Date: Tue, 23 Nov 2004 11:01:57 -0700
Message-ID: <41A37B15.9010106@savoirtech.com>
From: Jeff Genender
To: dev@geronimo.apache.org
Subject: Re: LoginDomains and automapping
References: <41A2C9FC.1000907@savoirtech.com>

Ok, then this is my mistake. I assumed you were filling in the Subject with the principals, but as I re-read, I saw what you were saying regarding the necessity to continue to call ContextManager.getServerSideSubject.

I have some code that Alan and I worked on in the JaasLoginCoordinator that populates the subject with the principals that I *think* does the "automagically" you referred to in the previous email. I had the JaasLoginService.serverLoginModuleCommit() return a Collection of Principals, and then I set these principals in the Subject in the JaasLoginCoordinator.ServerLoginModule.commit(), very similarly to the ClientLoginModule. So I believe that in the same JVM, this may do what you stated below.

I have included the patch which we have come up with thus far. This is only for you guys to look at as I have not run the unit tests for this yet. If I am off base here, please set me straight. I am new to this code and am just getting my feet wet in seeing what it's doing, so I may end up in a few dead ends. Let me know if you would like me to continue down this path, and I can write the unit tests for it and submit the changes.
Jeff

Here is the patch:

Index: src/java/org/apache/geronimo/security/jaas/JaasLoginCoordinator.java =================================================================== --- src/java/org/apache/geronimo/security/jaas/JaasLoginCoordinator.java (revision 106054) +++ src/java/org/apache/geronimo/security/jaas/JaasLoginCoordinator.java (working copy) @@ -210,7 +210,13 @@ } public boolean commit() throws LoginException { - return service.serverLoginModuleCommit(client, index); + Collection c = service.serverLoginModuleCommit(client, index); + if (c == null) + return false; + + subject.getPrincipals().addAll(c); + + return true; } public boolean abort() throws LoginException { Index: src/java/org/apache/geronimo/security/jaas/JaasLoginService.java =================================================================== --- src/java/org/apache/geronimo/security/jaas/JaasLoginService.java (revision 106054) +++ src/java/org/apache/geronimo/security/jaas/JaasLoginService.java (working copy) @@ -260,7 +260,7 @@ * once for each server-side login module that was processed before the * overall authentication succeeded. */ - public boolean serverLoginModuleCommit(JaasClientId userIdentifier, int loginModuleIndex) throws LoginException { + public Collection serverLoginModuleCommit(JaasClientId userIdentifier, int loginModuleIndex) throws LoginException { JaasSecurityContext context = (JaasSecurityContext) activeLogins.get(userIdentifier); if(context == null) { throw new ExpiredLoginModuleException(); 
@@ -270,8 +270,16 @@ } JaasLoginModuleConfiguration module = context.getModules()[loginModuleIndex]; boolean result = module.getLoginModule(classLoader).commit(); + + if (!result) + return null; + context.processPrincipals(); - return result; + Subject s = context.getSubject(); + if (s == null) + return null; + + return s.getPrincipals(); } /** Index: src/java/org/apache/geronimo/security/jaas/JaasLoginServiceMBean.java =================================================================== --- src/java/org/apache/geronimo/security/jaas/JaasLoginServiceMBean.java (revision 106054) +++ src/java/org/apache/geronimo/security/jaas/JaasLoginServiceMBean.java (working copy) 
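Review bot: In the JaasLoginCoordinator.commit() hunk, `subject.getPrincipals().addAll(c)` copies whatever serverLoginModuleCommit returns straight into the caller's Subject, and since the service side returns `s.getPrincipals()` that collection is the server-side Subject's full principal set rather than a filtered snapshot; this is the same exposure Aaron raises below (RealmPrincipals reaching callers outside the server JVM), so either filter here or have the service decide what it hands out. Two smaller points: `Collection` is used but no import of java.util.Collection appears in the diff, so check it is already imported in this file; and when the coordinator reaches the service over the network rather than in the same JVM, every Principal in the returned collection has to be serializable, otherwise commit() fails in the transport instead of with a LoginException.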
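Review bot: In the JaasLoginService.serverLoginModuleCommit hunk the early `if (!result) return null;` now skips `context.processPrincipals()`, which the previous code called regardless of the module's commit result, and the two `return null` branches make a module returning false indistinguishable at the caller from a context with no Subject; keep the second case separate (the `context == null` branch just above already throws ExpiredLoginModuleException rather than returning a sentinel). `return s.getPrincipals();` hands out the Subject's live, modifiable principal set; return `new HashSet(s.getPrincipals())` or an unmodifiable view so a caller cannot alter the server-side Subject through the return value. The Javadoc above the signature ("once for each server-side login module that was processed...") still describes the old boolean contract and should state what the Collection contains and when it is null; the same comment applies to the matching JaasLoginServiceMBean declaration.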
@@ -110,7 +110,7 @@ * once for each server-side login module that was processed before the * overall authentication succeeded. */ - public boolean serverLoginModuleCommit(JaasClientId userIdentifier, int loginModuleIndex) throws LoginException; + public Collection serverLoginModuleCommit(JaasClientId userIdentifier, int loginModuleIndex) throws LoginException; /** * Indicates that the overall login succeeded. All login modules that were

Aaron Mulder wrote:
> On Mon, 22 Nov 2004, Jeff Genender wrote:
>
>> This is good...this should get the raw Tomcat JAASRealm to work for authorization. I just coded up a special JAASTomcatRealm that called the ContextManager.getServerSideSubject and now I can ditch it since it looks like the JaasLoginCoordinator is populating the subject.
>
> I'm not sure you're right -- the JAASTomcatRealm should be using RealmPrincipals, which are not currently returned. I need to talk this over with Alan:
>
> Alan D. Cabrera wrote:
>
>> I think that we should return the realm principals as well for all the same reasons that we have realm principals in the first place.
>
> Last time we talked you wanted to return everything except the RealmPrincipals... why the change of heart?
>
> What if we change the JaasLoginCoordinator to load the RealmPrincipals if it is used within the same JVM as the server, but not if it connects over the network? That may be the best balance of "give other server components what they need" and "don't expose Geronimo security internals to clients".
>
> Aaron