Apache Geronimo > Discussion Forums  User List | Dev List | Wiki | Issue Tracker  
Geronimo
 » 
Apache Geronimo - Users

 « Return to Thread: security propagation from JAAS context to EJB question

Re: security propagation from JAAS context to EJB question

by djencks :: Rate this Message:

Reply to Author | View in Thread


On Jun 18, 2009, at 1:08 PM, Juergen Weber wrote:

>
> David,
>
> yes, you understood right. I want the container to use the currently  
> active
> JAAS subject for the EJB call.
>
> But, I had hoped that the container automatically would use the  
> currently
> active JAAS subject.
> But this seems not be possible, as I have just found explained in this
> Websphere docs:
> http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/rsec_jaasauthor.html

That applies more to big was than geronmo/was ce....

However, my experience, in line with what I can understand from that  
article, is that the jdk Subject-thread association is extremely  
unreliable.  The last time I experimented with it a few years ago,  
Subject.doAs() worked OK but on return there was no Subject associated  
with the current thread.

In general I would try to always use the javaee security mechanisms  
and not try to do low-level JAAS security stuff in your app such as  
the Subject.doAs().  Mixing container managed and app managed security  
can be risky :-)

AFAIK every server uses its own ThreadLocal scheme to associate  
Subjects and threads.... geronimo's is the ContextManager.

thanks
david jencks

>
> Anyway, the API you gave, looks fine, but it seems to be
> ContextManager
> public static Callers pushNextCaller(Subject nextCaller)
>
> Thanks very much,
> Juergen
>
>
> djencks wrote:
>>
>>
>> On Jun 18, 2009, at 5:28 AM, Juergen Weber wrote:
>>
>>>
>>> Hi,
>>>
>>> I opened a JAAS LoginContext in a JSP (the JSP runs under
>>> <security-constraint>) and called an EJB using a PrivilegedAction
>>> with the
>>> resulting subject. It looks like the subject is not propagated to
>>> the EJB.
>>> Also it looks like the currently active web user cannot be gotten by
>>> JAAS.
>>> So, it looks like there is a separation between Container authority
>>> and
>>> JAAS.
>>>
>>> Is that behaviour OK?
>>>
>>> (the background of all this is we'd like to use <security-
>>> constraint> for
>>> the web app, but the EJB call be with a technical user. Also, the
>>> EJB call
>>> is much deeper in the call stack than the authentication of the
>>> technical
>>> user, so the call should be in a PrivilegedAction with the subject
>>> bound).
>>
>> I don't understand exactly what you are trying to do but maybe you
>> want to authenicate in a jsp rather than using a built in auth
>> method?  And then use the resulting Subject in container managed
>> authorization??
>>
>> The way to do this is to use one of the ContextManager.login methods
>> so your Subject gets registered with geronimo, and then tell geronimo
>> to use your Subject with
>>
>> ContextManager.setCallers(subject,subject)
>>
>> or if you want  to imitate "run-as" functionality
>>
>> Callers oldCallers = ContextManager.pushSubject(subject);
>> try {
>> //dostuff
>> } finally {
>>   ContextManager.popCallers(oldCallers);
>> }
>>
>> (hopefully I remembered the method names and sigs rightly)
>>
>> hope this helps
>>
>> david jencks
>>>
>>> Thanks,
>>> Juergen
>>>
>>> I have put some comments with System.out output into the code
>>>
>>> Subject subjectjsp =
>>> Subject.getSubject(AccessController.getContext());
>>> System.out.println("JSP subject:" + subjectjsp);
>>> // JSP subject:null. Why isn't this the user logged in to the  
>>> webapp?
>>>
>>> SimpleCallbackHandler handler = new
>>> SimpleCallbackHandler("tomcat","tomcat".toCharArray());
>>>
>>> LoginContext loginCtx = new LoginContext("geronimo-admin", handler);
>>> loginCtx.login();
>>> Subject subject = loginCtx.getSubject();
>>> Set<Principal> principals = subject.getPrincipals();
>>>
>>> System.out.println("principals:" + principals);
>>> // principals:[tomcat, admin, tomcatgroup]
>>>
>>> PrivilegedAction action = new PrivilegedAction() {
>>>
>>> public Object run()
>>> {
>>> Subject subject =  
>>> Subject.getSubject(AccessController.getContext());
>>>
>>> System.out.println("inner subject:" + subject);
>>> // inner subject:Subject:
>>>               //        Principal: tomcat
>>>               //        Principal: admin
>>>               //        Principal: tomcatgroup
>>>
>>> Context context;
>>> try
>>> {
>>> context = new InitialContext();
>>>
>>> Secured3 secured3 = (Secured3)
>>> context.lookup("java:comp/env/ejb/Secured3");
>>> String secureMethod = secured3.secureMethod("hello");
>>> System.out.println("secureMethod: " + secureMethod);
>>>
>>> // ctx.getCallerPrincipal():
>>> // secureMethod: Hello hello at Thu Jun 18 13:55:49 CEST 2009
>>> org.apache.openejb.core.stateless.StatelessContext@133b364 you are:
>>> org.apache.openejb.core.UnauthenticatedPrincipal@1884ac4
>>>
>>>
>>> --
>>> View this message in context:
>>> http://www.nabble.com/security-propagation-from-JAAS-context-to-EJB-question-tp24091806s134p24091806.html
>>> Sent from the Apache Geronimo - Users mailing list archive at
>>> Nabble.com.
>>>
>>
>>
>
> --
> View this message in context: http://www.nabble.com/security-propagation-from-JAAS-context-to-EJB-question-tp24091806s134p24099592.html
> Sent from the Apache Geronimo - Users mailing list archive at  
> Nabble.com.
>

 « Return to Thread: security propagation from JAAS context to EJB question

Free embeddable forum powered by Nabble Forum Help