JBAS-1723

The JACC policy should be consulted for an 'unauthenticated caller'


Currently JACC authorization happens only if the caller is authenticated.
If the caller is not authenticated, JBoss simply calls the next Interceptor.

Code snippet from JaccAuthorizationInterceptor.checkSecurityAssociation():
...
// Get the caller, return if there is no authenticated caller
Subject caller = SecurityActions.getContextSubject();
if( caller == null )
    return null;
...

Why can an unauthenticated caller invoke 'everything', whereas an authenticated caller gets authorized?

Of course, it can be assumed that a LoginModule is used.
We ran into this by using runAs in an MDB.
Authorization is based on authentication, and if authentication was not done properly, an exception would be appropriate.
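Added example, not JBoss code and not part of the original issue: a minimal stand-in for the early return quoted from JaccAuthorizationInterceptor.checkSecurityAssociation(), placed beside a hardened variant that treats a missing Subject as an authentication failure instead of skipping authorization. The AuthorizationPolicy interface, the RoleSetPolicy class, the method names and the "OrderBean.cancelOrder"/"admin" sample data are assumptions that stand in for the real JACC Policy/EJBMethodPermission check; the checks return a boolean rather than null/throw so the difference is visible from main().

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;

// Added example (not JBoss code). Compares the quoted "return if no caller"
// behaviour with a variant that refuses unauthenticated callers outright.
public class UnauthenticatedCallerCheck {

    /** Hypothetical stand-in for Policy.implies(ProtectionDomain, EJBMethodPermission). */
    interface AuthorizationPolicy {
        boolean implies(Subject caller, String ejbMethod);
    }

    /** Assumed policy: a method is permitted only to callers holding its required role. */
    static final class RoleSetPolicy implements AuthorizationPolicy {
        private final Map<String, String> requiredRole;

        RoleSetPolicy(Map<String, String> requiredRole) {
            this.requiredRole = requiredRole;
        }

        @Override
        public boolean implies(Subject caller, String ejbMethod) {
            String role = requiredRole.get(ejbMethod);
            if (role == null) {
                return false; // no permission configured for this method: deny
            }
            for (Principal p : caller.getPrincipals()) {
                if (role.equals(p.getName())) {
                    return true;
                }
            }
            return false;
        }
    }

    /** Mirrors the quoted snippet: no Subject means the policy is never consulted. */
    static boolean originalCheck(Subject caller, String ejbMethod, AuthorizationPolicy policy) {
        if (caller == null) {
            return true; // falls through to the next interceptor, i.e. the call proceeds
        }
        return policy.implies(caller, ejbMethod);
    }

    /** Hardened variant: an absent Subject is rejected before any policy lookup. */
    static boolean hardenedCheck(Subject caller, String ejbMethod, AuthorizationPolicy policy) {
        if (caller == null) {
            throw new SecurityException("No authenticated caller for " + ejbMethod
                    + "; refusing to skip JACC authorization");
        }
        if (!policy.implies(caller, ejbMethod)) {
            throw new SecurityException("Caller not authorized for " + ejbMethod);
        }
        return true;
    }

    /** Builds a Subject carrying a single role principal (constructed test data). */
    static Subject subjectWithRole(final String role) {
        Principal p = new Principal() {
            @Override
            public String getName() {
                return role;
            }
        };
        return new Subject(false, Collections.singleton(p),
                Collections.emptySet(), Collections.emptySet());
    }

    static String describe(String label, Subject caller, String method, AuthorizationPolicy policy) {
        boolean original = originalCheck(caller, method, policy);
        String hardened;
        try {
            hardened = String.valueOf(hardenedCheck(caller, method, policy));
        } catch (SecurityException e) {
            hardened = "rejected (" + e.getMessage() + ")";
        }
        return label + ": original=" + original + ", hardened=" + hardened;
    }

    public static void main(String[] args) {
        // Constructed sample data: one protected EJB method requiring the "admin" role.
        String method = "OrderBean.cancelOrder";
        AuthorizationPolicy policy = new RoleSetPolicy(Collections.singletonMap(method, "admin"));

        // The case from the issue: no Subject in the security context.
        System.out.println(describe("unauthenticated", null, method, policy));
        // An authenticated caller without the role is actually checked and denied.
        System.out.println(describe("role=user", subjectWithRole("user"), method, policy));
        // An authenticated caller with the role passes both variants.
        System.out.println(describe("role=admin", subjectWithRole("admin"), method, policy));
    }
}
```

Running main() shows the asymmetry the issue describes: the unauthenticated caller passes the original check for a method an authenticated "user" is denied, while the hardened variant rejects both and only admits "admin". In a real deployment the same failure mode can be reached when a run-as identity is not established by the LoginModule, which is why a missing Subject is better treated as an error than as "nothing to authorize".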

              starksm64 Scott Stark (Inactive)
              wv-javacoder Roland Räz (Inactive)