Apache Geronimo > Discussion Forums  User List | Dev List | Wiki | Issue Tracker  
Apache
 » 
Geronimo
 » 
Apache Geronimo - Users

 « Return to Thread: security propagation from JAAS context to EJB question

security propagation from JAAS context to EJB question

by Juergen Weber :: Rate this Message:

Reply to Author | View in Thread

Hi,

I opened a JAAS LoginContext in a JSP (the JSP runs under <security-constraint>) and called an EJB using a PrivilegedAction with the resulting subject. It looks like the subject is not propagated to the EJB. Also it looks like the currently active web user cannot be gotten by JAAS.
So, it looks like there is a separation between Container authority and JAAS.

Is that behaviour OK?

(the background of all this is we'd like to use <security-constraint> for the web app, but the EJB call be with a technical user. Also, the EJB call is much deeper in the call stack than the authentication of the technical user, so the call should be in a PrivilegedAction with the subject bound).

Thanks,
Juergen

I have put some comments with System.out output into the code

Subject subjectjsp = Subject.getSubject(AccessController.getContext());
System.out.println("JSP subject:" + subjectjsp);
// JSP subject:null. Why isn't this the user logged in to the webapp?

SimpleCallbackHandler handler = new SimpleCallbackHandler("tomcat","tomcat".toCharArray());

LoginContext loginCtx = new LoginContext("geronimo-admin", handler);
loginCtx.login();
Subject subject = loginCtx.getSubject();
Set<Principal> principals = subject.getPrincipals();

System.out.println("principals:" + principals);
// principals:[tomcat, admin, tomcatgroup]

PrivilegedAction action = new PrivilegedAction() {

        public Object run()
        {
                Subject subject = Subject.getSubject(AccessController.getContext());
               
                System.out.println("inner subject:" + subject);
                // inner subject:Subject:
                //        Principal: tomcat
                //        Principal: admin
                //        Principal: tomcatgroup

                Context context;
                try
                {
                        context = new InitialContext();
                       
                        Secured3 secured3 = (Secured3) context.lookup("java:comp/env/ejb/Secured3");
                        String secureMethod = secured3.secureMethod("hello");
                        System.out.println("secureMethod: " + secureMethod);

                // ctx.getCallerPrincipal():
                // secureMethod: Hello hello at Thu Jun 18 13:55:49 CEST 2009 org.apache.openejb.core.stateless.StatelessContext@133b364 you are: org.apache.openejb.core.UnauthenticatedPrincipal@1884ac4

 « Return to Thread: security propagation from JAAS context to EJB question

Free embeddable forum powered by Nabble Forum Help