geronimo-user mailing list archives

From maho77 <>
Subject Re: JAAS with a standalone client
Date Thu, 24 Apr 2008 06:16:30 GMT

djencks wrote:
> Well, I kind of hope you can't get the server side Subject into your  
> client :-).  Could I suggest that doing so might not be appropriate  
> from a security standpoint?  You don't really know what other  
> sensitive info might have been added to the Subject.  Also, I think  
> you would be tying your client to a particular login module which  
> might not be an appropriate coupling.
> What I would suggest considering is to have a server component (ejb?)  
> that maps the principals in the Subject to a set of (String) roles  
> that are sent back to the client, and that you base the UI stuff on  
> these roles.  It's pretty silly that there isn't a getUserRoles()  
> call in the ee specs but that is what we have to live with now.   
> Anyway I think this would prevent accidentally sending sensitive info  
> to the client, and provide some decoupling between the specific login  
> module you happen to be using now and your client.
> There might be something I've overlooked here, so feel free to try to  
> change my mind :-)
> thanks
> david jencks


I currently use a login module that calls a stateless bean with the user
credentials. The bean itself takes the user that accesses the bean and returns
all his groups to the client. The client turns the groups into principals
and so on.

This works, but I don't like this way. 

On a client there is a need to hide UI elements from the user in some ways.
The user wants to log in one time to the client.
Then I have to hide some UI elements, e.g. for the whole admin module, if the
user has no access rights for it. And further I only need this information
for hiding UI elements. The logic happens on the Geronimo server and the EJB
components are secured with roles. That means if I want to access the
logic, the server security handles the access, not the client. The client
only has to know the user credentials and the realm.

I know it's a philosophical problem. So see this reply just as a statement
from my point of view. I have no web client; that's the problem I have ;-)

Have a nice day
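The design David Jencks proposes above (a server component that maps the caller's Subject to plain role names, with the client gating its UI on those names only) as an added example; this is not code from the thread or from Geronimo itself. The package, the bean and interface names, and the role names `user`, `admin` and `auditor` are assumptions; the annotations and `SessionContext.isCallerInRole` are the standard EJB 3 API. Because the EE spec has no "list my roles" call, the bean asks the container about each role the application declares, so the Subject and whatever sensitive principals a login module added to it never leave the server.

```java
// Added example, not from the mailing-list thread. Package and role names are assumed.
package example.security;

import java.util.LinkedHashSet;
import java.util.Set;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Remote view the client looks up: it only ever sees role names as Strings.
@Remote
interface UserRoles {
    Set<String> getUserRoles();
}

// Stateless facade that turns the container's role mapping into a Set<String>.
// @DeclareRoles lists every role the application knows about (assumed names);
// @PermitAll lets any caller ask, and an unauthenticated caller simply gets an
// empty set because isCallerInRole() is false for every role.
@Stateless
@DeclareRoles({"user", "admin", "auditor"})
@PermitAll
public class UserRolesBean implements UserRoles {

    // Same list as in @DeclareRoles; these are the only names we will ever return.
    private static final String[] KNOWN_ROLES = {"user", "admin", "auditor"};

    @Resource
    private SessionContext ctx;

    public Set<String> getUserRoles() {
        Set<String> roles = new LinkedHashSet<String>();
        for (String role : KNOWN_ROLES) {
            // Ask the container, not the Subject: this works with whatever
            // login module and principal classes the realm happens to use.
            if (ctx.isCallerInRole(role)) {
                roles.add(role);
            }
        }
        return roles;
    }
}

// Client side: visibility decisions are made from role names alone. Hiding a
// menu is a convenience for the user, not an access control; the secured EJBs
// still enforce their own @RolesAllowed when the client calls them.
class AdminModuleVisibility {

    static boolean showAdminModule(Set<String> roles) {
        return roles.contains("admin");
    }

    static boolean showAuditReports(Set<String> roles) {
        return roles.contains("auditor") || roles.contains("admin");
    }
}
```

The client authenticates once to the realm, looks up `UserRoles` over the remote interface, calls `getUserRoles()` and keeps the returned set for the life of the session. Nothing in that set ties the client to a particular login module, and if a role is later added on the server only `KNOWN_ROLES` and `@DeclareRoles` need to change.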

Sent from the Apache Geronimo - Users mailing list archive at
