Details
Description
ServletEnvironmentRequest wraps only the frist HttpServletRequest in session, and from this came the problem of using isUserInRole from ExternalContext
when using JAAS security (not Acegi).
I've observed that when in web.xml I add login-config with auth-method set to BASIC IceFaces wraps in ServletEnvironmentRequest first request which is simply a request to access an application without loaded users roles. After this first reqest server sends information about authorization, and if it success the second requst will have all information about roles and pricipals.
I thinkt that even wrapping only the frist request won't causes this bug it should be always actualized, so developer can access current request not the one from starting the session.
when using JAAS security (not Acegi).
I've observed that when in web.xml I add login-config with auth-method set to BASIC IceFaces wraps in ServletEnvironmentRequest first request which is simply a request to access an application without loaded users roles. After this first reqest server sends information about authorization, and if it success the second requst will have all information about roles and pricipals.
I thinkt that even wrapping only the frist request won't causes this bug it should be always actualized, so developer can access current request not the one from starting the session.
This bug also make application unable to call secured EJB methods.