geronimo-dev mailing list archives

From Jeff Genender <jgenen...@savoirtech.com>
Subject Re: LoginDomains and automapping
Date Tue, 23 Nov 2004 18:01:57 GMT
Ok, then this is my mistake.  I assumed you were filling in the Subject 
with the principals, but as I re-read, I saw what you were saying, 
regarding the necessity to continue to call 
ContextManager.getServerSideSubject.

I have some code that Alan and I worked on in the JaasLoginCoordinator 
that populates the subject with the principals that I *think* does the 
"automagically" you referred to in the previous email.  I had the 
JaasLoginService.serverLoginModuleCommit() return a Collection of 
Principals, and then I set these principals in the Subject in the 
JaasLoginCoordinator.ServerLoginModule.commit(), very similarly to the 
ClientLoginModule.  So I believe that in the same JVM, this may do 
what you stated below.  I have included the patch which we have come up 
with thus far.  This is only for you guys to look at as I have not run 
the unit tests for this yet.

If I am off base here, please set me straight.  I am new to this code 
and am just getting my feet wet in seeing what it's doing, so I may end 
up in a few dead ends.

Let me know if you would like me to continue down this path, and I can 
write the unit tests for it and submit the changes.

Jeff

Here is the patch:

Index: src/java/org/apache/geronimo/security/jaas/JaasLoginCoordinator.java
===================================================================
--- src/java/org/apache/geronimo/security/jaas/JaasLoginCoordinator.java 
        (revision 106054)
+++ src/java/org/apache/geronimo/security/jaas/JaasLoginCoordinator.java 
        (working copy)
@@ -210,7 +210,13 @@
          }

          public boolean commit() throws LoginException {
-            return service.serverLoginModuleCommit(client, index);
+            Collection c =  service.serverLoginModuleCommit(client, index);
+            if (c == null)
+                return false;
+
+            subject.getPrincipals().addAll(c);
+
+            return true;
          }

          public boolean abort() throws LoginException {
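Review bot: the `c == null` branch in commit() turns two different server-side outcomes into a silent "ignore this module": with this patch serverLoginModuleCommit returns null both when the module's own commit() returned false and when the security context has no Subject after a successful commit. Under the JAAS contract a false return from commit() means "ignore me", so the second case, which is an error, is swallowed instead of reported. Suggest keeping a distinct signal for the ignore case and throwing for the missing-Subject case, e.g. `if (c == null) throw new LoginException("no server-side Subject for " + client);` once the service side can tell the two apart. Also check that JaasLoginCoordinator imports java.util.Collection; the hunk does not show the import being added.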
Index: src/java/org/apache/geronimo/security/jaas/JaasLoginService.java
===================================================================
--- src/java/org/apache/geronimo/security/jaas/JaasLoginService.java 
(revision 106054)
+++ src/java/org/apache/geronimo/security/jaas/JaasLoginService.java 
(working copy)
@@ -260,7 +260,7 @@
       * once for each server-side login module that was processed 
before the
       * overall authentication succeeded.
       */
-    public boolean serverLoginModuleCommit(JaasClientId userIdentifier, 
int loginModuleIndex) throws LoginException {
+    public Collection serverLoginModuleCommit(JaasClientId 
userIdentifier, int loginModuleIndex) throws LoginException {
          JaasSecurityContext context = (JaasSecurityContext) 
activeLogins.get(userIdentifier);
          if(context == null) {
              throw new ExpiredLoginModuleException();
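Review bot: the Javadoc above the new signature still only says when the method is called; now that it returns a Collection it should document the element type and the null contract, e.g. `@return the Principals of the server-side Subject after this module's commit, or null if the module asked to be ignored`. The raw Collection also hides the element type from callers, so naming it (Principal) in the comment matters until the signature can say so.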
@@ -270,8 +270,16 @@
          }
          JaasLoginModuleConfiguration module = 
context.getModules()[loginModuleIndex];
          boolean result = module.getLoginModule(classLoader).commit();
+
+        if (!result)
+            return null;
+
          context.processPrincipals();
-        return result;
+        Subject s = context.getSubject();
+        if (s == null)
+            return null;
+
+        return s.getPrincipals();
      }

      /**
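Review bot: `return s.getPrincipals();` hands the caller the live principal Set of the server-side Subject rather than a copy, so an in-JVM caller can add or remove principals in the server's Subject through the returned reference, and each call returns the cumulative set of everything committed so far (harmless for the coordinator's addAll since a Set dedupes, but worth stating in the comment). Suggest a defensive copy, e.g. `return Collections.unmodifiableSet(new HashSet(s.getPrincipals()));`, and, if the RealmPrincipals discussion below ends with withholding them from remote clients, filtering here rather than in the coordinator. Separately, `if (!result) return null;` is placed before `context.processPrincipals()`, whereas the old code ran processPrincipals() regardless of the commit result; confirm that skipping it on a false commit is intended.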
Index: src/java/org/apache/geronimo/security/jaas/JaasLoginServiceMBean.java
===================================================================
--- 
src/java/org/apache/geronimo/security/jaas/JaasLoginServiceMBean.java 
   (revision 106054)
+++ 
src/java/org/apache/geronimo/security/jaas/JaasLoginServiceMBean.java 
   (working copy)
@@ -110,7 +110,7 @@
       * once for each server-side login module that was processed 
before the
       * overall authentication succeeded.
       */
-    public boolean serverLoginModuleCommit(JaasClientId userIdentifier, 
int loginModuleIndex) throws LoginException;
+    public Collection serverLoginModuleCommit(JaasClientId 
userIdentifier, int loginModuleIndex) throws LoginException;

      /**
       * Indicates that the overall login succeeded.  All login modules 
that were
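Review bot: same documentation gap as in the implementation: the interface Javadoc says nothing about the new return value or what null means, and because this is the MBean contract it is the place to state that the returned Collection and its Principal elements must be serializable if the method is invoked through a remote JMX connector. Also confirm that java.util.Collection is imported in the interface; the hunk does not show it.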

Aaron Mulder wrote:
> On Mon, 22 Nov 2004, Jeff Genender wrote:
> 
>>This is good...this should get the raw Tomcat JAASRealm to work for 
>>authorization.  I just coded up a special JAASTomcatRealm that called 
>>the ContextManager.getServerSideSubject and now I can ditch it since it 
>>looks like the JaasLoginCoordinator is populating the subject.
> 
> 
> 	I'm not sure you're right -- the JAASTomcatRealm should be using 
> RealmPrincipals, which are not currently returned.  I need to talk this 
> over with Alan:
> 
> Alan D. Cabrera wrote:
> 
>>I think that we should return the realm principals as well for all the
>>same reasons that we have realm principals in the first place.
> 
> 
> 	Last time we talked you wanted to return everything except the 
> RealmPrincipals...  why the change of heart?
> 
> 	What if we change the JaasLoginCoordinator to load the
> RealmPrincipals if it is used within the same JVM as the server, but not
> if it connects over the network?  That may be the best balance of "give
> other server components what they need" and "don't expose Geronimo
> security internals to clients".
> 
> Aaron

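The thread turns on the two-phase JAAS contract that the patch above relies on: login() only verifies credentials, commit() is where principals enter the Subject, a false return from commit() means "ignore this module" rather than "error", and logout() removes only what the module added. The following is an added example written for this page, not Geronimo's JaasLoginCoordinator or JaasLoginService code; the class names (CommitPhaseDemo, TableLoginModule, NamedPrincipal), the "role:users" principal and the alice/secret credentials are hypothetical, constructed so the example runs offline with an inline Configuration instead of a login.config file. The snapshot() helper shows the defensive-copy alternative to handing out the Subject's live principal set.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Added example, not Geronimo code. All class names here are hypothetical.
public class CommitPhaseDemo {

    /** Hypothetical principal type; a real realm module would add its own. */
    public static final class NamedPrincipal implements Principal {
        private final String name;
        public NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && name.equals(((NamedPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "NamedPrincipal[" + name + "]"; }
    }

    /** Hypothetical module: checks an in-memory table and touches the Subject only in commit(). */
    public static class TableLoginModule implements LoginModule {
        private static final Map<String, char[]> USERS = new HashMap<String, char[]>();
        static { USERS.put("alice", "secret".toCharArray()); } // constructed sample data

        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private final Set<Principal> added = new HashSet<Principal>();

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> shared, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        // Phase one: verify credentials and remember the outcome; add nothing to the Subject.
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] expected = USERS.get(nc.getName());
            boolean ok = expected != null && Arrays.equals(expected, pc.getPassword());
            pc.clearPassword();
            if (!ok) throw new FailedLoginException("bad credentials");
            user = nc.getName();
            return true;
        }

        // Phase two: principals enter the Subject here, so a failure elsewhere in the
        // configuration (abort) leaves the Subject empty. Returning false means "ignore
        // this module", which is different from an error; errors must throw.
        public boolean commit() throws LoginException {
            if (user == null) return false;
            added.add(new NamedPrincipal(user));
            added.add(new NamedPrincipal("role:users")); // hypothetical role principal
            subject.getPrincipals().addAll(added);
            return true;
        }

        public boolean abort() throws LoginException { user = null; added.clear(); return true; }

        // Remove only what this module added; principals from other modules stay.
        public boolean logout() throws LoginException {
            subject.getPrincipals().removeAll(added);
            added.clear();
            return true;
        }
    }

    /** Hand callers a snapshot, not the live Subject set, so they cannot mutate the login. */
    public static Set<Principal> snapshot(Subject s) {
        return Collections.unmodifiableSet(new HashSet<Principal>(s.getPrincipals()));
    }

    public static void main(String[] args) throws LoginException {
        // Inline Configuration so the example runs without a login.config file.
        Configuration config = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        TableLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        new HashMap<String, Object>()) };
            }
        };
        CallbackHandler creds = new CallbackHandler() {
            public void handle(Callback[] cbs) {
                for (Callback cb : cbs) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                    if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("secret".toCharArray());
                }
            }
        };
        Subject subject = new Subject();
        LoginContext lc = new LoginContext("demo", subject, creds, config);
        lc.login();   // runs login() on the module, then commit(); the Subject is populated only now
        System.out.println("after login:  " + snapshot(subject));
        lc.logout();  // the module removes exactly the principals it added
        System.out.println("after logout: " + snapshot(subject));
    }
}
```

Compile and run with `javac CommitPhaseDemo.java && java CommitPhaseDemo`. The first line prints the two principals (order is unspecified, as the backing set is hashed); the second prints an empty set. Wrong credentials make login() throw FailedLoginException, in which case LoginContext calls abort() and the Subject is never touched, which is the property the coordinator's commit() path has to preserve when it copies principals across.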