geronimo-dev mailing list archives

From "Jeff Genender" <jgenen...@savoirtech.com>
Subject Re: LoginDomains and automapping
Date Wed, 24 Nov 2004 20:07:05 GMT
Aaron,

Thanks for the reply.  I took the JAASRealm code from Tomcat, and made a
Geronimo version which makes a call to ContextManager.getServerSideSubject
after obtaining the subject.  I will test this when I get home tonight.

I am very interested in discussing the long term approach with you as I would
like to begin thinking in this direction.

Thanks for the input, it is appreciated.

Jeff

> Jeff,
> 	According to a conversation I just had with Alan, the other
> container modules use a method of authorization with JACC that doesn't
> require the containers to access all the principals.  Basically, they just
> give JACC the Subject containing an IdentificationPrincipal (which you
> have), and our JACC implementation looks up the proper Subject and does
> the calculations all on its side.
>
> 	Alan thought that maybe Tomcat does authorization differently
> (using Subject.doAs), in which case Tomcat would specifically need all the
> RealmPrincipals to be present.  However, as that appears to be fairly
> slow, it's not ideal anyway.
>
> 	So in the short term, you should probably try to insert a call to
> ContextManager.getServerSideSubject which will get you all the
> RealmPrincipals too.  If you really have trouble inserting the call in
> there, worst case, you could create a wrapper LoginModule that calls our
> JaasLoginCoordinator LoginModule and then calls
> ContextManager.getServerSideSubject and writes all the RealmPrincipals
> into the Subject that will be returned to the caller.  In the long term,
> we'd like to adjust the interface between Tomcat and Geronimo to use a
> different authorization method, which will mean the RealmPrincipals are no
> longer necessary.
>
> Aaron
>
> On Tue, 23 Nov 2004, Jeff Genender wrote:
>> Ok, then this is my mistake.  I assumed you were filling in the Subject
>> with the principals, but as I re-read, I saw what you were saying,
>> regarding the necessity to continue to call
>> ContextManager.getServerSideSubject.
>>
>> I have some code that Alan and I worked on in the JaasLoginCoordinator
>> that populates the subject with the principals that I *think* does the
>> "automagically" you referred to in the previous email.  I had the
>> JaasLoginService.serverLoginModuleCommit() return a Collection of
>> Principals, and then I set these principals in the Subject in the
>> JaasLoginCoordinator.ServerLoginModule.commit(), very similarly as the
>> ClientLoginModule.  So I believe that in the same JVM, this may do as
>> what you stated below.  I have included the patch which we have come up
>> with thus far.  This is only for you guys to look at as I have not run
>> the unit tests for this yet.
>>
>> If I am off base here, please set me straight.  I am new to this code
>> and am just getting my feet wet in seeing what its doing, so I may end
>> up in a few dead ends.
>>
>> Let me know if you would like me to continue down this path, and I can
>> write the unit tests for it and submit the changes.
>>
>> Jeff
>>
>> Here is the patch:
>>
>> Index:
>> src/java/org/apache/geronimo/security/jaas/JaasLoginCoordinator.java
>> ===================================================================
>> --- src/java/org/apache/geronimo/security/jaas/JaasLoginCoordinator.java
>>         (revision 106054)
>> +++ src/java/org/apache/geronimo/security/jaas/JaasLoginCoordinator.java
>>         (working copy)
>> @@ -210,7 +210,13 @@
>>           }
>>
>>           public boolean commit() throws LoginException {
>> -            return service.serverLoginModuleCommit(client, index);
>> +            Collection c =  service.serverLoginModuleCommit(client,
>> index);
>> +            if (c == null)
>> +                return false;
>> +
>> +            subject.getPrincipals().addAll(c);
>> +
>> +            return true;
>>           }
>>
>>           public boolean abort() throws LoginException {
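Review bot: returning false when serverLoginModuleCommit returns null changes the meaning of this commit(): in JAAS a false return means "ignore this module", but the service side returns null both when the underlying module's commit() returned false and when no Subject was found, and the second case is a failure that should surface as a LoginException rather than a silent ignore; consider having the service throw for the missing-Subject case so this hunk can keep propagating the module's own boolean. Also, `subject.getPrincipals().addAll(c);` copies every principal of the server-side Subject into the caller's Subject, including the RealmPrincipals the rest of the thread treats as Geronimo internals; if this coordinator can also be used over the network, a filter on which principal types are copied belongs here. Finally, `Collection c =  service.serverLoginModuleCommit(client,` has a doubled space, and the hunk shows no import of java.util.Collection for this file.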
>> Index: src/java/org/apache/geronimo/security/jaas/JaasLoginService.java
>> ===================================================================
>> --- src/java/org/apache/geronimo/security/jaas/JaasLoginService.java
>> (revision 106054)
>> +++ src/java/org/apache/geronimo/security/jaas/JaasLoginService.java
>> (working copy)
>> @@ -260,7 +260,7 @@
>>        * once for each server-side login module that was processed
>> before the
>>        * overall authentication succeeded.
>>        */
>> -    public boolean serverLoginModuleCommit(JaasClientId userIdentifier,
>> int loginModuleIndex) throws LoginException {
>> +    public Collection serverLoginModuleCommit(JaasClientId
>> userIdentifier, int loginModuleIndex) throws LoginException {
>>           JaasSecurityContext context = (JaasSecurityContext)
>> activeLogins.get(userIdentifier);
>>           if(context == null) {
>>               throw new ExpiredLoginModuleException();
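Review bot: the Javadoc directly above the changed signature still describes the old boolean contract; now that the method returns a Collection it should state what the collection contains (the principals of the server-side Subject) and under which conditions null is returned. java.util.Collection also needs to be imported in this file if it is not already.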
>> @@ -270,8 +270,16 @@
>>           }
>>           JaasLoginModuleConfiguration module =
>> context.getModules()[loginModuleIndex];
>>           boolean result = module.getLoginModule(classLoader).commit();
>> +
>> +        if (!result)
>> +            return null;
>> +
>>           context.processPrincipals();
>> -        return result;
>> +        Subject s = context.getSubject();
>> +        if (s == null)
>> +            return null;
>> +
>> +        return s.getPrincipals();
>>       }
>>
>>       /**
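Review bot: the early `return null;` on `!result` skips `context.processPrincipals();`, which the original code ran unconditionally after commit(); if processPrincipals has side effects that are needed even when a module asks to be ignored, this is a behaviour change worth calling out explicitly. Also, `return s.getPrincipals();` hands the caller the live, mutable principal set of the server-side Subject rather than a copy; returning `new HashSet(s.getPrincipals())` would keep the caller from modifying the server-side Subject through the returned reference. And since null is returned for two different conditions (commit returned false, or no Subject on the context), the caller cannot tell an ignored module from a broken login state; throwing for the missing-Subject case, as the ExpiredLoginModuleException branch above already does for a missing context, would be more consistent.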
>> Index:
>> src/java/org/apache/geronimo/security/jaas/JaasLoginServiceMBean.java
>> ===================================================================
>> ---
>> src/java/org/apache/geronimo/security/jaas/JaasLoginServiceMBean.java
>>    (revision 106054)
>> +++
>> src/java/org/apache/geronimo/security/jaas/JaasLoginServiceMBean.java
>>    (working copy)
>> @@ -110,7 +110,7 @@
>>        * once for each server-side login module that was processed
>> before the
>>        * overall authentication succeeded.
>>        */
>> -    public boolean serverLoginModuleCommit(JaasClientId userIdentifier,
>> int loginModuleIndex) throws LoginException;
>> +    public Collection serverLoginModuleCommit(JaasClientId
>> userIdentifier, int loginModuleIndex) throws LoginException;
>>
>>       /**
>>        * Indicates that the overall login succeeded.  All login modules
>> that were
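Review bot: same documentation gap as in JaasLoginService: the Javadoc above this interface method still reads as if it returns a boolean and should describe the new Collection return value and its null case. Because this is the MBean interface, the returned principals may cross an MBean or network boundary, so every principal type that can appear in the collection has to be Serializable, and which principal types are handed back to a caller should be fixed in this contract rather than left to whatever the server-side Subject happens to hold.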
>>
>> Aaron Mulder wrote:
>> > On Mon, 22 Nov 2004, Jeff Genender wrote:
>> >
>> >>This is good...this should get the raw Tomcat JAASRealm to work for
>> >>authorization.  I just coded up a special JAASTomcatRealm that called
>> >>the ContextManager.getServerSideSubject and now I can ditch it since
>> it
>> >>looks like the JaasLoginCoordinator is populating the subject.
>> >
>> >
>> > 	I'm not sure you're right -- the JAASTomcatRealm should be using
>> > RealmPrincipals, which are not currently returned.  I need to talk
>> this
>> > over with Alan:
>> >
>> > Alan D. Cabrera wrote:
>> >
>> >>I think that we should return the realm principals as well for all the
>> >>same reasons that we have realm principals in the first place.
>> >
>> >
>> > 	Last time we talked you wanted to return everything except the
>> > RealmPrincipals...  why the change of heart?
>> >
>> > 	What if we change the JaasLoginCoordinator to load the
>> > RealmPrincipals if it is used within the same JVM as the server, but
>> not
>> > if it connects over the network?  That may be the best balance of
>> "give
>> > other server components what they need" and "don't expose Geronimo
>> > security internals to clients".
>> >
>> > Aaron
>>
>


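The short-term workaround Aaron describes above, a wrapper LoginModule that delegates to JaasLoginCoordinator and then copies the RealmPrincipals from ContextManager.getServerSideSubject into the Subject handed back to the caller, written out as an added example; this is not code from this thread or from the Geronimo project. It assumes that JaasLoginCoordinator can be instantiated directly as a standard JAAS LoginModule, that ContextManager.getServerSideSubject takes the client-side Subject and returns the matching server-side Subject or null, and that RealmPrincipal lives in org.apache.geronimo.security; the class name ServerSidePrincipalLoginModule is hypothetical.

```java
package example; // hypothetical package for this added example

import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import org.apache.geronimo.security.ContextManager;
import org.apache.geronimo.security.RealmPrincipal;          // assumed package
import org.apache.geronimo.security.jaas.JaasLoginCoordinator; // assumed to be a plain LoginModule

/**
 * Wrapper LoginModule: runs JaasLoginCoordinator, then adds the server-side
 * RealmPrincipals to the caller's Subject so a container that authorizes via
 * Subject.doAs (as Tomcat is suspected to) sees them.
 */
public class ServerSidePrincipalLoginModule implements LoginModule {

    private Subject subject;
    private final LoginModule delegate = new JaasLoginCoordinator();
    // Principals this wrapper added, so logout() can remove exactly those.
    private final Set added = new HashSet();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map sharedState, Map options) {
        this.subject = subject;
        delegate.initialize(subject, handler, sharedState, options);
    }

    public boolean login() throws LoginException {
        return delegate.login();
    }

    public boolean commit() throws LoginException {
        // false means "ignore this module" in JAAS; propagate it unchanged.
        if (!delegate.commit()) {
            return false;
        }
        // Assumed signature: look up the server-side Subject that the
        // coordinator registered for this login, keyed by the client Subject.
        Subject serverSide = ContextManager.getServerSideSubject(subject);
        if (serverSide == null) {
            // A committed login with no server-side Subject is a broken state:
            // fail closed rather than silently returning a Subject with no roles.
            throw new LoginException("no server-side Subject for this login");
        }
        // Copy only RealmPrincipals; other server-side principals stay internal.
        for (Iterator i = serverSide.getPrincipals().iterator(); i.hasNext();) {
            Principal p = (Principal) i.next();
            if (p instanceof RealmPrincipal && subject.getPrincipals().add(p)) {
                added.add(p);
            }
        }
        return true;
    }

    public boolean abort() throws LoginException {
        added.clear();
        return delegate.abort();
    }

    public boolean logout() throws LoginException {
        // Remove what this wrapper added, then let the coordinator clean up.
        subject.getPrincipals().removeAll(added);
        added.clear();
        return delegate.logout();
    }
}
```

Two choices worth noting: the wrapper copies only RealmPrincipal instances rather than the whole server-side principal set, which keeps the "don't expose Geronimo security internals to clients" concern from the thread out of the caller's Subject, and it records which principals it added so that logout() removes exactly those and nothing a downstream module may have contributed.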