geronimo-user mailing list archives

From maho77 <>
Subject Re: JAAS with a standalone client
Date Fri, 25 Apr 2008 13:59:26 GMT

djencks wrote:
> I think that sending the server-side subject back to a client is apt  
> to be more than a philosophical problem. 

When I spoke of a philosophical problem, I had in mind that I have to deal with a
standalone client instead of a web application.
JAAS works very well in web-apps. I wouldn't have such problems with a

djencks wrote:
>  In general, you don't know  
> what information other than the principals you are interested in may  
> be in the subject.  For instance in geronimo if you want to access a  
> remote secured web service you put the credentials for the web service  
> in the Subject.  These may be credentials for the server to access the  
> web service, not for the user of the server.  Leaking these to the  
> user/client program could be a serious security violation.  In order  
> to do this, you would need verification that the client program is  
> authorized to get the credentials: presumably this would involve  
> signing the code and communicating this somehow to the server.

Now I understand. Yes, you're absolutely right. I only saw my simple user
and group principals but there could be more. 
In my case the client should only get the information that belongs to him. I
already solved this problem using a stateless bean.

djencks wrote:
> Instead of this likely-to-be-risky exposure, if you just make the user  
> roles available to the client, you are unlikely to be sending  
> particularly sensitive information.  Could I ask what kind of security  
> system you are using on the client that requires principals?

I use the Eclipse RCP. In version 3.4 JAAS support was introduced. So I use
JAAS on the client side too. What I currently do is map roles only to
group principals on the server side. So in my system there is one group for each
role. The groups are my roles. The client gets the groups from a stateless
bean and turns them into my own ClientRolePrincipals. I want the
authorization on the client side too. The RCP can handle certain parts. I
just want to write my permissions and my own Policy implementation. In the
first step I introduced only realm, username, password authentication.

I would like to thank you for your comments. Now I think that my stateless
bean solution isn't as bad as I thought.

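The roles-only approach discussed in this thread, shown as an added example that is not code from the original post or from Geronimo: the server hands back nothing but role names (here a constructed `List<String>` standing in for what the stateless bean would return), the client wraps them in its own `ClientRolePrincipal` type, and the client-side check inspects only those principals, so the server's Subject and any credentials in it never leave the server. Class and method names are assumptions.

```java
import java.security.Principal;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;

// Hypothetical helper: build and query a client-side Subject from role names only.
public final class ClientRoles {

    // Client-side principal created from a role name obtained from the server.
    public static final class ClientRolePrincipal implements Principal {
        private final String role;
        public ClientRolePrincipal(String role) { this.role = role; }
        @Override public String getName() { return role; }
        @Override public boolean equals(Object o) {
            return o instanceof ClientRolePrincipal
                && ((ClientRolePrincipal) o).role.equals(role);
        }
        @Override public int hashCode() { return role.hashCode(); }
        @Override public String toString() { return "ClientRolePrincipal[" + role + "]"; }
    }

    // Builds the client Subject from the role list the stateless bean returned.
    // Only these principals exist on the client; server-side credentials are never sent.
    public static Subject subjectFromRoles(List<String> roles) {
        Subject subject = new Subject();
        Set<Principal> principals = subject.getPrincipals();
        for (String role : roles) {
            principals.add(new ClientRolePrincipal(role));
        }
        subject.setReadOnly(); // freeze the principal set against later modification
        return subject;
    }

    // Client-side authorization check: does the Subject hold the required role?
    public static boolean hasRole(Subject subject, String role) {
        return subject.getPrincipals(ClientRolePrincipal.class)
                      .stream()
                      .anyMatch(p -> p.getName().equals(role));
    }

    public static void main(String[] args) {
        // Constructed sample: the role names a stateless bean would return for one user.
        List<String> rolesFromServer = List.of("reader", "editor");
        Subject subject = subjectFromRoles(rolesFromServer);
        System.out.println("editor: " + hasRole(subject, "editor"));
        System.out.println("admin:  " + hasRole(subject, "admin"));
    }
}
```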