In case this helps anybody, I got this working now. Our site has a Valve that checks for a valid cookie and, if none is found, redirects to a standard authentication screen. The session has a variable added storing information related to the principal and cookie, and the request is populated with a Principal containing the same information.
My realm then is invoked whenever a role is to be checked. It performs JAAS authorisation based on the authenticated user (in my case using a different user key). I really only needed to replace the hasRole method, but the getSecurityContext method was private so I had to copy it. The code is as follows:

import java.security.Principal;
import java.util.Vector;

import javax.naming.InitialContext;
import javax.naming.NamingException;

import org.apache.catalina.Realm;
import org.jboss.logging.Logger;
import org.jboss.web.tomcat.security.JBossGenericPrincipal;
import org.jboss.web.tomcat.security.JBossSecurityMgrRealm;
// LDAPPrincipal is not a JBoss or Tomcat class and the post does not show
// where it is defined; import it from that package.

/**
 * An extension of the JBossSecurityMgrRealm that links JBOSS JAAS with Tomcat.
 * This extension calls the Authorisation process of the JaasSecurityManager using
 * a principal passed from the Tomcat sign-on via org.apache.catalina.valves.GdAuthValve.
 *
 * @author Jim Brady
 * @version $Revision: 1 $
 */
public class DbprintJBossSecurityMgrRealm extends JBossSecurityMgrRealm implements Realm {

    static Logger log = Logger.getLogger(DbprintJBossSecurityMgrRealm.class);

    /**
     * Extension of JBoss JAAS Security Manager for Tomcat that
     * adds a JAAS Authorisation call based on the UserPrincipal coming from
     * a Tomcat Valve. This reverses the normal causation in JBOSS.
     *
     * Returns true if the specified user Principal
     * has the specified security role, within the context of this
     * Realm; otherwise return false. This will be
     * true when an associated role Principal can be found whose
     * getName method returns a String equalling the
     * specified role.
     *
     * @param principal Principal for whom the role is to be checked
     * @param role      Security role to be checked
     */
    public boolean hasRole(Principal principal, String role) {
        if ((principal == null) || (role == null)) {
            return false;
        }
        if (principal instanceof JBossGenericPrincipal) {
            // Already signed on through JBoss JAAS: the normal path.
            return super.hasRole(principal, role);
        } else {
            // Non-JAAS sign-on (principal set by the Valve) - we need to
            // trigger a JAAS sign-on here so that the roles get loaded.
            log.trace("Got principal of type " + principal.getClass().getName());
            log.trace("Got principal of name " + principal.getName());
            if (principal instanceof LDAPPrincipal) {
                // The JAAS login module is keyed on the mail user id, not the LDAP name.
                String mailuserid = (String) ((Vector) ((LDAPPrincipal) principal)
                        .getProperty("mailuserid")).elementAt(0);
                log.trace("mailuserid " + mailuserid);
                Principal cachePrincipal = authenticate(mailuserid.toLowerCase(), "");
                return super.hasRole(cachePrincipal, role);
            } else {
                Principal cachePrincipal = authenticate(principal.getName().toLowerCase(), "");
                return super.hasRole(cachePrincipal, role);
            }
        }
    }

    /**
     * Copied from JBossSecurityMgrRealm, where it is private.
     *
     * @return JAAS Context
     */
    private javax.naming.Context getSecurityContext() {
        javax.naming.Context securityCtx = null;
        // Get the JBoss security manager from the ENC context
        try {
            InitialContext iniCtx = new InitialContext();
            securityCtx = (javax.naming.Context) iniCtx.lookup("java:comp/env/security");
        } catch (NamingException e) {
            // Apparently there is no security context?
        }
        return securityCtx;
    }
}

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3911157#3911157
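The post describes the Valve half of this design (check for a valid cookie, redirect to the sign-on screen if there is none, otherwise put a Principal on the request) but only shows the Realm. The following is an added example of such a Valve for Tomcat 5.x; it is not Jim Brady's GdAuthValve or any JBoss code. The cookie name and format (hex user name, a dot, then a hex HMAC-SHA256 over the user name), the session attribute name, the login URL and the hmacKey setter are all assumptions made for the example.

```java
package example.auth; // hypothetical package, not from the post

import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Added example (not from the post): a Valve that verifies an HMAC-signed
 * cookie, redirects to the login screen when it is missing or invalid, and
 * otherwise sets the request's user Principal so that a Realm like the one
 * in the post can authorise roles against it.
 */
public class CookieAuthValve extends ValveBase {

    static final String COOKIE_NAME = "GDAUTH";        // assumed cookie name
    static final String LOGIN_URL = "/auth/login";     // assumed login screen
    static final String SESSION_KEY = "gd.principal";  // assumed session attribute

    // Assumed to be configured from server.xml as <Valve ... hmacKey="hex..."/>
    private byte[] hmacKey;

    public void setHmacKey(String hexKey) { this.hmacKey = fromHex(hexKey); }

    public void invoke(Request request, Response response) throws IOException, ServletException {
        String user = verifiedUser(request.getCookies());
        if (user == null) {
            response.sendRedirect(LOGIN_URL);   // no valid cookie: go and sign on
            return;
        }
        // As in the post: principal info into the session, and a Principal on
        // the request for the Realm's hasRole() to consume.
        request.getSession(true).setAttribute(SESSION_KEY, user);
        request.setUserPrincipal(new CookiePrincipal(user));
        getNext().invoke(request, response);
    }

    /** Returns the user name carried by a correctly signed cookie, or null. */
    String verifiedUser(Cookie[] cookies) throws IOException {
        if (cookies == null) return null;
        for (int i = 0; i < cookies.length; i++) {
            if (!COOKIE_NAME.equals(cookies[i].getName())) continue;
            String value = cookies[i].getValue();
            int dot = value.indexOf('.');
            if (dot <= 0 || dot == value.length() - 1) return null;
            byte[] userBytes = fromHex(value.substring(0, dot));
            byte[] presented = fromHex(value.substring(dot + 1));
            if (userBytes == null || presented == null) return null;
            byte[] expected = mac(userBytes);
            // Constant-time comparison so a mismatch does not leak where it failed.
            if (expected != null && MessageDigest.isEqual(expected, presented)) {
                return new String(userBytes, "UTF-8");
            }
            return null; // first matching cookie decides; do not fall through
        }
        return null;
    }

    private byte[] mac(byte[] data) {
        if (hmacKey == null) return null; // unconfigured key: deny, never allow
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
            return mac.doFinal(data);
        } catch (java.security.GeneralSecurityException e) {
            return null;
        }
    }

    static byte[] fromHex(String s) {
        if (s == null || s.length() % 2 != 0) return null;
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(s.charAt(2 * i), 16);
            int lo = Character.digit(s.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    /** Minimal Principal carrying just the verified user name. */
    static final class CookiePrincipal implements Principal {
        private final String name;
        CookiePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
}
```

Two points of the design are worth keeping in view when pairing a Valve like this with the Realm in the post. First, the Realm ends up calling authenticate(name, "") with an empty credential, so the JAAS login module behind it has to be one that accepts the user name alone; the whole arrangement therefore rests on the Valve's cookie check being the only way a Principal reaches the request. Second, if that authenticate call fails it returns null, which then flows into super.hasRole(); a null key or a malformed cookie in the example above simply ends in a redirect, which is the safer failure mode.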
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user