geronimo-user mailing list archives

From rbaumhof <ralf.baum...@web.de>
Subject Re: How to use JACC with JAAS in Geronimo
Date Mon, 21 Jul 2008 12:24:20 GMT

According to your hint I found out the following:

In my ejb i now use the statement:
javax.security.auth.Subject subj =
org.apache.geronimo.security.ContextManager.getCurrentCaller() ;

This returns the subject as I have set in my JAAS login. I have manipulated
the subject during login - I added an additional principal - and I can see
this principal. This works fine but I did not have to do anything within my
servlet. In particular the statement
ContextManager.setCurrentCallers(subject,subject); was not necessary.

If I use in my ejb the statements:

    @Resource
    SessionContext ctx;

    public void checkCaller() {
        Principal caller = ctx.getCallerPrincipal();
        if (caller.getName().equals("Unauthenticated"))
            System.out.println("unauthenticated...");
    }

a principal is returned whose name is "Unauthenticated". The reason may be
that my subject has got 3 principals, a geronimo user principal, a geronimo
group principal and an additional principal I added during login. So it may
be difficult to decide which principal should be taken.

So, this workaround is sufficient for me. It's even much more powerful than
only getting a principal's name.

Thanks for your help.



djencks wrote:
> 
> 
> On Jul 8, 2008, at 4:20 AM, rbaumhof wrote:
> 
>>
>> Hello,
>>
>> I have problems notifying the ejb container about my authentication.
>> Because of some special application requirements I can not use the
>> standard servlet authentication with j_security_check.
> 
> It's not really relevant, but I'd like to know why you can't use  
> normal form authentication.
> 
>> Therefore I perform login by myself
>> using jaas with a geronimo sql security realm. This works fine.
>> However, after the login SessionContext.getCallerPrincipal().getName()
>> returns "Unauthenticated".
> 
> If your app does the authentication rather than relying on a built-in  
> authentication method you will need to hook into the geronimo security  
> mechanism the same way the built-in authentication methods do.  The  
> best way to do this would be by writing your own jaspi  
> ServerAuthModule, but jaspi support is not implemented yet (I'm  
> working on it in trunk).
> 
> Assuming that your authentication system will be storing the Subject  
> from the security realm login in the http session, you need a filter  
> that does something like this:
> 
> Subject subject = getSubjectFromSession(request);
> ContextManager.setCurrentCallers(subject,subject);
> 
> This will not enable any container managed web security since by the  
> time you get to a filter the security checks will already have been  
> performed, but you should be able to use this with container managed  
> ejb security. Note also that run-as roles in servlets won't work in  
> any servlet that this filter applies to.
> 
> Assuming this works (I've never tried it) we should consider supplying  
> this filter with geronimo, perhaps as a plugin.
> 
>> Trying to use
>> org.apache.geronimo.security.ContextManager.getCurrentCaller() (hint
>> of David Jencks, see
>> http://www.nabble.com/How-to-get-the-active-Subject--td11982332s134.html#a11982332)
>> returns null. Because I use my own filter servlet to watch the web
>> sites, I don't use any declarative role mapping in web.xml. I had to
>> remove this because tomcat was not notified about the login.
>>
>> My question is "what do I have to do to make
>> SessionContext.getCallerPrincipal().getName() work?" It should not
>> return "Unauthenticated".
> 
> Unless you use container managed authentication, it actually should  
> return "unauthenticated".  However by hooking into the container  
> managed security system as suggested above you may be able to do what  
> you want.
> 
> Please let us know if this works.
> 
> thanks
> david jencks
> 
>>
>>
>> much thanks in advance
>> -- 
>> View this message in context:
>> http://www.nabble.com/How-to-use-JACC-with-JAAS-in-Geronimo-tp18336889s134p18336889.html
>> Sent from the Apache Geronimo - Users mailing list archive at  
>> Nabble.com.
>>
> 
> 
> 

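The workaround described in this thread, written out as an added example (not code from the original messages or from Geronimo itself): it reads the Subject via ContextManager.getCurrentCaller() and picks the application's own principal by type, so the three principals on the Subject cause no ambiguity; AppPrincipal is a hypothetical stand-in for the principal added by the custom login module, and a null Subject is treated as unauthenticated.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import org.apache.geronimo.security.ContextManager;

public final class CallerResolver {

    /** Hypothetical principal type that the custom JAAS login module adds to the Subject. */
    public static final class AppPrincipal implements Principal {
        private final String name;
        public AppPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "AppPrincipal[" + name + "]"; }
    }

    /** Caller as seen by Geronimo's ContextManager, not SessionContext.getCallerPrincipal(). */
    public static AppPrincipal resolve() {
        return resolve(ContextManager.getCurrentCaller());
    }

    /** Same selection on an explicit Subject, so it can be exercised outside the container. */
    static AppPrincipal resolve(Subject subject) {
        if (subject == null) {
            // getCurrentCaller() returns null when no Subject was pushed for this thread
            return null;
        }
        // Subject.getPrincipals(Class) filters by type, so the Geronimo user and
        // group principals are ignored and only the application principal remains.
        Set<AppPrincipal> ours = subject.getPrincipals(AppPrincipal.class);
        if (ours.size() != 1) {
            // zero: login module did not run; more than one: ambiguous, refuse rather than guess
            return null;
        }
        return ours.iterator().next();
    }

    /** Deny by default: a caller without an AppPrincipal is treated as unauthenticated. */
    public static void requireAuthenticated() {
        if (resolve() == null) {
            throw new SecurityException("unauthenticated caller");
        }
    }

    /** Offline demonstration with a constructed Subject carrying three principals. */
    public static void main(String[] args) {
        Subject s = new Subject();
        s.getPrincipals().add(new AppPrincipal("alice"));               // added during login
        s.getPrincipals().add(new java.security.acl.Group() {            // constructed stand-in
            public boolean addMember(Principal p) { return false; }
            public boolean removeMember(Principal p) { return false; }
            public boolean isMember(Principal p) { return false; }
            public java.util.Enumeration<? extends Principal> members() { return null; }
            public String getName() { return "users"; }
        });
        System.out.println(resolve(s));        // AppPrincipal[alice]
        System.out.println(resolve(null));     // null: unauthenticated
    }
}
```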

