Aaron,
Thanks for the reply. I took the JAASRealm code from Tomcat, and made a
Geronimo version which makes a call to ContextManager.getServerSideSubject
after obtaining the subject. I will test this when I get home tonight.
I am very interested in discussing the long-term approach with you, as I would
like to begin thinking in this direction.
Thanks for the input, it is appreciated.
Jeff
> Jeff,
> According to a conversation I just had with Alan, the other
> container modules use a method of authorization with JACC that doesn't
> require the containers to access all the principals. Basically, they just
> give JACC the Subject containing an IdentificationPrincipal (which you
> have), and our JACC implementation looks up the proper Subject and does
> the calculations all on its side.
>
> Alan thought that maybe Tomcat does authorization differently
> (using Subject.doAs), in which case Tomcat would specifically need all the
> RealmPrincipals to be present. However, as that appears to be fairly
> slow, it's not ideal anyway.
>
> So in the short term, you should probably try to insert a call to
> ContextManager.getServerSideSubject which will get you all the
> RealmPrincipals too. If you really have trouble inserting the call in
> there, worst case, you could create a wrapper LoginModule that calls our
> JaasLoginCoordinator LoginModule and then calls
> ContextManager.getServerSideSubject and writes all the RealmPrincipals
> into the Subject that will be returned to the caller. In the long term,
> we'd like to adjust the interface between Tomcat and Geronimo to use a
> different authorization method, which will mean the RealmPrincipals are no
> longer necessary.
>
> Aaron
>
> On Tue, 23 Nov 2004, Jeff Genender wrote:
>> Ok, then this is my mistake. I assumed you were filling in the Subject
>> with the principals, but as I re-read, I saw what you were saying,
>> regarding the necessity to continue to call
>> ContextManager.getServerSideSubject.
>>
>> I have some code that Alan and I worked on in the JaasLoginCoordinator
>> that populates the subject with the principals that I *think* does the
>> "automagically" you referred to in the previous email. I had the
>> JaasLoginService.serverLoginModuleCommit() return a Collection of
>> Principals, and then I set these principals in the Subject in the
>> JaasLoginCoordinator.ServerLoginModule.commit(), very similarly as the
>> ClientLoginModule. So I believe that in the same JVM, this may do
>> what you stated below. I have included the patch which we have come up
>> with thus far. This is only for you guys to look at as I have not run
>> the unit tests for this yet.
>>
>> If I am off base here, please set me straight. I am new to this code
>> and am just getting my feet wet in seeing what it's doing, so I may end
>> up in a few dead ends.
>>
>> Let me know if you would like me to continue down this path, and I can
>> write the unit tests for it and submit the changes.
>>
>> Jeff
>>
>> Here is the patch:
>>
>> Index:
>> src/java/org/apache/geronimo/security/jaas/JaasLoginCoordinator.java
>> ===================================================================
>> --- src/java/org/apache/geronimo/security/jaas/JaasLoginCoordinator.java
>> (revision 106054)
>> +++ src/java/org/apache/geronimo/security/jaas/JaasLoginCoordinator.java
>> (working copy)
>> @@ -210,7 +210,13 @@
>> }
>>
>> public boolean commit() throws LoginException {
>> - return service.serverLoginModuleCommit(client, index);
>> + Collection c = service.serverLoginModuleCommit(client,
>> index);
>> + if (c == null)
>> + return false;
>> +
>> + subject.getPrincipals().addAll(c);
>> +
>> + return true;
>> }
>>
>> public boolean abort() throws LoginException {
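Review bot: the `if (c == null) return false;` in commit() collapses two different conditions into one boolean. serverLoginModuleCommit now returns null both when the server-side module's commit() returned false (which previously surfaced here as a plain `false`) and when the context has no Subject, so the caller can no longer tell an ignored module from a broken login state; keep the boolean contract and expose the principals separately, or throw a LoginException for the no-Subject case. Also, `subject.getPrincipals().addAll(c);` puts principals into the caller's Subject, but neither abort() nor logout() in this class removes them again; record what commit() added and remove exactly that set in both.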
>> Index: src/java/org/apache/geronimo/security/jaas/JaasLoginService.java
>> ===================================================================
>> --- src/java/org/apache/geronimo/security/jaas/JaasLoginService.java
>> (revision 106054)
>> +++ src/java/org/apache/geronimo/security/jaas/JaasLoginService.java
>> (working copy)
>> @@ -260,7 +260,7 @@
>> * once for each server-side login module that was processed
>> before the
>> * overall authentication succeeded.
>> */
>> - public boolean serverLoginModuleCommit(JaasClientId userIdentifier,
>> int loginModuleIndex) throws LoginException {
>> + public Collection serverLoginModuleCommit(JaasClientId
>> userIdentifier, int loginModuleIndex) throws LoginException {
>> JaasSecurityContext context = (JaasSecurityContext)
>> activeLogins.get(userIdentifier);
>> if(context == null) {
>> throw new ExpiredLoginModuleException();
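Review bot: the Javadoc directly above the changed signature (the "once for each server-side login module that was processed" comment) still describes the old boolean return. With the return type now a Collection, document what it contains (the principals of the server-side Subject after processPrincipals) and that null means either a failed commit or a missing Subject, since the coordinator keys its own commit() result on that null.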
>> @@ -270,8 +270,16 @@
>> }
>> JaasLoginModuleConfiguration module =
>> context.getModules()[loginModuleIndex];
>> boolean result = module.getLoginModule(classLoader).commit();
>> +
>> + if (!result)
>> + return null;
>> +
>> context.processPrincipals();
>> - return result;
>> + Subject s = context.getSubject();
>> + if (s == null)
>> + return null;
>> +
>> + return s.getPrincipals();
>> }
>>
>> /**
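Review bot: `return s.getPrincipals();` hands back the live, mutable principal Set of the server-side Subject rather than a copy, so the coordinator's addAll reads, and any other caller could write, Geronimo's internal Subject state; return an unmodifiable copy, for example `Collections.unmodifiableSet(new HashSet(s.getPrincipals()))`. Separately, placing `if (!result) return null;` ahead of `context.processPrincipals();` changes behaviour: before this patch processPrincipals() ran regardless of the module's commit() result, and if skipping it on failure is intentional that deserves a sentence in the patch description.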
>> Index:
>> src/java/org/apache/geronimo/security/jaas/JaasLoginServiceMBean.java
>> ===================================================================
>> ---
>> src/java/org/apache/geronimo/security/jaas/JaasLoginServiceMBean.java
>> (revision 106054)
>> +++
>> src/java/org/apache/geronimo/security/jaas/JaasLoginServiceMBean.java
>> (working copy)
>> @@ -110,7 +110,7 @@
>> * once for each server-side login module that was processed
>> before the
>> * overall authentication succeeded.
>> */
>> - public boolean serverLoginModuleCommit(JaasClientId userIdentifier,
>> int loginModuleIndex) throws LoginException;
>> + public Collection serverLoginModuleCommit(JaasClientId
>> userIdentifier, int loginModuleIndex) throws LoginException;
>>
>> /**
>> * Indicates that the overall login succeeded. All login modules
>> that were
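Review bot: this is the MBean interface, so the returned Collection of principals now has to cross the management connection whenever the coordinator is used from another JVM; every principal type it carries (RealmPrincipals included) must be Serializable, and the realm principals become visible to remote clients, which is exactly the exposure the same-JVM-only idea discussed below was meant to avoid. Either limit the enriched return to the local case or document that remote callers receive it too; the Javadoc above the signature also still describes the boolean return.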
>>
>> Aaron Mulder wrote:
>> > On Mon, 22 Nov 2004, Jeff Genender wrote:
>> >
>> >>This is good...this should get the raw Tomcat JAASRealm to work for
>> >>authorization. I just coded up a special JAASTomcatRealm that called
>> >>the ContextManager.getServerSideSubject and now I can ditch it since it
>> >>looks like the JaasLoginCoordinator is populating the subject.
>> >
>> >
>> > I'm not sure you're right -- the JAASTomcatRealm should be using
>> > RealmPrincipals, which are not currently returned. I need to talk this
>> > over with Alan:
>> >
>> > Alan D. Cabrera wrote:
>> >
>> >>I think that we should return the realm principals as well for all the
>> >>same reasons that we have realm principals in the first place.
>> >
>> >
>> > Last time we talked you wanted to return everything except the
>> > RealmPrincipals... why the change of heart?
>> >
>> > What if we change the JaasLoginCoordinator to load the
>> > RealmPrincipals if it is used within the same JVM as the server, but not
>> > if it connects over the network? That may be the best balance of "give
>> > other server components what they need" and "don't expose Geronimo
>> > security internals to clients".
>> >
>> > Aaron
>>
>
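Aaron's short-term fallback (a wrapper LoginModule that delegates to the coordinator's LoginModule and then copies the server-side principals into the Subject returned to the caller), written out as an added example. This is illustration code for this page, not Geronimo's or Tomcat's, and it deliberately does not assume the signature of ContextManager.getServerSideSubject: the server-side lookup is left as an abstract method for a Geronimo-specific subclass to fill in, the delegate class name comes from a hypothetical `delegateClass` login option, and the abort()/logout() bookkeeping is the part a practitioner needs that the thread does not spell out.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Example wrapper LoginModule (not Geronimo code). It delegates the JAAS
 * lifecycle to an inner LoginModule named by the hypothetical "delegateClass"
 * option and, on commit(), copies the principals of the server-side Subject
 * into the Subject the caller receives. A subclass supplies the lookup.
 */
public abstract class ServerPrincipalWrapperLoginModule implements LoginModule {

    private Subject subject;
    private LoginModule delegate;
    /** Principals this module added itself, so abort/logout remove only those. */
    private final Set<Principal> added = new HashSet<Principal>();

    /**
     * Resolve the server-side Subject for the freshly authenticated client
     * Subject. A Geronimo-specific subclass would call
     * ContextManager.getServerSideSubject here; its exact signature is
     * deliberately not assumed in this example.
     */
    protected abstract Subject lookupServerSideSubject(Subject clientSubject);

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        String className = (String) options.get("delegateClass"); // hypothetical option
        if (className == null) {
            throw new IllegalArgumentException("delegateClass option is required");
        }
        try {
            delegate = (LoginModule) Class.forName(className)
                    .getDeclaredConstructor().newInstance();
        } catch (Exception e) {
            throw new IllegalArgumentException("cannot instantiate delegate " + className, e);
        }
        // The inner module sees the same Subject, handler and options.
        delegate.initialize(subject, callbackHandler, sharedState, options);
    }

    public boolean login() throws LoginException {
        return delegate.login();
    }

    public boolean commit() throws LoginException {
        if (!delegate.commit()) {
            return false; // delegate did not authenticate; nothing to enrich
        }
        Subject serverSide = lookupServerSideSubject(subject);
        if (serverSide == null) {
            // Fail closed: a committed login without the server-side view would
            // hand the container a Subject that lacks the realm principals.
            // LoginContext calls abort() on all modules when commit() throws.
            throw new LoginException("no server-side Subject for authenticated client");
        }
        for (Principal p : serverSide.getPrincipals()) {
            if (subject.getPrincipals().add(p)) {
                added.add(p); // remember only what this module contributed
            }
        }
        return true;
    }

    public boolean abort() throws LoginException {
        removeAdded();
        return delegate.abort();
    }

    public boolean logout() throws LoginException {
        removeAdded();
        return delegate.logout();
    }

    /** Strip exactly the principals commit() added, leaving other modules' alone. */
    private void removeAdded() {
        if (subject != null) {
            subject.getPrincipals().removeAll(added);
        }
        added.clear();
    }
}
```

Tracking the added principals matters because a JAAS Subject is shared by every module in the login configuration: a wrapper that cleared the whole principal set on logout() would also throw away what the other modules contributed. The lookup only works where the server-side Subject is reachable, so this wrapper belongs in the same JVM as the server, which matches Aaron's point that the enriched Subject should not be handed out over the network.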