geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: Problem with getCallerPrincipal().getName()
Date Fri, 10 Jun 2005 06:08:25 GMT
I noticed some of this recently too.

I think there are at least two things to discuss here:

1. Why is the caller principal (one of the) group principals?  In  
general, how is the caller principal determined?
-- I'm not sure about the answer to this, I hope to have some time to  
investigate soon, but it may be a while.

2. Should getName() from one of our RealmPrincipals return an  
explanatory string or just the getName() of the wrapped principal?
-- It makes sense to me to return the name of the wrapped principal.

I think it would be a good idea to file a jira issue on at least the  
first of these.  With a little discussion we can probably settle (2)  
quickly.

Thanks
david jencks


On Jun 9, 2005, at 9:32 PM, Ivan S. Dubrov wrote:

> Hello,
>
> I wish to use J2EE security for both the Web module and the EJB module. So I  
> configured a realm, mapped principals to the security roles, and developed  
> appropriate J2EE deployment descriptors. Declarative role-based  
> security works perfectly.
>
> When it comes to programmatic security, I have problems determining the  
> logged-in user name in the EJB module. In the Web module everything is  
> OK: I can call request.getUserPrincipal().getName() and it returns the  
> authorized user name (for example, "joe"). But when I try to get the user  
> name from the EJB with EJBContext.getCallerPrincipal().getName(),  
> I get the following string:
>
> "MyRealm: 
> [org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal: 
> manager]"
>
> I can only get the user's group from this string, "manager", but not the  
> user name. So it seems to me that an important piece of information, the user  
> identity, is lost while propagating the security context from the Web  
> module to the EJB module.
>
> It looks to me like a design flaw.
>
> Any comments on this? How can I overcome this problem? I do not want  
> to pass the username as a parameter to the EJB, since this is not secure  
> (the user calling the EJB can pass somebody else's name). Of course, in my case  
> these calls can be performed only from the Web module, but anyway.
>
> Ivan Dubrov
>
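As an added illustration of the two approaches contrasted in this thread (an EJB trusting a user name passed in as a parameter, versus taking the identity from the container's caller principal and unwrapping a realm-wrapping principal to the wrapped principal's name, as David suggests in point 2), here is a small stand-alone Java sketch. It is not code from Geronimo or from either poster: the `RealmWrapper` interface and its `getWrapped()` accessor are a hypothetical stand-in for Geronimo's RealmPrincipal, the `Sample*` principal classes and the account table are constructed test data, and the explanatory `getName()` string is modelled on the one Ivan quotes.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Geronimo code: an EJB-style check that trusts a
// caller-supplied user name beside one that derives the user from the
// container-provided caller principal, unwrapping realm wrappers on the way.
public class CallerIdentityDemo {

    // Hypothetical stand-in for a realm-wrapping principal such as Geronimo's
    // RealmPrincipal. The accessor name is an assumption, not the real API.
    interface RealmWrapper extends Principal {
        Principal getWrapped();
    }

    // Constructed sample principals: a user and a group.
    static final class SampleUserPrincipal implements Principal {
        private final String name;
        SampleUserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    static final class SampleGroupPrincipal implements Principal {
        private final String name;
        SampleGroupPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Wrapper whose getName() returns an explanatory string of the form
    // "MyRealm: [<class>: <name>]", modelled on the output quoted in the thread.
    static final class SampleRealmPrincipal implements RealmWrapper {
        private final String realm;
        private final Principal wrapped;
        SampleRealmPrincipal(String realm, Principal wrapped) {
            this.realm = realm;
            this.wrapped = wrapped;
        }
        public Principal getWrapped() { return wrapped; }
        public String getName() {
            return realm + ": [" + wrapped.getClass().getName() + ": " + wrapped.getName() + "]";
        }
    }

    // Constructed sample data: which user owns which account.
    static final Map<String, String> ACCOUNT_OWNERS = new HashMap<>();
    static {
        ACCOUNT_OWNERS.put("acct-1", "joe");
        ACCOUNT_OWNERS.put("acct-2", "alice");
    }

    // Pattern Ivan rejects: the caller of the EJB supplies the user name, so
    // any caller can claim to be the account owner.
    static boolean canWithdrawTrustingParameter(String claimedUser, String account) {
        return claimedUser.equals(ACCOUNT_OWNERS.get(account));
    }

    // Container-backed pattern: in a real bean the Principal comes from
    // EJBContext.getCallerPrincipal(); the caller cannot choose it.
    static boolean canWithdraw(Principal caller, String account) {
        String user = callerUserName(caller);
        return user != null && user.equals(ACCOUNT_OWNERS.get(account));
    }

    // Peel realm wrappers until the wrapped principal is reached, then take its
    // plain name (David's point 2). If the container handed over a group
    // principal instead of the user's (David's point 1), unwrapping yields only
    // the group name, so a group is not accepted as a user identity.
    static String callerUserName(Principal caller) {
        Principal p = caller;
        while (p instanceof RealmWrapper) {
            p = ((RealmWrapper) p).getWrapped();
        }
        return (p instanceof SampleUserPrincipal) ? p.getName() : null;
    }

    public static void main(String[] args) {
        Principal wrappedJoe = new SampleRealmPrincipal("MyRealm", new SampleUserPrincipal("joe"));
        Principal wrappedGroup = new SampleRealmPrincipal("MyRealm", new SampleGroupPrincipal("manager"));

        // The explanatory string versus the unwrapped user name.
        System.out.println(wrappedGroup.getName());
        System.out.println(callerUserName(wrappedJoe));
        System.out.println(callerUserName(wrappedGroup));

        // Anyone can pass "joe" to the parameter-trusting check for joe's account.
        System.out.println(canWithdrawTrustingParameter("joe", "acct-1"));
        // The container-backed check follows the supplied principal instead.
        System.out.println(canWithdraw(wrappedJoe, "acct-1"));
        System.out.println(canWithdraw(wrappedJoe, "acct-2"));
        System.out.println(canWithdraw(wrappedGroup, "acct-1"));
    }
}
```

Compile and run it with a plain JDK (`javac CallerIdentityDemo.java && java CallerIdentityDemo`); no container is needed because the principals are constructed in `main`. The point of `callerUserName` returning `null` for a group is that unwrapping only addresses David's second question; if the container propagates a group principal as the caller principal, the user identity is already gone before the EJB sees it, which is his first question.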

