[jboss-jira] [JBoss JIRA] Closed: (JBAS-6243) EJB2: Reintroduce explicit run as check before authentication

Anil Saldhana (JIRA) jira-events at lists.jboss.org
Tue Nov 25 16:45:37 EST 2008


     [ https://jira.jboss.org/jira/browse/JBAS-6243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anil Saldhana closed JBAS-6243.
-------------------------------

    Resolution: Done


> EJB2:  Reintroduce explicit run as check before authentication
> --------------------------------------------------------------
>
>                 Key: JBAS-6243
>                 URL: https://jira.jboss.org/jira/browse/JBAS-6243
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: EJB2
>    Affects Versions: JBossAS-5.0.0.CR2
>            Reporter: Anil Saldhana
>            Assignee: Anil Saldhana
>            Priority: Critical
>             Fix For: JBossAS-5.0.0.GA
>
>
> Long ago I moved the checks for RunAs semantics to the Identity Trust Framework.  But ITF can be an overhead and can be disabled by default by the user. The Java EE spec behavior is to bypass authentication and validate the incoming run as in the authorization zone.  This explicit check needs to be reintroduced in the security interceptor.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        


