geronimo-user mailing list archives

From Juergen Weber <webe...@gmail.com>
Subject Re: security propagation from JAAS context to EJB question
Date Thu, 18 Jun 2009 20:08:02 GMT

David,

yes, you understood right. I want the container to use the currently active
JAAS subject for the EJB call.

But I had hoped that the container automatically would use the currently
active JAAS subject.
But this seems not to be possible, as I have just found explained in these
WebSphere docs:
http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/rsec_jaasauthor.html

Anyway, the API you gave looks fine, but it seems to be
ContextManager
public static Callers pushNextCaller(Subject nextCaller)

Thanks very much,
Juergen


djencks wrote:
> 
> 
> On Jun 18, 2009, at 5:28 AM, Juergen Weber wrote:
> 
>>
>> Hi,
>>
>> I opened a JAAS LoginContext in a JSP (the JSP runs under
>> <security-constraint>) and called an EJB using a PrivilegedAction with the
>> resulting subject. It looks like the subject is not propagated to the EJB.
>> Also it looks like the currently active web user cannot be gotten by JAAS.
>> So, it looks like there is a separation between Container authority and
>> JAAS.
>>
>> Is that behaviour OK?
>>
>> (the background of all this is we'd like to use <security-constraint> for
>> the web app, but the EJB call be with a technical user. Also, the EJB call
>> is much deeper in the call stack than the authentication of the technical
>> user, so the call should be in a PrivilegedAction with the subject bound).
> 
> I don't understand exactly what you are trying to do but maybe you
> want to authenticate in a jsp rather than using a built-in auth
> method?  And then use the resulting Subject in container managed
> authorization??
> 
> The way to do this is to use one of the ContextManager.login methods  
> so your Subject gets registered with geronimo, and then tell geronimo  
> to use your Subject with
> 
> ContextManager.setCallers(subject,subject)
> 
> or if you want to imitate "run-as" functionality
> 
> Callers oldCallers = ContextManager.pushSubject(subject);
> try {
> //dostuff
> } finally {
>    ContextManager.popCallers(oldCallers);
> }
> 
> (hopefully I remembered the method names and sigs rightly)
> 
> hope this helps
> 
> david jencks
>>
>> Thanks,
>> Juergen
>>
>> I have put some comments with System.out output into the code
>>
>> Subject subjectjsp = Subject.getSubject(AccessController.getContext());
>> System.out.println("JSP subject:" + subjectjsp);
>> // JSP subject:null. Why isn't this the user logged in to the webapp?
>>
>> SimpleCallbackHandler handler = new SimpleCallbackHandler("tomcat", "tomcat".toCharArray());
>>
>> LoginContext loginCtx = new LoginContext("geronimo-admin", handler);
>> loginCtx.login();
>> Subject subject = loginCtx.getSubject();
>> Set<Principal> principals = subject.getPrincipals();
>>
>> System.out.println("principals:" + principals);
>> // principals:[tomcat, admin, tomcatgroup]
>>
>> PrivilegedAction action = new PrivilegedAction() {
>>
>>     public Object run()
>>     {
>>         Subject subject = Subject.getSubject(AccessController.getContext());
>>
>>         System.out.println("inner subject:" + subject);
>>         // inner subject:Subject:
>>         //        Principal: tomcat
>>         //        Principal: admin
>>         //        Principal: tomcatgroup
>>
>>         Context context;
>>         try
>>         {
>>             context = new InitialContext();
>>
>>             Secured3 secured3 = (Secured3) context.lookup("java:comp/env/ejb/Secured3");
>>             String secureMethod = secured3.secureMethod("hello");
>>             System.out.println("secureMethod: " + secureMethod);
>>
>>         // ctx.getCallerPrincipal():
>>         // secureMethod: Hello hello at Thu Jun 18 13:55:49 CEST 2009 org.apache.openejb.core.stateless.StatelessContext@133b364 you are: org.apache.openejb.core.UnauthenticatedPrincipal@1884ac4
>>
>>
>> -- 
>> View this message in context:
>> http://www.nabble.com/security-propagation-from-JAAS-context-to-EJB-question-tp24091806s134p24091806.html
>> Sent from the Apache Geronimo - Users mailing list archive at  
>> Nabble.com.
>>
> 
> 

-- 
View this message in context: http://www.nabble.com/security-propagation-from-JAAS-context-to-EJB-question-tp24091806s134p24099592.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
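An added example, written here and not taken from the thread or from the Geronimo project, of how the run-as pattern David and Juergen arrive at (authenticate through ContextManager so the Subject is registered, push it as the next caller, pop it in a finally) would look as a helper called from a servlet or JSP. It assumes `ContextManager.login(String realm, CallbackHandler)` returns a `javax.security.auth.login.LoginContext` and that `ContextManager.logout(LoginContext)` exists (my recollection of the Geronimo 2.x API, not confirmed by the thread); the realm name, JNDI name and `Secured3` business interface are the ones from Juergen's snippet, and the credentials callback handler is supplied by the caller as a placeholder.

```java
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.apache.geronimo.security.Callers;
import org.apache.geronimo.security.ContextManager;

/**
 * Calls a secured EJB as a "technical user" whose identity is scoped to that
 * one invocation. The web request itself keeps the identity established by
 * the <security-constraint>; only the EJB sees the technical user as caller.
 */
public class TechnicalUserEjbCall {

    // Assumed: realm and JNDI name as in the thread's snippet.
    private static final String REALM = "geronimo-admin";
    private static final String EJB_JNDI = "java:comp/env/ejb/Secured3";

    /**
     * @param technicalUserCreds callback handler holding the technical user's
     *        credentials (placeholder; in practice obtained from server-side
     *        configuration, not from the request)
     */
    public static String callSecuredAsTechnicalUser(CallbackHandler technicalUserCreds)
            throws LoginException, NamingException {

        // 1. Authenticate through Geronimo rather than a bare JAAS LoginContext,
        //    so the resulting Subject is registered with the container's security
        //    service. A Subject that is only bound to the AccessControlContext via
        //    Subject.doAs is invisible to getCallerPrincipal(), which is exactly
        //    the UnauthenticatedPrincipal Juergen observed.
        //    (ContextManager.login signature assumed, see lead-in.)
        LoginContext lc = ContextManager.login(REALM, technicalUserCreds);
        Subject technical = lc.getSubject();

        // 2. Make that Subject the "next caller" (run-as) for everything invoked
        //    below. pushNextCaller returns the previous Callers for restoration.
        Callers previous = ContextManager.pushNextCaller(technical);
        try {
            Secured3 bean = (Secured3) new InitialContext().lookup(EJB_JNDI);
            return bean.secureMethod("hello");
        } finally {
            // 3. Restore the original callers on every exit path. The callers live
            //    in a thread-local and the servlet thread is pooled, so a missing
            //    pop would leave the technical identity attached to later requests
            //    served by the same thread.
            ContextManager.popCallers(previous);
            // Assumed API: drop the registered Subject once the call is done.
            ContextManager.logout(lc);
        }
    }
}
```

The ordering matters for the risk Juergen's use case raises: the elevated identity exists only between `pushNextCaller` and `popCallers`, and the `finally` guarantees the pop even when the lookup or the bean throws. Wrapping the same call in a `PrivilegedAction` instead, as in the original snippet, changes only the JAAS `AccessControlContext` and leaves the container's caller unchanged.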

