[jboss-user] [Security & JAAS/JBoss] - Re: JBoss 4.2.3: non-compliant behavior of JACC implementati

kcg do-not-reply at jboss.com
Thu Feb 12 12:01:28 EST 2009


Finally I've found out why JACC is not invoked for the simple servlet demo application! The first problem is that I need to mark the resource in web.xml as protected (or use the delegation to JACC for unprotected resources feature), and the second is, I think, a possible bug in JaccAuthorizationRealm.java in the package org.jboss.web.tomcat.security.

The problem is that the class's constructor contains:

    public JaccAuthorizationRealm()
    {
       policy = Policy.getPolicy();
       trace = log.isTraceEnabled();
    }

The problem is with the policy variable. It's initialized at construction time, but if JACC is not loaded yet, the result is that policy contains a reference to the standard java.security.Policy instance. When I changed the code to replace all `policy.' with `Policy.getPolicy().' in the class, the code started calling my JACC correctly (after its initialization, of course).

The question is: is there any way to prioritize initialization of JACC over the initialization of the built-in Tomcat? If not, then the JaccAuthorizationRealm class should probably be fixed.

What do you think?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4209626#4209626
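
The initialization-order effect described in the post, as an added example that is not part of the original post or of the JBoss code base: a realm that captures Policy.getPolicy() in its constructor keeps using the old Policy after a provider is installed, while a realm that looks the Policy up per check does not. The classes DemoJaccPolicy, CachingRealm and LookupRealm and the permission name are hypothetical stand-ins, and the example assumes a JDK on which java.security.Policy.setPolicy is still functional, as on the Java versions JBoss 4.2.3 runs on.

```java
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

public class StalePolicyDemo {
    // Hypothetical stand-in for a JACC provider's Policy: counts how often it is consulted.
    static class DemoJaccPolicy extends Policy {
        int calls = 0;
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            calls++;
            return "demo.protected.resource".equals(permission.getName());
        }
    }

    // Pattern from the post: the Policy is captured once, at construction time.
    static class CachingRealm {
        private final Policy policy = Policy.getPolicy();
        boolean hasPermission(ProtectionDomain pd, Permission p) {
            return policy.implies(pd, p);
        }
    }

    // Pattern the poster switched to: look the Policy up on every check.
    static class LookupRealm {
        boolean hasPermission(ProtectionDomain pd, Permission p) {
            return Policy.getPolicy().implies(pd, p);
        }
    }

    public static void main(String[] args) {
        // Realms are created first, as when the web container starts before JACC.
        CachingRealm caching = new CachingRealm();
        LookupRealm lookup = new LookupRealm();

        DemoJaccPolicy jacc = new DemoJaccPolicy();
        Policy.setPolicy(jacc); // the provider is installed only afterwards

        ProtectionDomain pd = new ProtectionDomain(null, null);
        Permission perm = new RuntimePermission("demo.protected.resource"); // constructed sample

        boolean cached = caching.hasPermission(pd, perm);
        System.out.println("caching realm: decision=" + cached
                + ", provider consulted " + jacc.calls + " time(s)");
        boolean live = lookup.hasPermission(pd, perm);
        System.out.println("lookup realm:  decision=" + live
                + ", provider consulted " + jacc.calls + " time(s)");
    }
}
```

Comparing the provider's call counter after each check shows which realm actually reaches the installed Policy; the same counter, logged from a real provider, is a quick way to confirm whether authorization decisions are being delegated at all.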
