1. Re: Using isUserInRole() on unsecured page
ahardy66 Mar 25, 2004 10:17 AM (in response to huck)
Huck,
is your embedded tomcat 4.x or 5.x?
AFAIK tomcat 5.x standalone invokes this behaviour as well, PITA that it may be.
While I mostly hold the servlet spec team & tomcat (& increasingly the JBoss) developers in high regard for the quality of their decisions, in this case it smacks to me of 'nanny-ism'.
I believe it is done in the cause of increased security, although I am not quite clear and haven't been able to get a clear answer out of anybody (but I'm still trying). I have even been trying to get hold of the servlet spec team contact address, but haven't got there yet.
Adam
2. Re: Using isUserInRole() on unsecured page
huck Mar 25, 2004 1:33 PM (in response to huck)
Adam,
I was using the default embedded Tomcat for JBoss 3.2.3, which is 4.1.29. I compared it with the same version of the standalone product, with which the behavior differs. According to the last post in the thread at http://www.jboss.org/index.html?module=bb&op=viewtopic&t=26355,
something has been added to the 2.4 servlet spec that supports our position -- in section (SRV.12.10 Login and Logout) it says
"Being logged in to a web application corresponds precisely to there being a valid non-null value in getUserPrincipal method, discussed in SRV.12.3".
Under this, the current behavior of JBoss will be equivalent to forcibly logging out a user every time he goes from a secured to an unsecured page.
Barry
3. Re: Using isUserInRole() on unsecured page
ahardy66 Mar 25, 2004 3:05 PM (in response to huck)
That is just your interpretation of the spec. It doesn't mention what should happen on pages that are not under any security constraint.
I have to admit though that I am not prepared to read the whole spec from back to front to find out if they do mention what should happen anywhere, because I'm pretty sure they do.
These guys interpret it, program their container and we use it.
As I said though, I am trying to find out more in order to understand why they are doing it. Once I understand why, if I still disagree, then I'll probably launch some sort of petition to get it changed. I knew I wasn't the only one affected, but just how many of us there are, I don't know.
4. Re: Using isUserInRole() on unsecured page
mbeyer73 Mar 24, 2005 9:55 AM (in response to huck)
I just found out this workaround:
1. Copy the secured directory to an unsecured directory each time on build.
2. Let a Filter log in to the unsecured pages automatically with a "guest account" (the methods will still return null there BUT you can access secured EJBs).
Seems to work! What do you think?
Cheers!
Marcus
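A second way to get a non-null principal on pages outside any security constraint, added here as an example and not code from Marcus, JBoss or Tomcat: a servlet Filter that snapshots the container's Principal and role answers while the user is on a secured page, and on unsecured pages wraps the request so getUserPrincipal()/isUserInRole() answer from that snapshot. The class and attribute names, the "roles" init-param, and the assumption that the filter is mapped to /* are all mine; it targets the javax.servlet API on Java 5 or later.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (example code, not part of JBoss or Tomcat).
 * On requests where the container has authenticated the user (secured pages),
 * remember the Principal and the roles it holds in the session. On requests
 * where the container reports no user (unsecured pages), wrap the request so
 * getUserPrincipal()/isUserInRole() answer from that cached snapshot instead
 * of returning null/false.
 */
public class PrincipalCacheFilter implements Filter {

    // Session attribute names; arbitrary, chosen for this example.
    static final String PRINCIPAL_KEY = "cached.principal";
    static final String ROLES_KEY = "cached.roles";

    // Application role names to snapshot, read from the init-param "roles"
    // (comma separated) in web.xml. isUserInRole() can only be probed for
    // names we know about, so the list must cover every role the app checks.
    private String[] roleNames = new String[0];

    public void init(FilterConfig config) {
        String roles = config.getInitParameter("roles");
        if (roles != null) {
            roleNames = roles.trim().split("\\s*,\\s*");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);

        Principal p = request.getUserPrincipal();
        if (p != null) {
            // Secured page: the container knows who this is. Take a snapshot.
            Set<String> held = new HashSet<String>();
            for (String r : roleNames) {
                if (request.isUserInRole(r)) {
                    held.add(r);
                }
            }
            session = request.getSession(true);
            session.setAttribute(PRINCIPAL_KEY, p);
            session.setAttribute(ROLES_KEY, Collections.unmodifiableSet(held));
            chain.doFilter(request, res);
            return;
        }

        if (session != null && session.getAttribute(PRINCIPAL_KEY) != null) {
            // Unsecured page reached after a secured one: expose the snapshot.
            chain.doFilter(new CachedPrincipalRequest(request, session), res);
            return;
        }
        // Never authenticated in this session: pass through unchanged.
        chain.doFilter(request, res);
    }

    public void destroy() {
    }

    /** Request wrapper that answers identity questions from the session snapshot. */
    static class CachedPrincipalRequest extends HttpServletRequestWrapper {
        private final Principal principal;
        private final Set<String> roles;

        @SuppressWarnings("unchecked")
        CachedPrincipalRequest(HttpServletRequest req, HttpSession session) {
            super(req);
            principal = (Principal) session.getAttribute(PRINCIPAL_KEY);
            roles = (Set<String>) session.getAttribute(ROLES_KEY);
        }

        public Principal getUserPrincipal() {
            return principal;
        }

        public String getRemoteUser() {
            return principal.getName();
        }

        public boolean isUserInRole(String role) {
            return roles != null && roles.contains(role);
        }
    }
}
```

Two caveats a practitioner would want. First, this only changes what the web tier sees: a call from an unsecured page into a secured EJB still carries no container identity, which is exactly why Marcus's guest-login approach reaches the EJBs and this one does not. Second, the cached roles are the application's own copy of an earlier container answer, so use them for display decisions (menus, "logged in as" text) and keep anything that must be enforced behind a security-constraint; invalidate the session on logout so the snapshot dies with it, and make sure the container's Principal class is Serializable if sessions are replicated.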
5. Re: Using isUserInRole() on unsecured page
lhoriman Apr 17, 2005 6:58 AM (in response to huck)
"ahardy66" wrote:
These guys interpret it, program their container and we use it.
What I like about JBoss is that it isn't just a dumb implementation of a spec. Fleury & Co can "do it right" no matter what the spec says.
It's pretty clear that the J2EE integrated security parts of the servlet spec are seriously deficient. I was making these exact same complaints four years ago and it's still not fixed. Just try implementing a "remember me" checkbox... you can't without bypassing the system entirely.
Useful software trumps "compliant" software...
Jeff