Re: Current caller subject?

Thu, 03 Aug 2006 12:58:59 -0700 


On Aug 3, 2006, at 9:55 AM, Dain Sundstrom wrote:


On Aug 2, 2006, at 11:29 PM, David Jencks wrote:


On Aug 2, 2006, at 10:53 PM, Dain Sundstrom wrote:
I'm working on the Jencks project again and have discovered that the container managed security and pool partition by-subject doesn't work oustide of Geronimo since both depend on obtaining the current caller's subject from ContextManager.getCurrentCaller (), which is a Geronimo specific class.
Is there a spec defined way we could be getting the current caller's subject that would reasonably work in most app servers? I'm hoping there is something in the JACC spec. If not, I think we should introduce a hook under these static calls, so we can redirect them to platform specific APIs when running outside of a Geronimo server. 

You could use
(Subject)PolicyContext.getContext ("javax.security.auth.Subject.container");
which in geronimo delegates to ContextManager.getCurrentCaller() using a lot of hashmap lookups and security checks.
Based on the response I got from Alan on IRC and this message, I don't think it would be appropriate to change the connector code use the JACC api directly due to the performance problems. Maybe we can change the ContextManager methods as follows: 

    public static boolean useJacc = true;
public static Subject getCurrentCaller() throws PolicyContextException { 
        if (useJacc) {
return (Subject)PolicyContext.getContext ("javax.security.auth.Subject.container"); 
        } else {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) sm.checkPermission(GET_CONTEXT);

            return (Subject) currentCaller.get();
        }
    }

When running in a Geronimo server we set useJacc to false.

What do you think?
I think we should use the jacc interfaces in the connector framework. Alan was talking about getting the subject from the ACC which is time consuming and independent of JACC. Our jacc implementation delegates to ContextManager, so it's fast (only involves about 2 more hashmap lookups than using ContextManager directly). If someone wants to use a slow JACC implementation, that's their problem. 

thanks
david jencks



-dain

Reply via email to