portals-jetspeed-dev mailing list archives

From "Randy Watler (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Resolved: (JS2-496) J2 on tomcat 5.5.15: 403 returned to client browser when any user that doesn't have admin role attempts to log in
Date Wed, 01 Mar 2006 09:07:50 GMT
     [ http://issues.apache.org/jira/browse/JS2-496?page=all ]
Randy Watler resolved JS2-496:

    Fix Version: 2.1-dev
     Resolution: Fixed
      Assign To: Randy Watler

JS2-496 fix - Support strict interpretation of authenticated role names in web.xml for tomcat

- the '*' role name in <auth-constraint> tags is interpreted as any role defined in the
  webapp web.xml file (not any role the application chooses to pass in the JAAS subject).

- test for authenticated user using pseudo role returned to container using JAAS subject:


- portal user pseudo role name can be specified in security-atn.xml configuration.

- default portal user pseudo role name is 'portal-user'.

- user roles defined in J2 remain included in the subject for those that wish to use
  finer-grained tests at the container level.

- this feature may be refined if container managed security is refactored to support
  J2EE style role usage patterns.

> J2 on tomcat 5.5.15: 403 returned to client browser when any user that doesn't have admin role attempts to log in
> -----------------------------------------------------------------------------------------------------------------
>          Key: JS2-496
>          URL: http://issues.apache.org/jira/browse/JS2-496
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-FINAL
>  Environment: Tomcat 5.5.15 (JDK 1.5, Apache 2, Fedora Core 3)
>     Reporter: Aaron Evans
>     Assignee: Randy Watler
>      Fix For: 2.1-dev

> When J2 is deployed on tomcat 5.5.15, whenever any user that does not have the admin role logs in, a 403 is returned for the URI /login/redirector.
> This does not occur on earlier releases of tomcat (5.5.9 for example).
> The user is in fact authenticated, for if you delete the /login/redirector from the URL in the browser and refresh, then the main page of the portal is shown and the user is authenticated.
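As an added illustration (not taken from the Jetspeed sources or from this issue), here is how the strict '*' interpretation plays out in a Servlet 2.4 web.xml for the /login/redirector path. It assumes that before the fix the only declared security-role was 'admin', and that the fixed descriptor uses the default 'portal-user' pseudo role name:

```xml
<!-- Added example, not from the Jetspeed sources. Assumes the only
     security-role declared before the fix was 'admin'. -->

<!-- BEFORE: Tomcat 5.5.15 reads '*' strictly, as the Servlet 2.4 spec
     defines it: "every role declared in this deployment descriptor".
     Only 'admin' is declared, so an authenticated user whose JAAS
     subject carries just Jetspeed-assigned roles is refused with 403
     even though authentication itself succeeded. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login redirector</web-resource-name>
    <url-pattern>/login/redirector</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- AFTER: constrain on the pseudo role that the Jetspeed JAAS login
     adds to every authenticated subject ('portal-user' by default) and
     declare that role, so the container check no longer depends on
     which portal roles a given user happens to hold. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login redirector</web-resource-name>
    <url-pattern>/login/redirector</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>portal-user</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>portal-user</role-name>
</security-role>
```

A user who holds the declared 'admin' role passes both versions, which is consistent with the report that only non-admin users were refused.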

This message is automatically generated by JIRA.
