Ok, then this is my mistake. I assumed you were filling in the Subject with the principals, but as I re-read, I saw what you were saying, regarding the necessity to continue to call ContextManager.getServerSideSubject.

I have some code that Alan and I worked on in the JaasLoginCoordinator that populates the subject with the principals that I *think* does the "automagically" you referred to in the previous email. I had the JaasLoginService.serverLoginModuleCommit() return a Collection of Principals, and then I set these principals in the Subject in the JaasLoginCoordinator.ServerLoginModule.commit(), very similarly to the ClientLoginModule. So I believe that in the same JVM, this may do what you stated below. I have included the patch which we have come up with thus far. This is only for you guys to look at as I have not run the unit tests for this yet.

If I am off base here, please set me straight. I am new to this code and am just getting my feet wet in seeing what it's doing, so I may end up in a few dead ends.

Let me know if you would like me to continue down this path, and I can write the unit tests for it and submit the changes.

Jeff

Here is the patch:

Index: src/java/org/apache/geronimo/security/jaas/JaasLoginCoordinator.java
===================================================================
--- src/java/org/apache/geronimo/security/jaas/JaasLoginCoordinator.java (revision 106054)
+++ src/java/org/apache/geronimo/security/jaas/JaasLoginCoordinator.java (working copy)
@@ -210,7 +210,13 @@
}


         public boolean commit() throws LoginException {
-            return service.serverLoginModuleCommit(client, index);
+            Collection c =  service.serverLoginModuleCommit(client, index);
+            if (c == null)
+                return false;
+
+            subject.getPrincipals().addAll(c);
+
+            return true;
         }

public boolean abort() throws LoginException {
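Review bot: `return false` on a null collection in commit() changes what this module reports to the LoginContext: a false from a LoginModule's commit() means "ignore this module", but serverLoginModuleCommit now returns null both when the server-side commit returned false and when no Subject could be found, so the missing-Subject case is silently treated as an ignored module instead of an error. Consider having the service throw a LoginException for that case, or return an empty collection for "nothing to add", so the two outcomes stay distinguishable here. Note also that `subject.getPrincipals().addAll(c)` copies every principal the server returned, which, per the discussion below, may include RealmPrincipals even when the coordinator is connecting over the network rather than running in the server JVM.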
Index: src/java/org/apache/geronimo/security/jaas/JaasLoginService.java
===================================================================
--- src/java/org/apache/geronimo/security/jaas/JaasLoginService.java (revision 106054)
+++ src/java/org/apache/geronimo/security/jaas/JaasLoginService.java (working copy)
@@ -260,7 +260,7 @@
* once for each server-side login module that was processed before the
* overall authentication succeeded.
*/
- public boolean serverLoginModuleCommit(JaasClientId userIdentifier, int loginModuleIndex) throws LoginException {
+ public Collection serverLoginModuleCommit(JaasClientId userIdentifier, int loginModuleIndex) throws LoginException {
JaasSecurityContext context = (JaasSecurityContext) activeLogins.get(userIdentifier);
if(context == null) {
throw new ExpiredLoginModuleException();
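Review bot: the return type changes from boolean to Collection but the Javadoc in the context above is untouched; it should state what the collection holds (the principals of the server-side Subject after processPrincipals()) and when null is returned. The hunk does not show an import for `java.util.Collection` in this file; confirm it is present.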
@@ -270,8 +270,16 @@
}
JaasLoginModuleConfiguration module = context.getModules()[loginModuleIndex];
boolean result = module.getLoginModule(classLoader).commit();
+
+ if (!result)
+ return null;
+
context.processPrincipals();
- return result;
+ Subject s = context.getSubject();
+ if (s == null)
+ return null;
+
+ return s.getPrincipals();
}


/**
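Review bot: `return s.getPrincipals()` hands back the live principal set of the server-side Subject rather than a snapshot, and the two `return null` paths (module commit() returned false, Subject missing) look identical to the caller. Returning `new HashSet(s.getPrincipals())` gives callers, including any remote path through the MBean interface, a copy that does not alias the server's Subject, and since processPrincipals() has already run when `s == null` is checked, throwing a LoginException there is more accurate than reporting it as a failed commit. This also returns all principals, RealmPrincipals included; the thread below suggests withholding those unless the coordinator is in the same JVM as the server.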
Index: src/java/org/apache/geronimo/security/jaas/JaasLoginServiceMBean.java
===================================================================
--- src/java/org/apache/geronimo/security/jaas/JaasLoginServiceMBean.java (revision 106054)
+++ src/java/org/apache/geronimo/security/jaas/JaasLoginServiceMBean.java (working copy)
@@ -110,7 +110,7 @@
* once for each server-side login module that was processed before the
* overall authentication succeeded.
*/
- public boolean serverLoginModuleCommit(JaasClientId userIdentifier, int loginModuleIndex) throws LoginException;
+ public Collection serverLoginModuleCommit(JaasClientId userIdentifier, int loginModuleIndex) throws LoginException;


/**
* Indicates that the overall login succeeded. All login modules that were
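Review bot: the interface now returns a raw Collection; the Javadoc above should name the element type (java.security.Principal) and document that null signals a failed commit, since JaasLoginCoordinator relies on that. If this MBean interface is called across the network, as the discussion below contemplates, the returned principal objects also need to be serializable for the call to succeed.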


Aaron Mulder wrote:
On Mon, 22 Nov 2004, Jeff Genender wrote:

This is good...this should get the raw Tomcat JAASRealm to work for authorization. I just coded up a special JAASTomcatRealm that called the ContextManager.getServerSideSubject and now I can ditch it since it looks like the JaasLoginCoordinator is populating the subject.


I'm not sure you're right -- the JAASTomcatRealm should be using RealmPrincipals, which are not currently returned. I need to talk this over with Alan:

Alan D. Cabrera wrote:

I think that we should return the realm principals as well for all the
same reasons that we have realm principals in the first place.


Last time we talked you wanted to return everything except the RealmPrincipals... why the change of heart?

What if we change the JaasLoginCoordinator to load the RealmPrincipals if it is used within the same JVM as the server, but not if it connects over the network? That may be the best balance of "give other server components what they need" and "don't expose Geronimo security internals to clients".

Aaron
