[ https://issues.apache.org/jira/browse/GERONIMO-4765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12735390#action_12735390 ]

David Jencks commented on GERONIMO-4765:
----------------------------------------

If one made an analogy with transactions, where we have container managed 
transactions and UserTransaction for application tx control, in security we 
have container managed security and this proposal is a bit like the 
UserTransaction for security.  IIUC you are proposing the more robust technique 
of supplying a Runnable containing the work to do rather than asking the caller 
to be sure to end the security context.

Although I am not a fan of run-as one feature I do like is that it effectively 
provided a symbolic name for an identity somewhat abstracted from the identity. 
I wonder if there's any way to abstract the identity here into something more 
like a name.

I'm also not sure that Subject is the best candidate for the identity token we 
need here.  In geronimo today what really gets used for security decisions is 
the AccessControlContext computed from the Subject and we might want to use a 
collection of principals in the future.  (I've been told that there's a quicker 
way to get to the security evaluation that going through ACC).  So we might 
want to come up with a UserIdentity object that contains Subject, ACC, etc etc 
and use that instead of the plain Subject.



> API for Assumed Identity (run-as) support
> -----------------------------------------
>
>                 Key: GERONIMO-4765
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4765
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.2
>            Reporter: Jürgen Weber
>             Fix For: 2.2
>
>
> To programmatically change the currently active subject, at the moment you 
> have to use the following Geronimo-proprietary code:
> ContextManager.registerSubject(subject);
> Callers oldCallers = ContextManager.pushNextCaller(subject);
> try
> {
>       // secure code
> }
> finally
> {
>       ContextManager.popCallers(oldCallers);
> }
> (see 
> http://www.nabble.com/NPE-in-ContextManager.getCurrentContext-ts24645453s134.html)
> There should be a simpler (less Geronimo-dependent code) API analogous to 
> javax.security.auth.Subject.doAs()
> (http://java.sun.com/javase/6/docs/api/javax/security/auth/Subject.html#doAs%28javax.security.auth.Subject,%20java.security.PrivilegedExceptionAction%29)
> This API itself cannot be used, see 
> http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/rsec_jaasauthor.html
> http://www.nabble.com/security-propagation-from-JAAS-context-to-EJB-question-ts24091806s134.html
> An API for Assumed Identity (run-as) support could be implemented like
>       public <T> T doAs(Subject subject, PrivilegedExceptionAction<T> action)
>                       throws PrivilegedActionException
>       {
>               T t = null;
>               ContextManager.registerSubject(subject);
>               Callers oldCallers = ContextManager.pushNextCaller(subject);
>               try
>               {
>                       t = action.run();
>               }
>               catch (Exception e)
>               {
>                       throw new PrivilegedActionException(e);
>               }
>               finally
>               {
>                       ContextManager.popCallers(oldCallers);
>               }
>               return t;
>       }
> This code could be put into a method of ContextManager or into a new class 
> org.apache.geronimo.security.Security. 
> This would still create a non-portable dependency to Geronimo in user code.
> You would use it like 
> LoginContext lc = new LoginContext("geronimo-admin", handler);
> lc.login();
> Subject subject = lc.getSubject();
> String s = doAs(subject, new PrivilegedExceptionAction<String>()
> {
>       public String run() throws Exception
>       {
>               return null; // secure code
>       }
> });
> This would be analogous to similar APIs in Weblogic Server or Websphere AS.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
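As an added example (not the issue's code and not Geronimo's own API), the helper below combines the doAs bracketing proposed in the issue with the symbolic identity name David mentions, and follows Subject.doAs in letting unchecked exceptions propagate unwrapped; the package names for Callers/ContextManager and the name registry are assumptions:

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import org.apache.geronimo.security.Callers;        // assumed package
import org.apache.geronimo.security.ContextManager; // assumed package

// Hypothetical helper; only the ContextManager calls shown in the issue are used.
public final class AssumedIdentity {
    // Symbolic names for identities (the run-as style abstraction), resolved at call time.
    private static final Map<String, Subject> NAMED = new ConcurrentHashMap<String, Subject>();

    private AssumedIdentity() {}

    /** Bind a symbolic name to an authenticated Subject, e.g. after LoginContext.login(). */
    public static void registerName(String name, Subject subject) {
        NAMED.put(name, subject);
    }

    /** Run work under a named identity; the caller never touches the Callers stack. */
    public static <T> T doAs(String name, PrivilegedExceptionAction<T> action)
            throws PrivilegedActionException {
        Subject subject = NAMED.get(name);
        if (subject == null) {
            throw new IllegalArgumentException("no identity registered as '" + name + "'");
        }
        return doAs(subject, action);
    }

    /** Run work as the given Subject, mirroring javax.security.auth.Subject.doAs. */
    public static <T> T doAs(Subject subject, PrivilegedExceptionAction<T> action)
            throws PrivilegedActionException {
        ContextManager.registerSubject(subject);                  // as in the issue's sketch
        Callers oldCallers = ContextManager.pushNextCaller(subject);
        try {
            return action.run();
        } catch (RuntimeException e) {
            throw e;                                   // unchecked: propagate unwrapped
        } catch (Exception e) {
            throw new PrivilegedActionException(e);    // checked: wrap, like Subject.doAs
        } finally {
            ContextManager.popCallers(oldCallers);     // always restore the previous caller
        }
    }
}
```

Because the previous Callers are restored in finally, a thrown Error or a forgotten pop cannot leave the assumed identity active on the thread for later, unrelated work.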