geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Jencks (JIRA)" <j...@apache.org>
Subject [jira] Commented: (GERONIMO-4765) API for Assumed Identity (run-as) support
Date Sun, 26 Jul 2009 16:05:15 GMT

    [ https://issues.apache.org/jira/browse/GERONIMO-4765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12735390#action_12735390
] 

David Jencks commented on GERONIMO-4765:
----------------------------------------

If one made an analogy with transactions, where we have container managed transactions and
UserTransaction for application tx control, in security we have container managed security
and this proposal is a bit like the UserTransaction for security.  IIUC you are proposing
the more robust technique of supplying a Runnable containing the work to do rather than asking
the caller to be sure to end the security context.

Although I am not a fan of run-as one feature I do like is that it effectively provided a
symbolic name for an identity somewhat abstracted from the identity.  I wonder if there's
any way to abstract the identity here into something more like a name.

I'm also not sure that Subject is the best candidate for the identity token we need here.
 In geronimo today what really gets used for security decisions is the AccessControlContext
computed from the Subject and we might want to use a collection of principals in the future.
 (I've been told that there's a quicker way to get to the security evaluation that going through
ACC).  So we might want to come up with a UserIdentity object that contains Subject, ACC,
etc etc and use that instead of the plain Subject.



> API for Assumed Identity (run-as) support
> -----------------------------------------
>
>                 Key: GERONIMO-4765
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4765
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.2
>            Reporter: J├╝rgen Weber
>             Fix For: 2.2
>
>
> To programmatically change the currently active subject, at the moment you have to use
the following Geronimo-proprietary code:
> ContextManager.registerSubject(subject);
> Callers oldCallers = ContextManager.pushNextCaller(subject);
> try
> {
> 	// secure code
> }
> finally
> {
> 	ContextManager.popCallers(oldCallers);
> }
> (see http://www.nabble.com/NPE-in-ContextManager.getCurrentContext-ts24645453s134.html)
> There should be a simpler (less Geronimo-dependend code) API analog to javax.security.auth.Subject.doAs()
> (http://java.sun.com/javase/6/docs/api/javax/security/auth/Subject.html#doAs%28javax.security.auth.Subject,%20java.security.PrivilegedExceptionAction%29)
> This API itself cannot be used, see http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/rsec_jaasauthor.html
> http://www.nabble.com/security-propagation-from-JAAS-context-to-EJB-question-ts24091806s134.html
> An API for Assumed Identity (run-as) support could be implemented like
> 	public <T> T doAs(Subject subject, PrivilegedExceptionAction<T> action)
> 			throws PrivilegedActionException
> 	{
> 		T t = null;
> 		ContextManager.registerSubject(subject);
> 		Callers oldCallers = ContextManager.pushNextCaller(subject);
> 		try
> 		{
> 			t = action.run();
> 		}
> 		catch (Exception e)
> 		{
> 			throw new PrivilegedActionException(e);
> 		}
> 		finally
> 		{
> 			ContextManager.popCallers(oldCallers);
> 		}
> 		return t;
> 	}
> This code could be put into a method of ContextManager or into a new class org.apache.geronimo.security.Security.

> This would still create a non-portable dependency to Geronimo in user code.
> You would use it like 
> LoginContext lc = new LoginContext("geronimo-admin", handler);
> lc.login();
> Subject subject = lc.getSubject();
> String s = doAs(subject, new PrivilegedExceptionAction<String>()
> {
> 	public String run() throws Exception
> 	{
> 		return null; // secure code
> 	}
> });
> This would be analogous to similar APIs in Weblogic Server or Websphere AS.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message