geronimo-user mailing list archives

From rbaumhof <>
Subject Re: How to use JACC with JAAS in Geronimo
Date Mon, 21 Jul 2008 12:24:20 GMT

According to your hint I found out the following:

In my EJB I now use the statement: subj = ;

This returns the subject as I have set it in my JAAS login. I have manipulated
the subject during login (I added an additional principal) and I can see
this principal. This works fine, but I did not have to do anything within my
servlet. In particular the statement
ContextManager.setCurrentCallers(subject,subject); was not necessary.

If I use in my EJB the statements:

    @Resource
    private SessionContext ctx;                  // injected by the EJB container
    // ... inside a business method:
    Principal caller = ctx.getCallerPrincipal();
    if (caller.getName().equals("Unauthenticated"))

a principal is returned whose name is "Unauthenticated". The reason may be
that my subject has got 3 principals, a Geronimo user principal, a Geronimo
group principal and an additional principal I added during login. So it may
be difficult to decide which principal should be taken.

So, this workaround is sufficient for me. It's even much more powerful than
only getting a principal's name.

Thanks for your help.

djencks wrote:
> On Jul 8, 2008, at 4:20 AM, rbaumhof wrote:
>> Hello,
>> I have problems notifying the EJB container about my authentication. Because
>> of some special application requirements I cannot use the standard servlet
>> authentication with j_security_check.
> It's not really relevant, but I'd like to know why you can't use normal
> form authentication.
>> Therefore I perform login by myself using JAAS with a Geronimo SQL security
>> realm. This works fine. However, after the login
>> SessionContext.getCallerPrincipal().getName() returns "Unauthenticated".
> If your app does the authentication rather than relying on a built-in
> authentication method you will need to hook into the Geronimo security
> mechanism the same way the built-in authentication methods do. The best
> way to do this would be by writing your own jaspi ServerAuthModule, but
> jaspi support is not implemented yet (I'm working on it in trunk).
> Assuming that your authentication system will be storing the Subject
> from the security realm login in the http session, you need a filter
> that does something like this:
> Subject subject = getSubjectFromSession(request);
> ContextManager.setCurrentCallers(subject,subject);
> This will not enable any container managed web security, since by the
> time you get to a filter the security checks will already have been
> performed, but you should be able to use this with container managed
> EJB security. Note also that run-as roles in servlets won't work in
> any servlet that this filter applies to.
> Assuming this works (I've never tried it) we should consider supplying
> this filter with Geronimo, perhaps as a plugin.
>> The try to use
>> (hint of David Jencks, see
>> returns null. Because I use my own filter servlet to watch the web sites, I
>> don't use any declarative role mapping in web.xml. I had to remove this
>> because Tomcat was not notified about the login.
>> My question is: what do I have to do to make
>> SessionContext.getCallerPrincipal().getName() work? It should not return
>> "Unauthenticated".
> Unless you use container managed authentication, it actually should
> return "unauthenticated". However, by hooking into the container
> managed security system as suggested above you may be able to do what
> you want.
> Please let us know if this works.
> thanks
> david jencks
>> much thanks in advance
>> -- 
>> View this message in context:
>> Sent from the Apache Geronimo - Users mailing list archive at  

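As an added example (not part of the original thread and not Geronimo's own code), here is a servlet filter written along the lines David sketches above: it takes the Subject that the application's JAAS login stored in the HTTP session, publishes it with ContextManager.setCurrentCallers(subject, subject), and undoes that association when the request finishes. It also shows a helper for the ambiguity rbaumhof describes: when the Subject carries the realm's user and group principals plus an application-specific one, the application principal can be selected by type from subject.getPrincipals(...) instead of relying on getCallerPrincipal(). Assumptions: the session attribute name, the AppUserPrincipal class, the class name of the filter, and the restoring call ContextManager.clearCallers(), which should be checked against the ContextManager of the Geronimo version in use.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.geronimo.security.ContextManager;

/**
 * Hypothetical filter that propagates an application-managed JAAS Subject
 * to Geronimo's caller context so container-managed EJB security sees it.
 * As noted in the thread, this runs after the web container's own security
 * checks, so it cannot enforce web constraints; it only affects EJB calls
 * made during this request.
 */
public class SubjectPropagationFilter implements Filter {

    /** Session attribute under which the login code stores the Subject (assumed name). */
    public static final String SUBJECT_ATTR = "app.jaas.subject";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        Subject subject = getSubjectFromSession(request);
        if (subject == null) {
            // No application login on this session: leave the container's own
            // (unauthenticated) caller in place rather than publishing anything.
            chain.doFilter(request, response);
            return;
        }
        ContextManager.setCurrentCallers(subject, subject);   // the call shown in the thread
        try {
            chain.doFilter(request, response);
        } finally {
            // Request threads are pooled: undo the association so that a later
            // request handled by the same thread cannot inherit this Subject.
            // clearCallers() is an assumption; use the restoring call of your version.
            ContextManager.clearCallers();
        }
    }

    /** Returns the Subject stored by the application login, or null if there is none. */
    static Subject getSubjectFromSession(ServletRequest request) {
        if (!(request instanceof HttpServletRequest)) {
            return null;
        }
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        if (session == null) {
            return null;
        }
        Object value = session.getAttribute(SUBJECT_ATTR);
        return (value instanceof Subject) ? (Subject) value : null;
    }

    /**
     * Selects the application's own principal from a Subject that also carries
     * the realm's user and group principals. Selecting by type avoids guessing
     * which of the several principals getCallerPrincipal() would report.
     */
    static AppUserPrincipal appPrincipal(Subject subject) {
        Set<AppUserPrincipal> found = subject.getPrincipals(AppUserPrincipal.class);
        return found.isEmpty() ? null : found.iterator().next();
    }
}

/** Hypothetical principal that the application's login module adds to the Subject. */
final class AppUserPrincipal implements Principal, Serializable {
    private final String name;

    AppUserPrincipal(String name) {
        this.name = name;
    }

    public String getName() {
        return name;
    }
}
```

The filter deliberately does nothing when the session has no Subject, so an unauthenticated request keeps the container's default caller; and the finally block matters more than it looks, because a Subject left on a pooled request thread would be visible to whoever that thread serves next.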
