[jboss-jira] [JBoss JIRA] Updated: (JBAS-7698) Principal information used to check web security constraints should be read from Subject
Remy Maucherat (JIRA)
jira-events at lists.jboss.org
Fri Feb 5 10:57:20 EST 2010
[ https://jira.jboss.org/jira/browse/JBAS-7698?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Remy Maucherat updated JBAS-7698:
---------------------------------
Affects Version/s: JBossAS-5.1.0.GA
Assignee: Anil Saldhana (was: Remy Maucherat)
The subject is a fairly arbitrary construct, and I doubt it is a good idea to support mutating security information anyway. Reassigning so that it gets reviewed.
> Principal information used to check web security constraints should be read from Subject
> ----------------------------------------------------------------------------------------
>
> Key: JBAS-7698
> URL: https://jira.jboss.org/jira/browse/JBAS-7698
> Project: JBoss Application Server
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: Security
> Affects Versions: JBossAS-5.1.0.GA
> Environment: RHEL, JDK6u12, JBossAS 5.0.1
> Reporter: eugene75
> Assignee: Anil Saldhana
> Priority: Minor
>
> The JBossGenericPrincipal instance constructed and cached by JBossWebRealm.authenticate() creates a copy of Subject caller principal, roles, password. Therefore any modifications to the subject during the user's session are not propagated to the JBossGenericPrincipal. It would be preferable if the data returned by JBossGenericPrincipal came directly from the Subject object itself.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
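
The difference between the copy-at-authentication behaviour the report describes and the read-from-Subject behaviour it requests, as an added example that is not part of the original message and not JBoss code. `Role`, `SnapshotPrincipal` and `LivePrincipal` are hypothetical stand-ins; only `javax.security.auth.Subject` and `java.security.Principal` are real JDK types.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectSnapshotDemo {
    // Hypothetical role principal; stands in for whatever role type a login module adds.
    record Role(String name) implements Principal {
        public String getName() { return name; }
    }

    // Collect the role names currently present on the Subject.
    static Set<String> rolesOf(Subject s) {
        Set<String> out = new HashSet<>();
        for (Role r : s.getPrincipals(Role.class)) out.add(r.getName());
        return out;
    }

    // Snapshot style: roles are copied once, at authentication time.
    static final class SnapshotPrincipal {
        private final Set<String> roles;
        SnapshotPrincipal(Subject s) { this.roles = rolesOf(s); }
        boolean hasRole(String r) { return roles.contains(r); }
    }

    // Live style: every authorization check reads the Subject again.
    static final class LivePrincipal {
        private final Subject subject;
        LivePrincipal(Subject s) { this.subject = s; }
        boolean hasRole(String r) { return rolesOf(subject).contains(r); }
    }

    public static void main(String[] args) {
        Subject subject = new Subject();          // constructed sample Subject
        Role admin = new Role("admin");
        subject.getPrincipals().add(admin);

        SnapshotPrincipal cached = new SnapshotPrincipal(subject);
        LivePrincipal live = new LivePrincipal(subject);

        // The role is removed from the Subject while the session is still active.
        subject.getPrincipals().remove(admin);

        System.out.println("snapshot hasRole(admin): " + cached.hasRole("admin"));
        System.out.println("live hasRole(admin):     " + live.hasRole("admin"));
    }
}
```

With the snapshot, a role removed from the Subject stays effective for constraint checks until the cached principal is discarded. With the live variant, any code holding a reference to the Subject can change the outcome of later checks, so the Subject should be marked read-only or its mutators tightly controlled.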