No, not for local user account mapping, for the same reason I explained below. It will work if you want to use delegated credentials for further WS invocation and save you from writing the code to set the credential on the context yourself.
Rachana

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 04, 2007 4:15 PM
To: Rachana Ananthakrishnan; [email protected]
Subject: Re: RE: [gt-user] (How?) Does JaasSubject.doAs() work??

Hello - I use the run-as configuration, but that also doesn't work - you think it should work?

-------- Original Message --------
> Date: Thu, 4 Oct 2007 10:05:59 -0500
> From: "Rachana Ananthakrishnan" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [email protected]
> Subject: RE: [gt-user] (How?) Does JaasSubject.doAs() work??

> How does local user name get changed here? The invocation only sets up the
> delegated credentials, so any WS invocation you do from test() will have the
> caller's credential, but not the local account the caller is mapped to.
>
> We use gridmap files to map from caller to local user name and some of the
> higher level services explicitly use sudo to change to the local user
> account. So unless you have a security manager with some policy that
> explicitly determines the local user account to use for file creation, you
> will not see the file created as delegated user.
>
> BTW, you can use the security descriptor configuration to automatically set
> up caller's credential as the invocation credential by using the run-as
> configuration property. For GT 4.0.x, here is the configuration:
>
> http://www.globus.org/toolkit/docs/4.0/security/authzframe/security_descriptor.html#s-authzframe-secdesc-configRunas
>
> Hope this helps,
>
> Rachana
>
> _____
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, October 03, 2007 4:52 PM
> To: [email protected]
> Subject: [gt-user] (How?) Does JaasSubject.doAs() work??
>
> Hello,
>
> I try to create a file in a webservice. The problem is that the file has to
> have the owner of the delegated credential. I thought I can do it somehow
> with the JaasSubject, but the file owner is always globus.
>
> thx pod69
>
> public void test() throws IOException, GSSException {
>     SecurityManager.getManager().setServiceOwnerFromContext();
>
>     org.apache.axis.MessageContext mctx =
>         org.apache.axis.MessageContext.getCurrentContext();
>     SecurityManager manager = SecurityManager.getManager(mctx);
>     Subject subject = (Subject)
>         mctx.getProperty(Constants.INVOCATION_SUBJECT);
>     System.out.println(mctx.getUsername());
>     JaasSubject.doAs(subject, new ExampleAction());
> }
>
> class ExampleAction implements java.security.PrivilegedAction {
>     public Object run() {
>         File file = null;
>         try {
>             file = new File("/tmp/test");
>
>             // Create file if it does not exist
>             boolean success = file.createNewFile();
>             if (success) {
>                 // File did not exist and was created
>             } else {
>                 // File already exists
>             }
>         } catch (IOException e) {
>         }
>         return null;
>     }
> }
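
The behaviour discussed in this thread, a file created inside doAs() still being owned by the account that runs the JVM, shown as an added example that is not part of the original messages or of the Globus code. It uses the standard javax.security.auth.Subject.doAs instead of the Globus JaasSubject, and the class name, method name and distinguished name are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

// Hypothetical demo class; not part of the Globus Toolkit.
public class DoAsFileOwnerDemo {

    // Creates a temp file inside doAs() and returns the owner the OS recorded.
    static String ownerOfFileCreatedAs(Subject subject) throws IOException {
        PrivilegedAction<Path> create = () -> {
            try {
                return Files.createTempFile("doas-demo", ".tmp");
            } catch (IOException e) {
                throw new IllegalStateException("could not create file", e);
            }
        };
        // Standard JAAS call (deprecated for removal in recent JDKs).
        Path file = Subject.doAs(subject, create);
        try {
            return Files.getOwner(file).getName();
        } finally {
            Files.deleteIfExists(file);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed DN standing in for the caller's delegated identity.
        X500Principal caller = new X500Principal("CN=Delegated User,O=Example Grid");
        Subject subject = new Subject();
        subject.getPrincipals().add(caller);

        String owner = ownerOfFileCreatedAs(subject);
        String processUser = System.getProperty("user.name");

        System.out.println("JAAS principal : " + caller.getName());
        System.out.println("JVM process as : " + processUser);
        System.out.println("file owner     : " + owner);
        // The owner is the account running the JVM ("globus" in the thread),
        // never the principal carried by the Subject.
        System.out.println("owner == process user: " + owner.endsWith(processUser));
    }
}
```

The Subject only affects Java-level authorization and credential lookup; changing the file owner requires a separate OS-level step, such as the gridmap lookup followed by sudo that the reply describes.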
