How does the local user name get changed here? The invocation only sets up the
delegated credentials, so any WS invocation you do from test() will have the
caller's credential, but not the local account the caller is mapped to.

We use gridmap files to map from caller to local user name, and some of the
higher-level services explicitly use sudo to change to the local user
account. So unless you have a security manager with some policy that
explicitly determines the local user account to use for file creation, you
will not see the file created as the delegated user.

BTW, you can use the security descriptor configuration to automatically set
up the caller's credential as the invocation credential by using the run-as
configuration property. For GT 4.0.x, here is the configuration:

http://www.globus.org/toolkit/docs/4.0/security/authzframe/security_descriptor.html#s-authzframe-secdesc-configRunas

Hope this helps,

Rachana
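An added example (not code from this thread or from the toolkit) of the gridmap lookup step described above: it resolves the caller's DN to the local account names listed in a grid-mapfile, using a constructed sample mapfile with placeholder DNs and accounts. The lookup is only a mapping; it does not change the user the JVM runs as, so the file is still created as the container's own user unless something like sudo switches accounts afterwards.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Minimal grid-mapfile lookup: quoted caller DN -> local account name(s). */
public class GridMapLookup {
    private final Map<String, List<String>> entries = new HashMap<String, List<String>>();

    /** Parses grid-mapfile text: "<DN>" user1[,user2...] per line; '#' lines are comments. */
    public GridMapLookup(String gridmapText) throws IOException {
        BufferedReader in = new BufferedReader(new StringReader(gridmapText));
        String line;
        while ((line = in.readLine()) != null) {
            line = line.trim();
            if (line.length() == 0 || line.startsWith("#")) continue;
            int close = line.startsWith("\"") ? line.indexOf('"', 1) : -1;
            if (close < 0) continue;                     // malformed: DN must be quoted
            String dn = line.substring(1, close);
            String users = line.substring(close + 1).trim();
            if (users.length() == 0) continue;           // malformed: no local account
            entries.put(dn, Arrays.asList(users.split("\\s*,\\s*")));
        }
    }

    /** Exact match on the full DN; an empty list means the caller is not mapped. */
    public List<String> localUsers(String callerDn) {
        List<String> users = entries.get(callerDn);
        return users == null ? Collections.<String>emptyList() : users;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample mapfile; DNs and account names are placeholders.
        String sample =
            "# grid-mapfile (constructed sample)\n" +
            "\"/C=US/O=Example/CN=Jane Doe\" jdoe,gridops\n" +
            "\"/C=US/O=Example/CN=Test Service\" globus\n";
        GridMapLookup gm = new GridMapLookup(sample);
        // The lookup only tells you which account the caller maps to; the JVM keeps
        // running as its own user, so any switch to that account is a separate step.
        System.out.println(gm.localUsers("/C=US/O=Example/CN=Jane Doe"));
        System.out.println(gm.localUsers("/C=US/O=Example/CN=Nobody"));
    }
}
```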

  _____  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of [EMAIL PROTECTED]
Sent: Wednesday, October 03, 2007 4:52 PM
To: [email protected]
Subject: [gt-user] (How?) Does JaasSubject.doAs() work??

Hello,

I am trying to create a file in a web service. The problem is that the file has to
be owned by the owner of the delegated credential. I thought I could do it somehow
with the JaasSubject, but the file owner is always globus.

thx pod69 

import java.io.File;
import java.io.IOException;
import javax.security.auth.Subject;
import org.apache.axis.MessageContext;
import org.globus.gsi.jaas.JaasSubject;
import org.globus.wsrf.security.SecurityManager;
// GT4 package of the Constants class holding INVOCATION_SUBJECT (adjust if your version differs)
import org.globus.wsrf.impl.security.authentication.Constants;
import org.ietf.jgss.GSSException;

public void test() throws IOException, GSSException {
    SecurityManager.getManager().setServiceOwnerFromContext();

    MessageContext mctx = MessageContext.getCurrentContext();
    SecurityManager manager = SecurityManager.getManager(mctx);
    // The invocation Subject carries the caller's (delegated) credentials
    Subject subject = (Subject) mctx.getProperty(Constants.INVOCATION_SUBJECT);
    System.out.println(mctx.getUsername());
    // Runs the action with the Subject associated with the current thread
    JaasSubject.doAs(subject, new ExampleAction());
}

class ExampleAction implements java.security.PrivilegedAction {
    public Object run() {
        File file = null;
        try {
            file = new File("/tmp/test");

            // Create file if it does not exist
            boolean success = file.createNewFile();
            if (success) {
                // File did not exist and was created
            } else {
                // File already exists
            }
        } catch (IOException e) {
            // Do not swallow the failure silently
            e.printStackTrace();
        }
        return null;
    }
}
