[jboss-user] [Security & JAAS/JBoss] - Re: Basic auth apache fronting JBoss!
java123
do-not-reply at jboss.com
Tue Jan 8 16:21:31 EST 2008
After doing some extra digging this is what I found out.
JBossSecurityMgrRealm creates a roleMap keyed by principal (SimplePrincipal). When the user only gets authenticated by JBoss, the request does not contain a principal, therefore the authenticate method is called in JBossSecurityMgrRealm. Here a SimplePrincipal object is created from the passed-in user name and then the roles are looked up by this key.
BUT!!! If the user gets initially authenticated by the web server (apache), then the CoyoteInvoker that handles requests for tomcat sees that a user exists in the request and creates a CoyotePrincipal within the request. Now the authenticate method of JBossSecurityMgrRealm is NOT called. Role lookup fails because roles are keyed by SimplePrincipal and the lookup is done with a CoyotePrincipal object.
I hope what I said makes sense to everyone. But this is causing a problem for us. I am sure someone else has run into this before. How do we get around it?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4118075#4118075
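An added illustration of the key mismatch the post describes (example code written for this edit, not from the post, from JBoss or from Tomcat): two Principal implementations stand in for SimplePrincipal and CoyotePrincipal, a role map is keyed by the first and looked up with the second. The class names, their equals/hashCode behaviour and the name-keyed map used as the fix are assumptions made for illustration.

```java
import java.security.Principal;
import java.util.*;

public class PrincipalKeyMismatch {
    // Stand-in for a realm principal: equality by name (assumption for illustration).
    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof Principal && name.equals(((Principal) o).getName());
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    // Stand-in for a connector-level principal: no equals/hashCode override, so it is
    // only ever equal to itself (assumption modelling the behaviour reported in the post).
    static final class ConnectorPrincipal implements Principal {
        private final String name;
        ConnectorPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Role map keyed by the Principal object, as the post describes.
    static final Map<Principal, Set<String>> rolesByPrincipal = new HashMap<>();
    // Hardened variant: key by the canonical principal name instead of the object.
    static final Map<String, Set<String>> rolesByName = new HashMap<>();

    static Set<String> lookupByPrincipal(Principal p) {
        return rolesByPrincipal.getOrDefault(p, Collections.emptySet());
    }

    static Set<String> lookupByName(Principal p) {
        return rolesByName.getOrDefault(p.getName(), Collections.emptySet());
    }

    public static void main(String[] args) {
        Set<String> roles = new HashSet<>(Arrays.asList("Admin"));
        rolesByPrincipal.put(new NamePrincipal("alice"), roles);
        rolesByName.put("alice", roles);

        // Same user name, but a different Principal class, as when the front-end
        // web server has already authenticated the user.
        Principal fromConnector = new ConnectorPrincipal("alice");
        // HashMap compares hashCode first, then calls fromConnector.equals(storedKey);
        // neither matches, so the user appears to have no roles at all.
        System.out.println("Principal-keyed lookup: " + lookupByPrincipal(fromConnector));
        // Keying by name makes the lookup independent of which Principal class arrives.
        System.out.println("Name-keyed lookup: " + lookupByName(fromConnector));
    }
}
```

The failure is fail-closed (no roles, so access is denied), which is why it surfaces as an authorization problem rather than a bypass; the defensive fix is to map roles by a canonical identity string rather than by the Principal object's identity.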