[jboss-jira] [JBoss JIRA] Commented: (JBWEB-19) Make isUserInRole() and getUserPrincipal() available on unsecured pages

Jeff Schnitzer (JIRA) jira-events at lists.jboss.org
Fri Feb 5 17:26:20 EST 2010


    [ https://jira.jboss.org/jira/browse/JBWEB-19?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12510775#action_12510775 ] 

Jeff Schnitzer commented on JBWEB-19:
-------------------------------------

"Too random"?  You must be joking.

Here's what's random:  When you call isUserInRole() or getUserPrincipal() in your code, it works sometimes and doesn't work other times.  This has to do with whether your code was called from a page that was flagged as "secured" in web.xml or not.

What would not be random is for these methods to return your actual login status at all times.

There is nothing that prevents a logged in user from visiting an unsecured page, and it is *very* common for real-world applications to have pages that vary content depending on whether the user is logged in or not.  Say, like the bug tracker I'm wasting my time typing this text into.

My buddies at Kink may actually try to escalate this problem, since they still have workarounds coded for it.  As their former CTO and the original architect of their platform, I still get asked for technical advice, and my advice lately has been to prepare to migrate away from JBoss AS.  They're seriously considering it, and this thread is doing a good job of illustrating the rationale.

> Make isUserInRole() and getUserPrincipal() available on unsecured pages
> -----------------------------------------------------------------------
>
>                 Key: JBWEB-19
>                 URL: https://jira.jboss.org/jira/browse/JBWEB-19
>             Project: JBoss Web
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: Core
>         Environment: Any
>            Reporter: Jeff Schnitzer
>            Assignee: Remy Maucherat
>
> Currently getUserPrincipal() returns null and ServletRequest.isUserInRole() always returns false on unsecured pages, even after the user has been authenticated.
> It would be much more useful if these always returned proper values.  This confusion comes up on the JAAS forums frequently.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
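The behaviour the issue describes, shown from the application side as an added example (this is not code from the JIRA issue, from JBoss Web, or from the reporter's platform). It assumes a web.xml in which only /secure/* carries a security-constraint with FORM login and a role named "member"; the servlet name PublicHomeServlet, the URLs and the role name are illustrative assumptions. The servlet serves an unconstrained page and must therefore cope with getUserPrincipal() being null and isUserInRole() being false for a user who is, in fact, logged in.

```java
// Added example, not part of JBWEB-19 or of JBoss Web itself.
// Assumed web.xml (only /secure/* is constrained, everything else is "unsecured"):
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Members</web-resource-name>
//       <url-pattern>/secure/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>member</role-name></auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>FORM</auth-method>
//     <form-login-config>
//       <form-login-page>/login.jsp</form-login-page>
//       <form-error-page>/login.jsp?failed=1</form-error-page>
//     </form-login-config>
//   </login-config>
//   <security-role><role-name>member</role-name></security-role>

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Mapped (by assumption) to "/" or "/home", i.e. a URL outside every security-constraint.
public class PublicHomeServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // On a URL that no security-constraint covers, the container may not
        // have established the caller's identity for this request, so these
        // can come back null / false even right after a successful login on
        // /secure/*. Treat null as "anonymous"; it is not an error condition.
        Principal user = req.getUserPrincipal();
        boolean member = user != null && req.isUserInRole("member");

        out.println("<html><body>");
        if (user == null) {
            // Linking to a constrained URL is enough to trigger the FORM login:
            // the container challenges before it serves /secure/home.
            out.println("<p>Welcome, guest. <a href=\"/secure/home\">Log in</a></p>");
        } else {
            out.println("<p>Welcome back, " + escape(user.getName()) + ".</p>");
            if (member) {
                out.println("<p><a href=\"/secure/members\">Members area</a></p>");
            }
        }
        out.println("</body></html>");
    }

    // The principal name was chosen by the user at registration time, so it
    // is untrusted input and must be escaped before being echoed into HTML.
    static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Two points for anyone living with this behaviour. First, it fails closed: a null principal on an unconstrained page costs you personalisation, not access control, so anything that actually needs protecting belongs under a security-constraint, where the container's answer is reliable. Second, the usual workaround of stashing the principal in the HttpSession yourself should be used only for cosmetic variation, never for authorization decisions, and must be cleared on logout and session invalidation or it will outlive the container's own notion of who is logged in.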