From: David Jencks
To: user@geronimo.apache.org
Subject: Re: security propagation from JAAS context to EJB question
Date: Thu, 18 Jun 2009 09:57:28 -0700
Message-Id: <0B776BE3-C389-4F72-A586-84CA310CC84E@yahoo.com>
In-Reply-To: <24091806.post@talk.nabble.com>

On Jun 18, 2009, at 5:28 AM, Juergen Weber wrote:

> Hi,
>
> I opened a JAAS LoginContext in a JSP (the JSP runs under ) and called an EJB using a PrivilegedAction with the resulting subject. It looks like the subject is not propagated to the EJB. Also it looks like the currently active web user cannot be gotten by JAAS. So, it looks like there is a separation between Container authority and JAAS.
>
> Is that behaviour OK?
>
> (The background of all this is that we'd like to use constraint> for the web app, but the EJB call should be made with a technical user. Also, the EJB call is much deeper in the call stack than the authentication of the technical user, so the call should be in a PrivilegedAction with the subject bound.)

I don't understand exactly what you are trying to do, but maybe you want to authenticate in a JSP rather than using a built-in auth method? And then use the resulting Subject in container-managed authorization??
The way to do this is to use one of the ContextManager.login methods so your Subject gets registered with geronimo, and then tell geronimo to use your Subject with ContextManager.setCallers(subject, subject), or, if you want to imitate "run-as" functionality:

    Callers oldCallers = ContextManager.pushSubject(subject);
    try {
        // do stuff
    } finally {
        ContextManager.popCallers(oldCallers);
    }

(hopefully I remembered the method names and sigs rightly)

hope this helps
david jencks

> Thanks,
> Juergen
>
> I have put some comments with System.out output into the code
>
>     import java.security.AccessController;
>     import java.security.PrivilegedAction;
>     import java.util.Set;
>     import javax.naming.Context;
>     import javax.naming.InitialContext;
>     import javax.naming.NamingException;
>     import javax.security.auth.Subject;
>     import javax.security.auth.login.LoginContext;
>     // SimpleCallbackHandler and Secured3 are the poster's own classes (packages not shown).
>     // This runs inside a JSP scriptlet; LoginException from login() must be caught or
>     // declared by the enclosing page.
>
>     Subject subjectjsp = Subject.getSubject(AccessController.getContext());
>     System.out.println("JSP subject:" + subjectjsp);
>     // JSP subject:null. Why isn't this the user logged in to the webapp?
>
>     SimpleCallbackHandler handler = new SimpleCallbackHandler("tomcat", "tomcat".toCharArray());
>
>     LoginContext loginCtx = new LoginContext("geronimo-admin", handler);
>     loginCtx.login();
>     Subject subject = loginCtx.getSubject();
>     Set principals = subject.getPrincipals();
>
>     System.out.println("principals:" + principals);
>     // principals:[tomcat, admin, tomcatgroup]
>
>     PrivilegedAction action = new PrivilegedAction() {
>         public Object run() {
>             Subject subject = Subject.getSubject(AccessController.getContext());
>             System.out.println("inner subject:" + subject);
>             // inner subject:Subject:
>             //   Principal: tomcat
>             //   Principal: admin
>             //   Principal: tomcatgroup
>
>             Context context;
>             try {
>                 context = new InitialContext();
>                 Secured3 secured3 = (Secured3) context.lookup("java:comp/env/ejb/Secured3");
>                 String secureMethod = secured3.secureMethod("hello");
>                 System.out.println("secureMethod: " + secureMethod);
>                 // ctx.getCallerPrincipal():
>                 // secureMethod: Hello hello at Thu Jun 18 13:55:49 CEST 2009
>                 //   org.apache.openejb.core.stateless.StatelessContext@133b364 you are:
>                 //   org.apache.openejb.core.UnauthenticatedPrincipal@1884ac4
>             } catch (NamingException e) {
>                 throw new RuntimeException(e);
>             }
>             return null;
>         }
>     };
>     // Run the action with the JAAS Subject bound to the AccessControlContext.
>     Subject.doAs(subject, action);
>
> --
> View this message in context:
> http://www.nabble.com/security-propagation-from-JAAS-context-to-EJB-question-tp24091806s134p24091806.html
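The following is an added example, not code from the thread or from the Geronimo project, showing the sequence David describes end to end: authenticate the technical user through ContextManager so the Subject is registered with Geronimo, make it the caller for the EJB invocation, and restore the web container's caller afterwards. The reason the poster's Subject.doAs approach did not work is that Geronimo's EJB authorization reads the caller from ContextManager's per-thread callers, not from the AccessControlContext that Subject.doAs binds. Assumptions: ContextManager.login(String, CallbackHandler), ContextManager.logout(LoginContext), ContextManager.pushNextCaller(Subject) returning Callers, and ContextManager.popCallers(Callers) are recalled from Geronimo 2.x's org.apache.geronimo.security.ContextManager (David's reply calls the push method pushSubject; check the name and signature against your version). Secured3 is the poster's own EJB interface; the realm name, JNDI name and credentials are placeholders.

```java
import java.io.IOException;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.apache.geronimo.security.Callers;
import org.apache.geronimo.security.ContextManager;

/**
 * Added example (not from the thread): call an EJB as a technical user from a
 * web request that was authenticated as somebody else.
 *
 * ContextManager.login/logout/pushNextCaller/popCallers are assumed Geronimo 2.x
 * API names; verify them in org.apache.geronimo.security.ContextManager.
 */
public final class TechnicalUserCall {

    private TechnicalUserCall() {}

    /** Plain JAAS callback handler answering name and password callbacks. */
    static final class StaticCredentials implements CallbackHandler {
        private final String user;
        private final char[] password;

        StaticCredentials(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /**
     * Runs Secured3.secureMethod("hello") with the technical user as the EJB caller,
     * then puts the request thread back exactly as it was.
     *
     * @param realm       Geronimo security realm holding the technical user, e.g. "geronimo-admin"
     * @param ejbJndiName JNDI name of the bean, e.g. "java:comp/env/ejb/Secured3"
     */
    public static String callAsTechnicalUser(String realm, String user, char[] password, String ejbJndiName)
            throws LoginException, NamingException {
        // 1. Authenticate via ContextManager rather than a bare javax LoginContext so the
        //    resulting Subject is registered with Geronimo and usable as a caller.
        LoginContext loginCtx = ContextManager.login(realm, new StaticCredentials(user, password));
        Subject technical = loginCtx.getSubject();

        // 2. Make the technical user the caller for the next invocation ("run-as" style) and
        //    keep the previous Callers so the web user's identity can be restored.
        //    ContextManager.setCallers(technical, technical) is the non-nested alternative.
        Callers previous = ContextManager.pushNextCaller(technical);
        try {
            Secured3 secured3 = (Secured3) new InitialContext().lookup(ejbJndiName);
            return secured3.secureMethod("hello");
        } finally {
            // 3. Always restore and log out, even when the EJB call throws; otherwise the
            //    technical identity leaks into the rest of this request thread.
            ContextManager.popCallers(previous);
            ContextManager.logout(loginCtx);
        }
    }
}
```

Because the caller is tracked per thread, the push/pop pair must bracket the EJB call on the same thread that does the lookup and invocation; handing the bean proxy to another thread does not carry the technical identity with it.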