Re: [JBoss-user] Security in Jboss ( JaasSecurityManager ) - question to developers. Maybe RFE

2001-06-30 Thread Scott M Stark

I'll look into supporting this use case.

> 
> I think JAAS security manager definitely needs some
> change. Let's assume a situation where the call comes
> with principal "null" and credential "null" - this can
> be ( and is in my context ) a legitimate user, with
> some roles defined.
> 
> My login module authenticates him, assigns roles and
> updates the subject.  This subject is returned to
> JaasSecurityManager, and it's happy. When it's happy
> it saves subject information into the cache. With a funny
> key of "null" - which was my original principal.
> 
> After the successful authentication phase comes
> authorization ( doesUserHaveRole() ), where it
> tries to look up cached authentication information
> using the "null" principal - and of course fails, despite
> the fact that my login module said OK to this.
> 
> I propose to add separate storage for "null" principal
> authentication data.
> 
> For now I did a quick fix - tweaking the principal from
> "null" to SimplePrincipal("nobody") and everything
> works so far...
> regards,
> 



___
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user



Re: [JBoss-user] Security in Jboss ( JaasSecurityManager ) - question to developers. Maybe RFE

2001-06-30 Thread Konstantin Priblouda

--- Scott M Stark <[EMAIL PROTECTED]> wrote:
> The only issue with this is that the
> JaasSecurityManager is not considered
> a public API for which compatibility between
> releases is a consideration.
> Your subclass of JaasSecurityManager may not work in
> later releases.
> The public API for use with JaasSecurityManager is
> simply the JAAS
> login module api.


I think JAAS security manager definitely needs some
change. Let's assume a situation where the call comes
with principal "null" and credential "null" - this can
be ( and is in my context ) a legitimate user, with
some roles defined.

My login module authenticates him, assigns roles and
updates the subject.  This subject is returned to
JaasSecurityManager, and it's happy. When it's happy
it saves subject information into the cache. With a funny
key of "null" - which was my original principal.

After the successful authentication phase comes
authorization ( doesUserHaveRole() ), where it
tries to look up cached authentication information
using the "null" principal - and of course fails, despite
the fact that my login module said OK to this.

I propose to add separate storage for "null" principal
authentication data.

For now I did a quick fix - tweaking the principal from
"null" to SimplePrincipal("nobody") and everything
works so far...
regards,


=
Konstantin Priblouda ( ko5tik )Freelance Software developer
< http://www.pribluda.de > < play java games -> http://www.yook.de >
< render charts online -> http://www.pribluda.de/povray/ >

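The cache behaviour described in the message above (the subject is cached under a "null" principal, and the authorization lookup then fails because the credential is also null), worked through as an added example. This is not code from the thread and not JBoss's JaasSecurityManager; the class and method names (AuthenticationCache, lookup, credentialsMatch, NamePrincipal) are this example's own. It gives the null principal a slot of its own, as the message proposes, and compares credentials without ever dereferencing a null one.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;

/**
 * Toy authentication cache (example code, not JBoss's JaasSecurityManager).
 * Entries are keyed by principal name; a caller that presented no principal
 * at all gets a slot of its own instead of a null Map key, so the authorization
 * lookup for such a caller finds what the login module produced.
 */
public final class AuthenticationCache {

    private static final class Entry {
        final Object credential;   // credential presented at login; null for an unauthenticated caller
        final Subject subject;     // subject the login module populated (principal + roles)
        Entry(Object credential, Subject subject) { this.credential = credential; this.subject = subject; }
    }

    private final Map<String, Entry> byName = new HashMap<String, Entry>();
    private Entry anonymousEntry;   // separate storage for the "null" principal

    /** Record a successful authentication. */
    public void put(Principal principal, Object credential, Subject subject) {
        if (principal == null) anonymousEntry = new Entry(credential, subject);
        else byName.put(principal.getName(), new Entry(credential, subject));
    }

    /**
     * Return the cached subject if the presented credential matches the one the
     * entry was created with, otherwise null (the caller must run the login module again).
     * Unlike a bare subjectCredential.getClass().isAssignableFrom(credential.getClass()),
     * this never dereferences a null credential.
     */
    public Subject lookup(Principal principal, Object credential) {
        Entry e = (principal == null) ? anonymousEntry : byName.get(principal.getName());
        if (e == null) return null;
        return credentialsMatch(e.credential, credential) ? e.subject : null;
    }

    /**
     * Null-safe credential comparison. Two nulls match (the unauthenticated caller);
     * null against non-null never matches, so a cached anonymous entry cannot be
     * claimed by a caller that presents a password, nor a real user's entry by a
     * caller presenting nothing. String, char[] and byte[] are compared by content
     * in constant time; other types fall back to equals().
     */
    static boolean credentialsMatch(Object cached, Object presented) {
        if (cached == null || presented == null) return cached == presented;
        byte[] a = toBytes(cached);
        byte[] b = toBytes(presented);
        if (a == null || b == null) return cached.equals(presented);
        return MessageDigest.isEqual(a, b);
    }

    private static byte[] toBytes(Object credential) {
        if (credential instanceof char[]) return new String((char[]) credential).getBytes(StandardCharsets.UTF_8);
        if (credential instanceof String) return ((String) credential).getBytes(StandardCharsets.UTF_8);
        if (credential instanceof byte[]) return (byte[]) credential;
        return null;
    }

    /** Minimal Principal for the walk-through; JBoss users would use org.jboss.security.SimplePrincipal. */
    private static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Constructed walk-through of the scenario from the thread. */
    public static void main(String[] args) {
        AuthenticationCache cache = new AuthenticationCache();
        Subject anonymous = new Subject();   // what the login module returns for principal null / credential null
        Subject alice = new Subject();
        cache.put(null, null, anonymous);                       // first invocation by the unauthenticated caller
        cache.put(new NamePrincipal("alice"), "secret", alice);

        // second invocation by the same unauthenticated caller: must reach the anonymous slot
        System.out.println("null/null      hit=" + (cache.lookup(null, null) == anonymous));
        // no principal but a password: must not be handed the anonymous subject
        System.out.println("null/guess     hit=" + (cache.lookup(null, "guess") == anonymous));
        // char[] presented against a String cached at login: compared by content
        System.out.println("alice/char[]   hit=" + (cache.lookup(new NamePrincipal("alice"), "secret".toCharArray()) == alice));
        System.out.println("alice/wrong    hit=" + (cache.lookup(new NamePrincipal("alice"), "wrong") == alice));
    }
}
```

The point of the null-against-non-null rule is the one a cache for unauthenticated callers most needs: once an anonymous subject is cached, a caller who sends no principal but does send a password must still be sent back to the login module rather than inheriting the "nobody" entry, and the reverse holds for a real user's cached entry.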



Re: [JBoss-user] Security in Jboss ( JaasSecurityManager ) - question to developers. Maybe RFE

2001-06-29 Thread Scott M Stark

The only issue with this is that the JaasSecurityManager is not considered
a public API for which compatibility between releases is a consideration.
Your subclass of JaasSecurityManager may not work in later releases.
The public API for use with JaasSecurityManager is simply the JAAS
login module api.

- Original Message - 
From: "Konstantin Priblouda" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 29, 2001 9:59 AM
Subject: Re: [JBoss-user] Security in Jboss ( JaasSecurityManager ) - question to developers. Maybe RFE


> 
> --- Scott M Stark <[EMAIL PROTECTED]> wrote:
> > What you're doing is correct, that is just a bug in
> > the handling of the null
> > credential. I have fixed this in main.
> > 
> > In 2.4 there is an ability to set the principal of
> > an unauthenticated user,
> > but you cannot assign roles to it. It is not for
> > allowing unauthenticated
> > users access to secured beans. Rather it is for
> > assigning the principal
> > an unsecured bean would see by obtaining the caller
> > principal when
> > called by an unauthenticated user.
> > 
> > You could come up with a generic
> > UnauthenticatedLoginModule that
> > would allow for the specification of the principal
> > and roles that could
> > be inserted into a domain's login configuration when
> > unauthenticated
> > users should be given default capabilities.
> 
> I looked at the issue today. What I need is a weird
> dead authentication schema. ( Big banks like a lot of
> security :) )
> 
> Due to the complexity of password and principal
> management, I'd like to handle login via a session bean.
> ( I have different kinds of users, where different
> login contexts ( web contexts ) could possibly have
> the same login names. )
> 
> So I have a principal bean which manages passwords and
> is the user ID, and of course a couple of beans mapping it
> to login names.
> 
> Authentication from the web context will be done through
> a session bean (and this will be a different context
> than the EJB security context), and because all beans
> require at least some role to be accessed,
> I will subclass the JAAS security manager to give role
> "nobody" even without any credentials/principals
> ( what happens when an unauthenticated web user tries to
> access a bean )
> 
> Login modules which are used to authenticate web users
> will modify the principal to hold the ID of the principal bean,
> and this ID along with the password will be propagated
> to the EJB security context on EJB invocation.
> 
> Then it will be checked by another login module.
> 
> Do you see any problems with such a setup?
> 
> After all I'll try to write a short tutorial...
> 
> regards,
> 
> 
> =
> Konstantin Priblouda ( ko5tik )Freelance Software developer
> < http://www.pribluda.de > < play java games -> http://www.yook.de >
> < render charts online -> http://www.pribluda.de/povray/ >
> 






Re: [JBoss-user] Security in Jboss ( JaasSecurityManager ) - question to developers. Maybe RFE

2001-06-29 Thread Konstantin Priblouda


--- Scott M Stark <[EMAIL PROTECTED]> wrote:
> What you're doing is correct, that is just a bug in
> the handling of the null
> credential. I have fixed this in main.
> 
> In 2.4 there is an ability to set the principal of
> an unauthenticated user,
> but you cannot assign roles to it. It is not for
> allowing unauthenticated
> users access to secured beans. Rather it is for
> assigning the principal
> an unsecured bean would see by obtaining the caller
> principal when
> called by an unauthenticated user.
> 
> You could come up with a generic
> UnauthenticatedLoginModule that
> would allow for the specification of the principal
> and roles that could
> be inserted into a domain's login configuration when
> unauthenticated
> users should be given default capabilities.

I looked at the issue today. What I need is a weird
dead authentication schema. ( Big banks like a lot of
security :) )

Due to the complexity of password and principal
management, I'd like to handle login via a session bean.
( I have different kinds of users, where different
login contexts ( web contexts ) could possibly have
the same login names. )

So I have a principal bean which manages passwords and
is the user ID, and of course a couple of beans mapping it
to login names.

Authentication from the web context will be done through
a session bean (and this will be a different context
than the EJB security context), and because all beans
require at least some role to be accessed,
I will subclass the JAAS security manager to give role
"nobody" even without any credentials/principals
( what happens when an unauthenticated web user tries to
access a bean )

Login modules which are used to authenticate web users
will modify the principal to hold the ID of the principal bean,
and this ID along with the password will be propagated
to the EJB security context on EJB invocation.

Then it will be checked by another login module.

Do you see any problems with such a setup?

After all I'll try to write a short tutorial...

regards,


=
Konstantin Priblouda ( ko5tik )Freelance Software developer
< http://www.pribluda.de > < play java games -> http://www.yook.de >
< render charts online -> http://www.pribluda.de/povray/ >




Re: [JBoss-user] Security in Jboss ( JaasSecurityManager ) - question to developers. Maybe RFE

2001-06-28 Thread Scott M Stark

What you're doing is correct, that is just a bug in the handling of the null
credential. I have fixed this in main.

In 2.4 there is an ability to set the principal of an unauthenticated user,
but you cannot assign roles to it. It is not for allowing unauthenticated
users access to secured beans. Rather it is for assigning the principal
an unsecured bean would see by obtaining the caller principal when
called by an unauthenticated user.

You could come up with a generic UnauthenticatedLoginModule that
would allow for the specification of the principal and roles that could
be inserted into a domain's login configuration when unauthenticated
users should be given default capabilities.

- Original Message - 
From: "Konstantin Priblouda" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 28, 2001 11:07 AM
Subject: [JBoss-user] Security in Jboss ( JaasSecurityManager ) - question to developers. Maybe RFE


> Hi all,
> 
> I am trying to implement declarative security using JBoss.
> The basic idea is to allow unauthenticated access to beans
> placed under a security domain.
> ( and those beans have to be secured )
> 
> When I attempt access from the web context ( or a client ),
> the container tries to authenticate.
> ( principal and credential are of course null )
> 
> I wrote a login module, which authenticates as
> principal [say] "nobody" with assigned role "nobody"
> under such conditions.
> 
> Everything goes fine on the first bean invocation.
> JaasSecurityManager also updates the authentication cache.
> 
> 
> On the second invocation there is a problem -
> the authentication cache is there, so isValid() tries
> to find the information in the cache. And it barfs exactly
> here:
> 
> if(subjectCredential.getClass().isAssignableFrom(credential.getClass())
> == false )
> ( well , credential is null )
> 
> And here comes the question:
> Is it possible to have some kind of "default"
> principal under a "default" role? With configurable behaviour?
> Or is there a better way to do this?
> (disabling the security domain on beans is not an option)
> 
> I will patch JaasSecurityManager to my needs for now.
> Interested people shall ask for source.
> 
> tia,
> 



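The login module the original question describes (a caller with null principal and null credential authenticated as principal "nobody" with role "nobody") and Scott's suggestion of a generic UnauthenticatedLoginModule with configurable principal and roles, worked through as an added example. This is not code from the thread or from JBoss: it implements the standard JAAS LoginModule SPI, and the option names unauthenticatedIdentity and unauthenticatedRoles, the NamePrincipal and RolesGroup classes, and the run() helper are this example's own. It assumes the container's callback handler hands the module a null name and a null password for such a caller, and it assumes JBoss's convention of reading roles from a java.security.acl.Group named "Roles" among the Subject's principals (JBoss users would use org.jboss.security.SimplePrincipal and SimpleGroup). java.security.acl.Group was removed in JDK 14, so this compiles on JDK 8 through 13.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Example JAAS login module (not JBoss's code) for callers with NO name and NO
 * password: they get a configurable default principal and roles. A caller that
 * presents a name or a password is not handled here; login() returns false
 * ("ignore this module") so another module in the login configuration has to
 * authenticate it, and the default identity is never granted to a caller who
 * presented wrong credentials. Options (names chosen for this example):
 * unauthenticatedIdentity (default "nobody"), unauthenticatedRoles (comma-separated, default "nobody").
 */
public class UnauthenticatedLoginModule implements LoginModule {

    /** Minimal Principal, equal by name (stand-in for org.jboss.security.SimplePrincipal). */
    static class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof NamePrincipal && name.equals(((NamePrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    /** Role container. Assumed JBoss convention: a Group named "Roles" among the Subject's principals. */
    static final class RolesGroup extends NamePrincipal implements Group {
        private final Set<Principal> members = new HashSet<Principal>();
        RolesGroup() { super("Roles"); }
        public boolean addMember(Principal p) { return members.add(p); }
        public boolean removeMember(Principal p) { return members.remove(p); }
        public boolean isMember(Principal p) { return members.contains(p); }
        public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
        @Override public String toString() { return "Roles" + members; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String identity = "nobody";
    private String[] roles = { "nobody" };
    private boolean loginOk;

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        if (options.containsKey("unauthenticatedIdentity")) identity = String.valueOf(options.get("unauthenticatedIdentity"));
        if (options.containsKey("unauthenticatedRoles")) roles = String.valueOf(options.get("unauthenticatedRoles")).split("\\s*,\\s*");
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        char[] password = pc.getPassword();
        pc.clearPassword();
        // The unauthenticated case is exactly "no name AND no password"; anything else is another module's job.
        loginOk = (nc.getName() == null && password == null);
        return loginOk;
    }

    public boolean commit() {
        if (!loginOk) return false;
        RolesGroup group = new RolesGroup();
        for (String role : roles) if (!role.isEmpty()) group.addMember(new NamePrincipal(role));
        subject.getPrincipals().add(new NamePrincipal(identity));
        subject.getPrincipals().add(group);
        return true;
    }

    public boolean abort() { loginOk = false; return true; }

    public boolean logout() {
        subject.getPrincipals().remove(new NamePrincipal(identity));
        subject.getPrincipals().remove(new RolesGroup());   // equal by name, see NamePrincipal.equals
        return abort();
    }

    /** Two constructed callers: null name and null password, then a name with a password. */
    public static void main(String[] args) throws LoginException {
        Map<String, String> opts = new HashMap<String, String>();
        opts.put("unauthenticatedRoles", "nobody, guest");
        System.out.println("null/null      -> " + run(opts, null, null).getPrincipals());
        System.out.println("alice/password -> " + run(opts, "alice", "secret".toCharArray()).getPrincipals());
    }

    static Subject run(Map<String, ?> opts, final String name, final char[] password) throws LoginException {
        Subject s = new Subject();
        CallbackHandler h = callbacks -> {   // stands in for the container's callback handler
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(name);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
        UnauthenticatedLoginModule m = new UnauthenticatedLoginModule();
        m.initialize(s, h, new HashMap<String, Object>(), opts);
        if (m.login()) m.commit(); else m.abort();
        return s;
    }
}
```

In a stacked login configuration this module would be listed as "sufficient" ahead of the module that checks real credentials: the anonymous caller is satisfied here and stops, while a caller with a name or password falls through to the real check because login() declined rather than failed. Returning false instead of throwing matters for that fall-through, and keeping the "null name AND null password" condition strict is what prevents a caller with a wrong password from being downgraded to "nobody" instead of rejected.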