Return-Path: Delivered-To: apmail-geronimo-dev-archive@www.apache.org Received: (qmail 90364 invoked from network); 11 Aug 2006 00:05:24 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 11 Aug 2006 00:05:24 -0000 Received: (qmail 4646 invoked by uid 500); 11 Aug 2006 00:05:23 -0000 Delivered-To: apmail-geronimo-dev-archive@geronimo.apache.org Received: (qmail 4002 invoked by uid 500); 11 Aug 2006 00:05:22 -0000 Mailing-List: contact dev-help@geronimo.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: dev@geronimo.apache.org List-Id: Delivered-To: mailing list dev@geronimo.apache.org Received: (qmail 3991 invoked by uid 99); 11 Aug 2006 00:05:22 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 10 Aug 2006 17:05:22 -0700 X-ASF-Spam-Status: No, hits=0.5 required=10.0 tests=DNS_FROM_RFC_ABUSE,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (asf.osuosl.org: domain of ammulder@gmail.com designates 64.233.182.190 as permitted sender) Received: from [64.233.182.190] (HELO nf-out-0910.google.com) (64.233.182.190) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 10 Aug 2006 17:05:14 -0700 Received: by nf-out-0910.google.com with SMTP id l36so880411nfa for ; Thu, 10 Aug 2006 17:04:47 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=pPUkrkRohTr+LUSSxZRecvaksDKhPYvFaAbmjkvO6gaLEnQQybVcTRwc/cwTNq/6WVzk1DvmhL7rxDdlbPN0OFizyKhLMtSAjkRMl0NZkaVYk/JxsLZm9JnW5mOBOGlobUdp16IHVoCGowBxJJTggTWxn7BlAHQThThC/TP+2FM= Received: by 10.78.127.2 with SMTP id z2mr1897870huc; Thu, 10 Aug 2006 17:04:46 -0700 (PDT) Received: by 10.78.196.5 with HTTP; Thu, 10 Aug 2006 17:04:46 -0700 (PDT) Message-ID: <74e15baa0608101704j29489a89xd5c16d2f8c48feb4@mail.gmail.com> Date: Thu, 10 Aug 2006 20:04:46 -0400 From: "Aaron Mulder" Sender: ammulder@gmail.com To: dev@geronimo.apache.org Subject: Re: Problems with security propagation between web apps and ejbs In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: X-Google-Sender-Auth: 08dc0b644305b494 X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N I don't understand the cross-context issues, and I don't see how your proposal will result in us honoring null-false-null, especially given that we require a default subject to be set any time security settings are present (which I find a little weird; why not let it be null?). But other that that, your proposal sounds good to me. Thanks, Aaron On 8/10/06, David Jencks wrote: > A user noticed that when their web app called an ejb, despite the > authentication of the user in the web app, in the ejb isCallerinRole > always returns false. I've been investigating this and think we have > some problems in how we handle run-as identities and the > ContextManager currentCaller and nextCaller values. I'm also not > sure where our defaultSubject idea fits into this. I'll try to > summarize my understanding of the specs and what we should be doing, > and make a bit of a proposal. > > I'd really appreciate some review of how I think its supposed to work > and comments on my proposal. I'm working on a patch to implement the > proposal, but I believe we have to do something since what we do now > appears to be broken. > > web apps (2.4 spec): > SRV.12.3 states that the getRemoteUser, isUserInRole, and > getUserPrincipal methods should return null, false, and null if there > is no authenticated user. Following the specs' usual policy of not > discussing cross context dispatch, we are left to guess that even if > a run-as role is specified somewhere the target of a cross-context > dispatch should continue to return null, false, null with no actual > authenticated user. > > SRV.12.7 states that if a run-as element is specified, all calls from > any servlet in the application to an ejb must be done under a subject > associated with the run-as role. > > The spec does not seem to account for the possiblity that calls to > ejbs could be done either pre- or post- user authentication: if a run- > as role is specified, all calls will be made using it whether or not > the user is authenticated. > > We've introduced the concept of a defaultSubject that is used if the > user is not authenticated, but will not interfere with using the > users actual identity when the user is authenticated. IIUC (I > haven't tested) currently the default subject is used in a way that > interferes with the "null, false, null" requirements for > getRemoteUser, isUserInrole, and getUserPrincipal. > > > ejbs: (2.1 spec) > 21.3.4.1 indicates that the run-as identity specified for an ejb does > not affect any security decisions for the ejb itself, but only > specifies the identity to be used when it is calling other ejbs ( I > need to check which identity is used use with resource adapters using > container managed security). Methods such as isCallerInRole use the > caller's identity, not the run-as identity (21.2.5.1) > > ---------------- > > We're keeping track of these two identities in ContextManager > currentCaller and nextCaller (threadLocals). All security decisions > are based on the currentCaller value. When a run-as value is > specified for an ejb, it's put into the nextCaller. When an ejb is > called, the nextCaller value is shifted into the currentCaller: this > is supposed to occur before the run-as is put into the nextCaller. > > My understanding of the requirements is that we should be: > - when a web user is authenticated we should put the subject into > currentCaller and nextCaller. The currentCaller value will be used > for security decisions in the web app, and the nextCaller value for > security decisions on any ejbs it calls. > > - when a run-as role is specified for a web app we put the subject > associated with the run-as role into nextCaller (whether or not the > current user is authenticated) > > - cross context dispatch may replace the nextCaller if run-as is > specified for the target, and the previous nextCaller value needs to > be restored on return. This can never affect currentCaller. > > - defaultSubject (a non-spec concept) should be put into both > currentCaller and nextCaller unless run-as is specifed in which case > run-as goes in the nextCaller. > > ---------------- > > Currently the web security stuff is pretty much ignoring nextCaller > which is causing the authenticated user to be lost in ejb calls: this > causes the problem the user reported. I'm mystified as to how the > tck passes. > > ---------------- > > I think that perhaps we should organize this information into one > object with more explicit operations on the ContextManager: > > class Callers { > Subject currentCaller; > Subject nextCaller; > } > > in ContextManager: > > void setCallers(Subject currentCaller, Subject nextCaller) > > //called for servlet cross context dispatch to set the target app run- > as identity > Callers setNextCaller(Subject nextCaller); > > //called for ejb call to shift the next caller to current caller and > set the next caller to the run-as subject. > // We need either another method with no params for the "no run-as" > case or if null is suppled the nextCaller is not changed > Callers pushNextCaller(Subject nextCaller); > > //called on return from an ejb call or servlet-cross-context-dispatch. > void popCallers(Callers oldCallers); > > This would reduce the number of thread locals in ContextManager by at > least one. > > > Thanks > david jencks > >