Hi

I am experiencing the following behaviour when using a custom JACC provider with 
4.0.3 (I have configured the JaasAuthenticationInterceptor and 
JaccAuthorizationInterceptor JBoss plugins, the JaccAuthorizationRealm in the Tomcat 
sar, and the other settings for the JACC provider):

1a) during a call from a "runAs" configured EJB to another EJB the 
javax.security.jacc.PolicyContext.getContext("javax.security.auth.Subject.container")
method returns a subject populated with a SimplePrincipal that contains the 
"runAs" role name, not the "runAs" principal configured in jboss.xml for the 
EJB. 

1b) during a call from a "runAs" configured servlet to an EJB the 
javax.security.jacc.PolicyContext.getContext("javax.security.auth.Subject.container")
method returns a subject with no principal although the servlet has the "runAs" 
principal configured in jboss-web.xml.

However the internal SecurityAssociation.getCallerPrincipal() does return the 
configured "runAs" principal at least in the EJB container.

JACC 1.0 specification chapter 4.6.1.1 says the caller's or runAs identity should 
be returned, but I am not sure what is meant by it. I am trying to control 
access to components based on identity, e.g. the username of the user that is 
authenticated and, in the case of "runAs", the principal configured for the 
"runAs" role.

2) when EJBContext.getCallerPrincipal() is called in an EJB that is called from 
an EJB with a configured "runAs" role, the principal I am getting is the principal 
that has authenticated to the container, not the principal associated with the 
"runAs" role. However, if the caller is NOT authenticated to the EJB container 
the same call returns a principal that IS associated with the "runAs" role. I am 
using a custom login module not inherited from the JBoss abstract login modules.

3) the call to SessionContext.isCallerInRole(String roleName) does not consult 
the JACC provider. IMO it should check for the EJBRoleRefPermission. The 
servlet container seems to be working OK, i.e. the call to 
HttpServletRequest.isUserInRole(String role) consults the JACC provider for the 
WebRoleRefPermission.

A.K.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3911662#3911662

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3911662
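The post's point 3 expects isCallerInRole to be answered by the JACC provider through an EJBRoleRefPermission check, the way the web container already does with WebRoleRefPermission. The following is an added illustration, not code from the poster or from JBoss, of what such a JACC-aware role check looks like: it reads the caller Subject through the "javax.security.auth.Subject.container" handler named in the post, wraps its principals in a ProtectionDomain, and asks the installed java.security.Policy whether the role reference is implied. The class name, method names, and the sample ejbName/servletName arguments are assumptions for the example; the javax.security.jacc and java.security types are the standard APIs. It must run inside a container that has set the JACC policy context ID (PolicyContext.setContextID) and installed a JACC Policy, so the policy can see which module the check belongs to.

```java
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import javax.security.auth.Subject;
import javax.security.jacc.EJBRoleRefPermission;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebRoleRefPermission;

/**
 * Added example (not JBoss code): a role-reference check that consults the
 * JACC provider instead of the container's internal role mapping.
 */
public final class JaccRoleRefCheck {

    /** Handler key for the container Subject, as quoted in the post. */
    static final String SUBJECT_KEY = "javax.security.auth.Subject.container";

    private JaccRoleRefCheck() {
    }

    /**
     * Builds a ProtectionDomain carrying only the caller's principals.
     * JACC policies decide on (context ID, principals); the code source
     * and class loader play no role, so they are left null.
     */
    static ProtectionDomain callerDomain() throws PolicyContextException {
        Subject subject = (Subject) PolicyContext.getContext(SUBJECT_KEY);
        Principal[] principals = (subject == null)
                ? new Principal[0]
                : subject.getPrincipals().toArray(new Principal[0]);
        return new ProtectionDomain(null, null, null, principals);
    }

    /** Asks the installed JACC Policy whether the caller holds the permission. */
    static boolean callerHas(Permission permission) throws PolicyContextException {
        // An unauthenticated caller (empty principal set) is still evaluated:
        // the policy may grant the permission to the unchecked/any role.
        return Policy.getPolicy().implies(callerDomain(), permission);
    }

    /**
     * JACC-aware equivalent of SessionContext.isCallerInRole for the bean
     * named ejbName (the deployment descriptor ejb-name). This is what the
     * post argues the EJB container should be doing.
     */
    public static boolean isCallerInRole(String ejbName, String roleName)
            throws PolicyContextException {
        return callerHas(new EJBRoleRefPermission(ejbName, roleName));
    }

    /**
     * JACC-aware equivalent of HttpServletRequest.isUserInRole for the
     * servlet named servletName, mirroring the web-container behaviour the
     * post reports as already working.
     */
    public static boolean isUserInRole(String servletName, String roleName)
            throws PolicyContextException {
        return callerHas(new WebRoleRefPermission(servletName, roleName));
    }

    /** Usage sketch; the names are placeholders for this example. */
    public static void main(String[] args) throws PolicyContextException {
        System.out.println("EJB role ref: " + isCallerInRole("AccountBean", "Manager"));
        System.out.println("Web role ref: " + isUserInRole("AccountServlet", "Manager"));
    }
}
```

Whether the two checks in this example agree for a runAs caller depends entirely on which principals the container places in the Subject handed back by the "javax.security.auth.Subject.container" handler, which is exactly the discrepancy described in points 1a and 1b: a Subject holding the runAs role name rather than the configured runAs principal, or an empty Subject, will make the policy decision differ from what the deployment descriptors intend.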

_______________________________________________
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user