From: Juergen Weber
X-Nabble-From: weberjn@gmail.com
To: user@geronimo.apache.org
Subject: Re: security propagation from JAAS context to EJB question
Date: Thu, 18 Jun 2009 13:08:02 -0700 (PDT)
Message-ID: <24099592.post@talk.nabble.com>
In-Reply-To: <0B776BE3-C389-4F72-A586-84CA310CC84E@yahoo.com>
References: <24091806.post@talk.nabble.com> <0B776BE3-C389-4F72-A586-84CA310CC84E@yahoo.com>

David,

yes, you understood right. I want the container to use the currently active JAAS subject for the EJB call. But I had hoped that the container automatically would use the currently active JAAS subject. This seems not to be possible, as I have just found explained in these WebSphere docs:

http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/rsec_jaasauthor.html

Anyway, the API you gave looks fine, but it seems to be ContextManager

    public static Callers pushNextCaller(Subject nextCaller)

Thanks very much,
Juergen

djencks wrote:
>
> On Jun 18, 2009, at 5:28 AM, Juergen Weber wrote:
>
>> Hi,
>>
>> I opened a JAAS LoginContext in a JSP (the JSP runs under
>> ) and called an EJB using a PrivilegedAction with the
>> resulting subject. It looks like the subject is not propagated to
>> the EJB. Also it looks like the currently active web user cannot be
>> gotten by JAAS. So, it looks like there is a separation between
>> Container authority and JAAS.
>>
>> Is that behaviour OK?
>>
>> (The background of all this is we'd like to use constraint> for
>> the web app, but the EJB call should be made with a technical user.
>> Also, the EJB call is much deeper in the call stack than the
>> authentication of the technical user, so the call should be in a
>> PrivilegedAction with the subject bound.)
>
> I don't understand exactly what you are trying to do but maybe you
> want to authenticate in a jsp rather than using a built in auth
> method? And then use the resulting Subject in container managed
> authorization??
>
> The way to do this is to use one of the ContextManager.login methods
> so your Subject gets registered with geronimo, and then tell geronimo
> to use your Subject with
>
>     ContextManager.setCallers(subject, subject)
>
> or if you want to imitate "run-as" functionality
>
>     Callers oldCallers = ContextManager.pushSubject(subject);
>     try {
>         // do stuff
>     } finally {
>         ContextManager.popCallers(oldCallers);
>     }
>
> (hopefully I remembered the method names and sigs rightly)
>
> hope this helps
>
> david jencks
>
>> Thanks,
>> Juergen
>>
>> I have put some comments with System.out output into the code
>>
>>     Subject subjectjsp = Subject.getSubject(AccessController.getContext());
>>     System.out.println("JSP subject:" + subjectjsp);
>>     // JSP subject:null. Why isn't this the user logged in to the webapp?
>>
>>     SimpleCallbackHandler handler =
>>         new SimpleCallbackHandler("tomcat", "tomcat".toCharArray());
>>
>>     LoginContext loginCtx = new LoginContext("geronimo-admin", handler);
>>     loginCtx.login();
>>     Subject subject = loginCtx.getSubject();
>>     Set principals = subject.getPrincipals();
>>
>>     System.out.println("principals:" + principals);
>>     // principals:[tomcat, admin, tomcatgroup]
>>
>>     PrivilegedAction action = new PrivilegedAction() {
>>
>>         public Object run()
>>         {
>>             Subject subject = Subject.getSubject(AccessController.getContext());
>>
>>             System.out.println("inner subject:" + subject);
>>             // inner subject:Subject:
>>             // Principal: tomcat
>>             // Principal: admin
>>             // Principal: tomcatgroup
>>
>>             Context context;
>>             try
>>             {
>>                 context = new InitialContext();
>>
>>                 Secured3 secured3 = (Secured3)
>>                     context.lookup("java:comp/env/ejb/Secured3");
>>                 String secureMethod = secured3.secureMethod("hello");
>>                 System.out.println("secureMethod: " + secureMethod);
>>
>>                 // ctx.getCallerPrincipal():
>>                 // secureMethod: Hello hello at Thu Jun 18 13:55:49 CEST 2009
>>                 //   org.apache.openejb.core.stateless.StatelessContext@133b364
>>                 //   you are: org.apache.openejb.core.UnauthenticatedPrincipal@1884ac4
>>
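The run-as pattern David describes, with the pushNextCaller name Juergen found, as an added example that is not code from this thread or from Geronimo's own sources: the technical user is logged in through ContextManager so Geronimo registers the Subject, the Subject is pushed as the next caller only around the one EJB call, and it is popped in a finally block so the web caller's identity is restored even when the call throws. Assumed: the ContextManager.login(String, CallbackHandler) signature, that the realm "geronimo-admin", the Secured3 interface and the JNDI name are those from the original post, and that the technical user's credentials are supplied by the caller from configuration rather than hardcoded in the JSP.

```java
import java.io.IOException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.geronimo.security.Callers;
import org.apache.geronimo.security.ContextManager;

/** Makes a single EJB call as a technical user; the web caller's identity applies everywhere else. */
public class TechnicalUserCall {

    /** Minimal JAAS handler answering the login module's name and password callbacks. */
    static CallbackHandler credentials(final String user, final char[] password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /** user/password come from deployment configuration (assumption), never from a literal in the page. */
    public static String callAsTechnicalUser(String user, char[] password)
            throws LoginException, NamingException {
        // ContextManager.login registers the Subject with Geronimo; a plain new LoginContext(...)
        // does not, which is why the JSP's PrivilegedAction subject never reached the EJB.
        // Signature login(String realm, CallbackHandler) is an assumption.
        LoginContext lc = ContextManager.login("geronimo-admin", credentials(user, password));
        Subject technical = lc.getSubject();
        Callers previous = ContextManager.pushNextCaller(technical); // run-as, scoped to this block
        try {
            Secured3 bean = (Secured3) new InitialContext().lookup("java:comp/env/ejb/Secured3");
            return bean.secureMethod("hello"); // ctx.getCallerPrincipal() now sees the technical user
        } finally {
            ContextManager.popCallers(previous); // restore the web caller even if the call threw
            try { lc.logout(); } catch (LoginException ignored) { }
        }
    }
}
```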