[JBoss-user] [Security JAAS/JBoss] - Re: Roles dependent on username and a company.

2004-07-15 Thread ceasaros
Thanks for all your help, but I already read that topic and applied it to my own 
LoginModule.

I will try to be more clear now:
This is the isMember(Principal member) method I wrote in my custom Group class.

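  | import java.security.Principal;
  | import java.security.acl.Group;
  | import java.util.Enumeration;
  | import java.util.Iterator;
  | import java.util.Set;
  | import javax.security.auth.Subject;
  | import org.jboss.security.SecurityAssociation;
  | 
  | public class MyGroup extends MyPrincipal implements Group {
  | 
  |    ...
  | 
  |    public boolean isMember(Principal member) {
  |       // The company is read from the caller principal of the current Subject
  |       MyPrincipal callerPrincipal = getCallerPrincipal(SecurityAssociation.getSubject());
  |       if (callerPrincipal == null) {
  |          return false; // no caller principal available: deny
  |       }
  |       String company = callerPrincipal.getCompany();
  |       if (com1.equals(company)) {
  |          return members.contains(member);
  |       }
  |       return false;
  |    }
  | 
  |    // Returns the MyPrincipal held in the Subject's "CallerPrincipal" group, or null
  |    private MyPrincipal getCallerPrincipal(Subject subject) {
  |       if (subject == null) {
  |          return null;
  |       }
  |       Set subjectGroups = subject.getPrincipals(Group.class);
  |       Iterator iter = subjectGroups.iterator();
  |       while (iter.hasNext()) {
  |          Group grp = (Group) iter.next();
  |          String name = grp.getName();
  |          if (name.equals("CallerPrincipal")) {
  |             Enumeration members = grp.members();
  |             if (members.hasMoreElements()) {
  |                Principal principal = (Principal) members.nextElement();
  |                if (principal instanceof MyPrincipal) {
  |                   return (MyPrincipal) principal;
  |                }
  |             }
  |          }
  |       }
  |       return null;
  |    }
  | 
  |    ...
  | 
  | }
  | 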

This works fine but what I don't like in my code is the way I retrieve the current 
Subject.
SecurityAssociation.getSubject()
It would be nice to let the JAAS implementation of JBoss handle this.
My quote in the first message of this topic:
anonymous wrote : 
  | I can think of 2 other ways but don't know how to configure/program them:
  | 1) The Subject contains an authenticated user and for every company the Subject 
  | contains a different Roles-group. And only the Roles-group the user is currently 
  | interested in is checked if it contains the right role.
  | Or
  | 2) For every user/company combination a different Subject is created containing 
  | the correct Roles.
  | 

Another thing I don't like in my solution is that I use javax.servlet.Filter to add 
the company to my MyPrincipal. The problem here is that the authentication / 
authorization is handled before the filter is applied to the request. This results in 
a situation where I have to do a second authorization step (request) to check if the 
user is really authorized to see the resource.

Maybe the only solution is to write my own JAAS implementation, but I would like to 
make as much use as possible of the existing JAAS implementation in JBoss. I don't 
want to reinvent the wheel.

I hope you can understand me better now and maybe have a good idea; otherwise I will 
stay with my current implementation and get used to the drawbacks.

Thanks a lot, Cees van Wieringen.

View the original post : 
http://www.jboss.org/index.html?module=bbop=viewtopicp=3842178#3842178

___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
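
Option 1 from the quoted first message (one role set per company inside a single Subject), sketched as an added example that is not code from the thread or from JBoss. CompanyRoles, isCallerInRole and the sample companies and roles are hypothetical names; the check takes the company as an explicit argument instead of reading it from thread-local state, and it is separate from the container's own "Roles" group check.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

public class CompanyRolesDemo {

    /** Hypothetical principal: the roles one user holds within one company. */
    static final class CompanyRoles implements Principal {
        private final String company;
        private final Set<String> roles;
        CompanyRoles(String company, String... roles) {
            this.company = company;
            this.roles = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(roles)));
        }
        @Override public String getName() { return "Roles:" + company; }
        String getCompany() { return company; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    /** Fails closed: a missing subject, company, role or role set means "not in role". */
    static boolean isCallerInRole(Subject subject, String company, String role) {
        if (subject == null || company == null || role == null) {
            return false;
        }
        for (CompanyRoles cr : subject.getPrincipals(CompanyRoles.class)) {
            if (company.equals(cr.getCompany())) {
                return cr.hasRole(role);
            }
        }
        return false; // the login step loaded no role set for this company
    }

    public static void main(String[] args) {
        // Constructed sample data: one user with different roles in two companies.
        Subject subject = new Subject();
        subject.getPrincipals().add(new CompanyRoles("com1", "admin", "viewer"));
        subject.getPrincipals().add(new CompanyRoles("com2", "viewer"));
        subject.setReadOnly(); // role sets cannot be altered after login

        System.out.println(isCallerInRole(subject, "com1", "admin"));
        System.out.println(isCallerInRole(subject, "com2", "admin"));
        System.out.println(isCallerInRole(subject, "com3", "viewer"));
        System.out.println(isCallerInRole(subject, null, "viewer"));
    }
}
```

Because the company value arrives with the request, it only selects among role sets that the login step already attached to the Subject; a company the user does not belong to, or no company at all, yields false.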


[JBoss-user] [Security JAAS/JBoss] - Re: Roles dependent on username and a company.

2004-07-14 Thread pnevado
I have a problem similar to yours and I resolved it by just modifying the query used for 
getting roles in the login-config.xml/DatabaseServerLoginModule.


  | <module-option name="rolesQuery">select id_servicio, 'Roles' from bd.registro 
  | where id_usuario=? AND id_website=1 AND (fecha_fin = NOW() OR fecha_fin IS 
  | NULL)</module-option>
  | 

View the original post : 
http://www.jboss.org/index.html?module=bbop=viewtopicp=3841976#3841976



[JBoss-user] [Security JAAS/JBoss] - Re: Roles dependent on username and a company.

2004-07-14 Thread ceasaros
Thank you for your reply, but for me this isn't the solution, because I have a dynamic 
company. In your solution only the 'id_usuario' can be replaced; what I would like to 
have is a database query like this:

select roles from userroles where userid=? AND company=?

In this query both userid and company have to be inserted into the query, and in the 
DatabaseServerLoginModule only the userid (principal name) gets inserted.


View the original post : 
http://www.jboss.org/index.html?module=bbop=viewtopicp=3842103#3842103



[JBoss-user] [Security JAAS/JBoss] - Re: Roles dependent on username and a company.

2004-07-14 Thread ceasaros
That's correct, I wrote my own getRoleSets() and I can get all the roles for every 
company for that user, but when the user's authorization is checked, the boolean 
isMember(Principal member) method of the Group is called; here is where I need to 
check if the user has the correct role for that company. I only know which role is 
needed, but I don't know for which company the role is required. Simply said, I would 
like to have something like: 
boolean isMember(Principal member, String company) 
but that's not possible, because JAAS doesn't support it :-).

I also already have a solution (see my first message at the top of this topic), but 
it's not a nice one in my opinion. I'm looking to see if somebody knows a better way 
to achieve my goal. 

In my solution I modified the isMember method in MyGroup and retrieve the current 
Subject that is trying to authenticate, and from this subject I retrieve the 
CallerPrincipal in which I placed the company (in the Tomcat environment using a 
Filter) the current user is interested in. Still this isn't 100% correct, because the 
authentication/authorization is performed first, and after this has succeeded the 
filter is applied to the request; the result is that only the second time a user is 
authorized can I retrieve the company name.




View the original post : 
http://www.jboss.org/index.html?module=bbop=viewtopicp=3842121#3842121



[JBoss-user] [Security JAAS/JBoss] - Re: Roles dependent on username and a company.

2004-07-14 Thread rimmeraj
OK, I think I get it now. The same user can be in multiple companies?
If you kept the same solution but used a custom principal that contained all of the 
companies of the principal, then you would just have to check to see if the company 
was contained in the principal. See the thread about Custom Principals about 3 weeks back.

View the original post : 
http://www.jboss.org/index.html?module=bbop=viewtopicp=3842145#3842145



[JBoss-user] [Security JAAS/JBoss] - Re: Roles dependent on username and a company.

2004-07-14 Thread rimmeraj
If you wrote your own custom LoginModule, did you not write your own 
protected Group[] getRoleSets()?

That would allow you the query you wish.


View the original post : 
http://www.jboss.org/index.html?module=bbop=viewtopicp=3842105#3842105
