From: David Jencks
Subject: Re: JAAS with a standalone client
Date: Tue, 22 Apr 2008 09:40:41 -0700
To: user@geronimo.apache.org
In-Reply-To: <16824275.post@talk.nabble.com>

On Apr 22, 2008, at 6:45 AM, maho77 wrote:

> Hello,
> I have a standalone client, not a JEE application client. Now I want to login
> to the server using JAAS, which works until now. But the only principal I
> get from the subject is a server principal. But I need all
> GeronimoGroupPrincipals and GeronimoUserPrincipals of the authenticated user
> in the subject on my client, to enable or disable UI elements. I
> investigated in the source code but found no solution for this. Is it
> possible to get the GeronimoPrincipals to the client or can I get the server
> subject in any way?
>
> Currently I have a bean that does the same as the corresponding SQLRealm. It
> provides the user and group depending on the user that is currently logged
> in. But I want to avoid this solution.
>
> Can you give me a hint?

Well, I kind of hope you can't get the server side Subject into your client :-).

Could I suggest that doing so might not be appropriate from a security standpoint? You don't really know what other sensitive info might have been added to the Subject. Also, I think you would be tying your client to a particular login module which might not be an appropriate coupling.
What I would suggest considering is to have a server component (ejb?) that maps the principals in the Subject to a set of (String) roles that are sent back to the client, and that you base the UI stuff on these roles. It's pretty silly that there isn't a getUserRoles() call in the ee specs but that is what we have to live with now.

Anyway I think this would prevent accidentally sending sensitive info to the client, and provide some decoupling between the specific login module you happen to be using now and your client.

There might be something I've overlooked here, so feel free to try to change my mind :-)

thanks
david jencks

>
> Mark
> --
> View this message in context: http://www.nabble.com/JAAS-with-a-standalone-client-tp16824275s134p16824275.html
> Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
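The server-side mapping David describes, as an added example that is not part of the original thread and not Geronimo's own code: a class that takes the authenticated JAAS Subject, keeps only group principals whose names are on an explicit allow-list, and returns plain role strings for the client. Assumptions: the GERONIMO_GROUP_PRINCIPAL class name is taken to be the Geronimo 2.x group principal (it is matched by name so the class compiles without the realm's jars); the Demo* principal classes and the Subject built in main() are constructed stand-ins for what a login module would produce, not real Geronimo types.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.Subject;

/**
 * Server-side mapping from an authenticated JAAS Subject to plain role names.
 * Only the Set<String> returned by rolesFor() should cross the wire; the
 * Subject, its credentials and whatever other principals the login module
 * added stay on the server.
 */
public final class RoleMapper {

    /**
     * Class name of the principal type that denotes group membership.
     * Assumed (example) to be the Geronimo 2.x group principal; compared by
     * name so the client and this class need no dependency on the realm.
     */
    public static final String GERONIMO_GROUP_PRINCIPAL =
        "org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal";

    private final Set<String> groupPrincipalClasses;
    private final Set<String> knownRoles;

    /**
     * @param groupPrincipalClasses principal classes whose getName() is a group name
     * @param knownRoles            the only role names the client is allowed to learn
     */
    public RoleMapper(Set<String> groupPrincipalClasses, Set<String> knownRoles) {
        this.groupPrincipalClasses = new HashSet<String>(groupPrincipalClasses);
        this.knownRoles = new HashSet<String>(knownRoles);
    }

    /**
     * Returns the known roles held by the Subject as an unmodifiable set.
     * User principals, the server principal the client currently sees, and
     * anything carrying credentials are ignored by class; group names that are
     * not on the allow-list are dropped rather than forwarded, so a renamed or
     * extra principal on the server never shows up as an unexpected UI role.
     */
    public Set<String> rolesFor(Subject subject) {
        if (subject == null) {
            return Collections.emptySet();
        }
        Set<String> roles = new LinkedHashSet<String>();
        for (Principal p : subject.getPrincipals()) {
            if (groupPrincipalClasses.contains(p.getClass().getName())
                    && knownRoles.contains(p.getName())) {
                roles.add(p.getName());
            }
        }
        return Collections.unmodifiableSet(roles);
    }

    // ---- hypothetical stand-ins for the demo; not Geronimo classes ----

    /** Stand-in for a group principal such as GeronimoGroupPrincipal. */
    static final class DemoGroupPrincipal implements Principal {
        private final String name;
        DemoGroupPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Stand-in for a user principal such as GeronimoUserPrincipal. */
    static final class DemoUserPrincipal implements Principal {
        private final String name;
        DemoUserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Stand-in for a server-side principal carrying data the client must not see. */
    static final class DemoServerPrincipal implements Principal {
        private final String name;
        private final String internalToken;
        DemoServerPrincipal(String name, String internalToken) {
            this.name = name;
            this.internalToken = internalToken;
        }
        public String getName() { return name; }
    }

    public static void main(String[] args) {
        // Constructed Subject standing in for what the login module builds on the server.
        Subject serverSide = new Subject();
        serverSide.getPrincipals().add(new DemoUserPrincipal("mark"));
        serverSide.getPrincipals().add(new DemoGroupPrincipal("admin"));
        serverSide.getPrincipals().add(new DemoGroupPrincipal("reporting"));
        serverSide.getPrincipals().add(new DemoGroupPrincipal("db-internal")); // not a UI role
        serverSide.getPrincipals().add(new DemoServerPrincipal("geronimo-server", "opaque-token"));
        serverSide.getPrivateCredentials().add("password-that-must-stay-on-the-server");

        RoleMapper mapper = new RoleMapper(
            new HashSet<String>(Arrays.asList(
                DemoGroupPrincipal.class.getName(), GERONIMO_GROUP_PRINCIPAL)),
            new HashSet<String>(Arrays.asList("admin", "reporting", "readonly")));

        Set<String> roles = mapper.rolesFor(serverSide);
        System.out.println("roles sent to client: " + roles);
        System.out.println("db-internal leaked? " + roles.contains("db-internal"));
    }
}
```

In a deployment this would sit behind a session bean business method that obtains the caller Subject from the container and returns only the Set<String>; the client then drives its UI from roles.contains("admin") and similar. Hiding a button is not authorization, so the server must still enforce access on every call regardless of what the client was told.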