On Jun 18, 2009, at 5:28 AM, Juergen Weber wrote:
Hi,

I opened a JAAS LoginContext in a JSP (the JSP runs under <security-constraint>) and called an EJB using a PrivilegedAction with the resulting subject. It looks like the subject is not propagated to the EJB. Also it looks like the currently active web user cannot be gotten by JAAS. So, it looks like there is a separation between Container authority and JAAS.

Is that behaviour OK?

(The background of all this is we'd like to use <security-constraint> for the web app, but the EJB call should be with a technical user. Also, the EJB call is much deeper in the call stack than the authentication of the technical user, so the call should be in a PrivilegedAction with the subject bound.)
I don't understand exactly what you are trying to do, but maybe you want to authenticate in a JSP rather than using a built-in auth method? And then use the resulting Subject in container-managed authorization??

The way to do this is to use one of the ContextManager.login methods so your Subject gets registered with geronimo, and then tell geronimo to use your Subject with

    ContextManager.setCallers(subject, subject)

or if you want to imitate "run-as" functionality

    Callers oldCallers = ContextManager.pushSubject(subject);
    try {
        // do stuff
    } finally {
        ContextManager.popCallers(oldCallers);
    }

(hopefully I remembered the method names and sigs rightly)

hope this helps
david jencks
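To make the pattern above concrete, here is an added example (not code from the thread, and not Geronimo's own) that reworks the JSP fragment along the lines of David's reply. It assumes the ContextManager API exactly as he names it (pushSubject, popCallers, Callers, in org.apache.geronimo.security), which he himself hedges, plus a login(realm, callbackHandler) signature that is an assumption; SimpleCallbackHandler and Secured3 are treated as the poster's own application classes.

```java
import java.security.PrivilegedAction;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.geronimo.security.Callers;        // assumed package (names from David's reply)
import org.apache.geronimo.security.ContextManager; // assumed package (names from David's reply)

public class TechnicalUserCall {

    // Authenticate the technical user through Geronimo's ContextManager rather than a bare
    // new LoginContext(...), so the container knows about the Subject. The signature
    // login(realm, callbackHandler) -> LoginContext is an assumption; David only says
    // "one of the ContextManager.login methods".
    static Subject loginTechnicalUser(String realm, String user, char[] password)
            throws LoginException {
        LoginContext lc = ContextManager.login(realm, new SimpleCallbackHandler(user, password));
        return lc.getSubject();
    }

    // Run the EJB call as the technical user. pushSubject/popCallers switch the caller the
    // EJB container sees (the run-as imitation from David's reply); Subject.doAs also binds
    // the Subject to the AccessControlContext, which is what the inner
    // Subject.getSubject(...) in the JSP reads. The finally block restores the web user's
    // identity even when the call throws, so the technical identity cannot leak into later
    // work done on the same thread.
    static String callAsTechnicalUser(final Subject subject, final String arg) {
        Callers oldCallers = ContextManager.pushSubject(subject);
        try {
            return Subject.doAs(subject, new PrivilegedAction<String>() {
                public String run() {
                    try {
                        Secured3 bean = (Secured3) new InitialContext()
                                .lookup("java:comp/env/ejb/Secured3");
                        return bean.secureMethod(arg);
                    } catch (NamingException e) {
                        throw new IllegalStateException("EJB lookup failed", e);
                    }
                }
            });
        } finally {
            ContextManager.popCallers(oldCallers);
        }
    }
}
```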
Thanks,
Juergen
I have put some comments with the System.out output into the code:

    // JSP scriptlet fragment. Imports from java.security, javax.security.auth,
    // javax.security.auth.login and javax.naming are assumed; SimpleCallbackHandler
    // and Secured3 are application classes.
    Subject subjectjsp = Subject.getSubject(AccessController.getContext());
    System.out.println("JSP subject:" + subjectjsp);
    // JSP subject:null. Why isn't this the user logged in to the webapp?

    SimpleCallbackHandler handler = new SimpleCallbackHandler("tomcat", "tomcat".toCharArray());
    LoginContext loginCtx = new LoginContext("geronimo-admin", handler);
    loginCtx.login();
    Subject subject = loginCtx.getSubject();
    Set<Principal> principals = subject.getPrincipals();
    System.out.println("principals:" + principals);
    // principals:[tomcat, admin, tomcatgroup]

    PrivilegedAction<String> action = new PrivilegedAction<String>() {
        public String run() {
            Subject subject = Subject.getSubject(AccessController.getContext());
            System.out.println("inner subject:" + subject);
            // inner subject:Subject:
            //     Principal: tomcat
            //     Principal: admin
            //     Principal: tomcatgroup
            try {
                Context context = new InitialContext();
                Secured3 secured3 = (Secured3) context.lookup("java:comp/env/ejb/Secured3");
                String secureMethod = secured3.secureMethod("hello");
                System.out.println("secureMethod: " + secureMethod);
                // the "you are:" part is the bean's ctx.getCallerPrincipal():
                // secureMethod: Hello hello at Thu Jun 18 13:55:49 CEST 2009
                //   org.apache.openejb.core.stateless.statelesscont...@133b364 you are:
                //   org.apache.openejb.core.unauthenticatedprinci...@1884ac4
                // i.e. the EJB sees an unauthenticated caller, not the JAAS subject
                return secureMethod;
            } catch (NamingException e) {
                throw new RuntimeException(e);
            }
        }
    };
    // the posted fragment is cut off here; the call that produced the "inner subject"
    // output above is the subject-bound invocation of the action
    Subject.doAs(subject, action);
--
View this message in context: http://www.nabble.com/security-propagation-from-JAAS-context-to-EJB-question-tp24091806s134p24091806.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.