portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Lipp (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Commented: (JS2-302) Password change not propagated to JBoss
Date Thu, 29 Sep 2005 07:10:49 GMT
    [ http://issues.apache.org/jira/browse/JS2-302?page=comments#action_12330779 ] 

Michael Lipp commented on JS2-302:

I accept closing this issue. I just want to point out that the problem is not JBoss specific
(though a solution may be). AFAIK, *every* Servlet container saves the credentials obtained
from form based login somehow and re-uses them when accessing (secured) EJBs. So anyone using
a portlet that accesses secured EJBs will run into this problem, independant of the AS used.

It has always been a shortcoming of the servlet specification that there is no API to put
new credentials in the store. The problem is well known. E.g. if you have a Web service, you
cannot use form based authentication, yet you need to set credentials (coming with the request)
if you want to access (secured) EJBs from your servlet (most people ignore the risks that
arise from having unsecured EJBs and never notice, though). However, the AS specific solutions
from the Web service domain are not easily transferable to Jetspeed.

The only portable solution I can think of currently is (1) automatically logging the user
out after a password change and requesting him to re-login (I have seen this on some sites)
or (2) generating a response that makes the browser submit the authentication form with the
new credentials automatically (requires JavaScript).

I'll keep the issue on my list and look at it again if I have the time.

> Password change not propagated to JBoss
> ---------------------------------------
>          Key: JS2-302
>          URL: http://issues.apache.org/jira/browse/JS2-302
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-dev/cvs
>  Environment: JBoss/HSQL
>     Reporter: Michael Lipp
>     Assignee: Ate Douma
>      Fix For: 2.0-M4

> In Tomcat/JBoss the credentials used to authenticate in the Web tier (Tomcat) are save
in some "global variables" during login. This information is subsequently used when a servlet
tries to access an EJB. This happens in the security "adaption layer" of tomcat.
> If a user changes his or her password, the saved credentials are not updated, and as
a consequence all accesses to EJBs fail. A workaround is to logout and re-login after a password
change (for the advanced user who knows what happens ;-)).

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
For more information on JIRA, see:

To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org

View raw message