On Apr 22, 2008, at 6:45 AM, maho77 wrote:


Hello,
I have a standalone client, no jee-application client. Now I want to login to the server using JAAS, which works until now. But the only principal I
get from the subject is a server principal. But I need all
GeronimoGroupPrincipals and GeronimoUserPrincipals of the authenticated user
in the subject on my client, to enable or disable UI elements. I
investigated in the source code but found no solution for this. Is it
possible to get the GeronimoPrincipals to the client or can I get the server
subject in any way?

Currently I have a bean that does the same as the corresponding SQLRealm. It provides the user and group depending on the user that is currently logged
in. But I want to avoid this solution.

Can you give me a hint?

Well, I kind of hope you can't get the server side Subject into your client :-). Could I suggest that doing so might not be appropriate from a security standpoint? You don't really know what other sensitive info might have been added to the Subject. Also, I think you would be tying your client to a particular login module which might not be an appropriate coupling.

What I would suggest considering is to have a server component (ejb?) that maps the principals in the Subject to a set of (String) roles that are sent back to the client, and that you base the UI stuff on these roles. It's pretty silly that there isn't a getUserRoles() call in the ee specs but that is what we have to live with now. Anyway I think this would prevent accidentally sending sensitive info to the client, and provide some decoupling between the specific login module you happen to be using now and your client.

There might be something I've overlooked here, so feel free to try to change my mind :-)

thanks
david jencks
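The server-side component suggested above, as an added illustration that is not code from the thread or from Geronimo itself. It assumes an EJB 3 stateless session bean (Geronimo 2.x supports this) with a remote interface the standalone client can call; the role names, the bean and interface names, and the use of the fully qualified class name of GeronimoGroupPrincipal as a filter are assumptions. Only role strings leave the server; the Subject, with whatever credentials or private state a login module may have put in it, stays where it is.

```java
import java.security.Principal;
import java.util.Set;
import java.util.TreeSet;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.security.auth.Subject;

// In a real project the interface and the bean live in separate source files.
// The remote interface is the only thing the standalone client links against,
// so the client is decoupled from the login module used on the server.
@Remote
interface RoleLookupRemote {
    Set<String> getCallerRoles();
}

// Hypothetical bean: maps the server-side caller identity to a plain set of
// role names. The role list is illustrative.
@Stateless
@DeclareRoles({ "admin", "operator", "viewer" })
public class RoleLookupBean implements RoleLookupRemote {

    // Roles the UI is allowed to learn about. Declared on the server so the
    // client never needs to know principal classes or anything else in the Subject.
    private static final String[] KNOWN_ROLES = { "admin", "operator", "viewer" };

    @Resource
    private SessionContext ctx;

    // Preferred form: ask the container, via the standard EJB API, which of the
    // known roles the authenticated caller holds. Nothing about the Subject is exposed.
    public Set<String> getCallerRoles() {
        Set<String> roles = new TreeSet<String>();
        for (String role : KNOWN_ROLES) {
            if (ctx.isCallerInRole(role)) {
                roles.add(role);
            }
        }
        return roles;
    }

    // Alternative when the realm's group principals are meant to be the roles:
    // keep only the names of GeronimoGroupPrincipal instances and drop every
    // other principal and all credentials. How the server-side Subject is
    // obtained is container-specific and is left to the caller of this method.
    // The class name is assumed to be the one Geronimo's SQL realm uses.
    static Set<String> groupNames(Subject subject) {
        final String groupClass =
            "org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal";
        Set<String> names = new TreeSet<String>();
        for (Principal p : subject.getPrincipals()) {
            if (groupClass.equals(p.getClass().getName())) {
                names.add(p.getName());
            }
        }
        return names;
    }
}
```

The client calls getCallerRoles() once after its JAAS login and enables or disables UI elements from the returned strings; because the check runs on the server, a client that fakes a role locally still cannot invoke a method it is not authorized for.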


Mark
--
View this message in context: http://www.nabble.com/JAAS-with-a-standalone-client-tp16824275s134p16824275.html Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.

