Hi,

I guess with "run-as semantics" you mean the run-as elements in web.xml and ejb-jar.xml?

I was writing rather from the view of Subject.doAs() semantics, which I tried to emulate, and from this view I found it odd that the new Subject didn't become immediately active. I checked with WebLogic Server 10.3: with weblogic.security.Security.runAs(subject, new PrivilegedAction()) the new Subject is immediately active in the Action. I guess this would be the same with Big WebSphere's WSSubject.doAs(), but I cannot check.

So I'd like it if https://issues.apache.org/jira/browse/GERONIMO-4765 would be implemented with the same semantics as WLS or WAS.

Thanks,
Juergen


djencks wrote:
>
> On Jul 28, 2009, at 4:02 AM, Juergen Weber wrote:
>
>> Hi,
>>
>> I found that if the code between pushNextCaller and popCallers still runs
>> with the previous Subject, i.e.
>>
>>     // point A
>>     Callers oldCallers = ContextManager.pushNextCaller(subject);
>>     // point B
>>     System.out.println("getCurrentCaller(): " +
>>         ContextManager.getCurrentCaller());
>>     System.out.println("Subject.getSubject: " +
>>         Subject.getSubject(ContextManager.getCurrentContext()));
>>     ContextManager.popCallers(oldCallers);
>>
>> the println() outputs at B give the same Subject as at A; the pushed subject
>> is not active until the next called EJB. Being used to the doAs() semantics,
>> this is kind of surprising...
>>
>> Would it be possible to change the behaviour to get the new Subject
>> immediately active?
>
> This stuff is definitely weird and confusing, but is there to support
> run-as semantics. Run-as is not explained very well in any spec I've
> seen, but after long study I think it's supposed to work like this:
>
> Start with identity A.
>
> Call component C1, which is configured with run-as identity B.
>
> When you call C1, or ask isUserInRole() in C1, or getUserPrincipal/
> getCallerPrincipal in C1, the answer is derived from A.
>
> If, in C1, you call a further component C2, the permissions for the
> operation you want to do, isUserInRole, getUser/CallerPrincipal in C2
> are all determined from the run-as identity B.
>
> So, ContextManager.push sets up the run-as identity the next component
> to be called will use.
>
> So unless you can convince me my understanding of run-as identities is
> wrong, we aren't going to change how the push/pop stuff works. It
> really isn't intended for use by applications.
>
> On the other hand, if you want to immediately execute under another
> identity you can set both the subjects the context manager tracks
> using setCallers. Be sure to restore the previous state when you are
> done.
>
> thanks
> david jencks
>
>> Thanks,
>> Juergen
>>
>>
>> Juergen Weber wrote:
>>>
>>> djencks wrote:
>>>>
>>>> Geronimo uses the AccessControlContext for the Subject to evaluate
>>>> security decisions. So, you need to get Geronimo to compute and store
>>>> this ACC for you.
>>>> [..]
>>>
>>> Well, the method name pushNextCaller suggests that it would do that.
>>> Anyway, with the code below it works now.
>>>
>>> This code should be in Geronimo itself; I created GERONIMO-4765.
>>>
>>> Thanks,
>>> Jürgen
>>>
>>>
>>>     SimpleCallbackHandler handler = new SimpleCallbackHandler(
>>>         user, password.toCharArray());
>>>
>>>     LoginContext lc = new LoginContext("geronimo-admin", handler);
>>>     lc.login();
>>>
>>>     Subject subject = lc.getSubject();
>>>     System.out.println("lc.getSubject: " + subject);
>>>
>>>     ContextManager.registerSubject(subject);
>>>     Callers oldCallers = ContextManager.pushNextCaller(subject);
>>>     try
>>>     {
>>>         s1 = secured3Bean.secureMethod(input);
>>>     }
>>>     finally
>>>     {
>>>         ContextManager.popCallers(oldCallers);
>>>     }
>>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/NPE-in-ContextManager.getCurrentContext-tp24645453s134p24697077.html
>> Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
>

--
View this message in context: http://www.nabble.com/NPE-in-ContextManager.getCurrentContext-tp24645453s134p24755733.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
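The run-as chain David describes (identity A calls C1, which is configured to run as B and itself calls C2) and the difference at point B between pushNextCaller and setCallers, as an added toy model written for this thread. It is not Geronimo's ContextManager: ContextModel, call_component and the identity names are constructed stand-ins that only mirror the (current caller, next caller) pair the reply describes.

```python
# Constructed toy model of the caller-propagation semantics discussed in this thread; not
# Geronimo's code. It tracks (identity authorization uses now, identity the next component runs as).
from typing import Callable, Dict, Optional, Tuple

class ContextModel:
    def __init__(self, initial: str) -> None:
        self._callers: Tuple[str, str] = (initial, initial)
    def get_current_caller(self) -> str:
        return self._callers[0]
    def push_next_caller(self, run_as: str) -> Tuple[str, str]:
        """Deferred: only the next component sees run_as; the old pair is returned."""
        old = self._callers
        self._callers = (old[0], run_as)
        return old
    def set_callers(self, current: str, nxt: str) -> Tuple[str, str]:
        """Immediate (doAs-like): both tracked identities change right now."""
        old = self._callers
        self._callers = (current, nxt)
        return old
    def pop_callers(self, old: Tuple[str, str]) -> None:
        self._callers = old  # the caller is responsible for restoring the previous state
    def call_component(self, run_as: Optional[str], body: Callable[["ContextModel"], None]) -> None:
        # Component boundary: the pending next caller becomes current; the component's run-as (if any) is what its callees see.
        old = self._callers
        self._callers = (old[1], run_as or old[1])
        try:
            body(self)
        finally:
            self._callers = old

def run_as_chain() -> Dict[str, str]:
    ctx, seen = ContextModel("A"), {}
    def c2(m): seen["C2"] = m.get_current_caller()
    def c1(m):
        seen["C1"] = m.get_current_caller()
        m.call_component(None, c2)
    ctx.call_component("B", c1)  # C1 is configured with run-as B
    return seen  # {'C1': 'A', 'C2': 'B'}: C1 still sees A, only C2 runs as B

def push_vs_set() -> Dict[str, str]:
    """Point B of the quoted snippet: push leaves the caller unchanged, set_callers does not."""
    ctx, out = ContextModel("A"), {}
    old = ctx.push_next_caller("S")
    out["after_push"] = ctx.get_current_caller()
    ctx.pop_callers(old)
    old = ctx.set_callers("S", "S")
    out["after_set"] = ctx.get_current_caller()
    ctx.pop_callers(old)
    out["restored"] = ctx.get_current_caller()
    return out  # {'after_push': 'A', 'after_set': 'S', 'restored': 'A'}
```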