#71 Update handling of unauthenticated users

v2.4
open
None
5
2001-07-09
2001-07-09
No

The default security manager (JaasSecurityManager) has
been updated to handle anonymous users that are
represented by a null principal and credentials when
such a user is authenticated by the login modules
configured for the security domain. The principal
assigned to the authenticated subject is used as the
callerPrincipal and subsequent requests to validate a
null principal with a null credential are handled
correctly.

The
org.jboss.security.auth.spi.UsernamePasswordLoginModule
now supports an unauthenticatedIdentity property
which defines the name of the principal that will be
used when a null username and password are presented.
This means that the DatabaseServerLoginModule,
LdapLoginModule and UsersRolesLoginModule all support this
option. The default "other" auth.conf entry shows a
UsersRolesLoginModule setup that maps anonymous users
to the principal name "nobody".
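
A sketch of what such an "other" entry looks like in JAAS login configuration syntax. This is an added example, not the auth.conf shipped with the project; the role name in the comments is constructed, and the way roles are resolved for "nobody" is an assumption.

```conf
// Constructed auth.conf fragment (JAAS login configuration syntax).
// "other" is the default security domain entry named in the ticket text.
other {
    // unauthenticatedIdentity names the principal assigned when a null
    // username AND a null password are presented. Omit the option to keep
    // rejecting such callers.
    org.jboss.security.auth.spi.UsersRolesLoginModule required
        unauthenticatedIdentity="nobody";
};

// Companion role mapping (assumption: roles for "nobody" are looked up in
// roles.properties like any other user's; "Guest" is a constructed role name):
//
//   roles.properties
//     nobody=Guest
//
// Every unauthenticated caller ends up with whatever roles "nobody" holds,
// so review each method permission that lists one of those roles before
// enabling the option.
```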

An example of an MDB accessing a secured entity bean
using a run-as role has been added to the jbosstest
suite security unit tests to demonstrate this feature.
