"Kenworthy, Edward" wrote:
> 
> And a second question :-)
> 
> What's the scope of the login ?
> 
> With logging into the appserver using the InitialContext it's reasonably
> obvious - any lookups I perform using the InitialContext (and any methods I
> invoke on those things I look up etc etc).

With WebLogic at least, this isn't the case. When an InitialContext is
created, the WL security information is set *for the current thread*.
This leads to all manner of confusion when people, quite sensibly,
assume that the association is with the IC. For example, if you
create ic1 as user Bob and obtain a reference to bean b1, then create
ic2 as user Bill, access to b1 will be as the user Bill, not Bob.
 
> But what's the scope of the JAAS login ? I can't see how it could be
> anything other than the entire JVM (which appears to be far, far, worse than
> the InitialContext approach so-called kludge).

Well, if you look at ClientLoginModule, you can see that it calls
SecurityAssociation.setPrincipal which sets the principal/credentials on
a per-thread basis. The impression that I get from the JAAS spec is that
per-thread is the intention, although I can't remember anything that
would support this off the top of my head.

Toby.

> -----Original Message-----
> From: Oleg Nitz [mailto:[EMAIL PROTECTED]]
> Sent: 06 December 2000 13:02
> To: jBoss
> Subject: Re[2]: [jBoss-User] Security
> 
> Hi Edward,
> 
> Have you read the following message?
> http://www.mail-archive.com/[email protected]/msg04170.html
> 
> If not, please read it, and if you have any questions after that,
> let me know.
> 
> Oleg.
> 
> Kenworthy, Edward wrote:
> KE> Actually I'll amend this question if I may :-)
> 
> KE> I've read and understood all the JAAS stuff (Although it's not clear to me
> KE> how my LoginContext is bound to accessing the EJBs, as Rickard has asked
> KE> before, what is the scope ? My question is, what is the scope and how do I
> KE> set it ?).
> 
> KE> So for example I now know that to logon I use:
> 
> KE>         import java.security.Principal;
> KE>         import javax.security.auth.Subject;
> KE>         import javax.security.auth.login.LoginContext;
> KE>         import javax.security.auth.login.LoginException;
> 
> KE>         Subject edward = new Subject();
> KE>         // java.security.Principal is an interface, so a concrete
> KE>         // implementation is needed to add one to the Subject
> KE>         edward.getPrincipals().add(new Principal() {
> KE>                 public String getName() { return "Customer"; }
> KE>         });
> KE>         edward.getPublicCredentials().add("mypassword");
> 
> KE>         try
> KE>         {
> KE>                 // "EdwardKenworthy" is the entry name looked up in the
> KE>                 // JAAS login configuration
> KE>                 LoginContext edwardLC = new LoginContext("EdwardKenworthy", edward);
> KE>                 edwardLC.login();
> KE>         }
> KE>         catch (LoginException le)
> KE>         {
> KE>                 // oops
> KE>         }
> 
> KE> However, if all I do is this then I get a "java.lang.SecurityException:
> KE> Unable to locate login configuration".
> 
> KE> Which makes sense, but now we are into the realms of jBoss specifics. What
> KE> jBoss JAAS login configuration should I be using for my client ? And how do
> KE> I set it up ?
> 
> KE> This then leads me onto a related question, for jBoss's implementation of
> KE> JAAS (org.jboss.security.JaasSecurity*.java), how do I manage (CRUD) users,
> KE> credentials(passwords) and roles ?
> 
> KE> If there's any sample/test client and admin-client code (presumably you
> KE> wrote such things whilst implementing it) could you make the source
> KE> available so I can dissect it and work out what to do ? (You never know I
> KE> might even write it up as a HOWTO ;-)
> 
> KE> Quivering in anticipation
> 
> KE> Edward
> 
> KE> -----Original Message-----
> KE> From: Kenworthy, Edward [mailto:[EMAIL PROTECTED]]
> KE> Sent: 06 December 2000 10:38
> KE> To: 'jBoss'
> KE> Subject: RE: [jBoss-User] Security
> 
> KE> Ah, ok, now I understand. Thanks.
> 
> KE> Just one last question :-)
> 
> KE> If I do what Toby suggested in his original post, ie use JAAS and set the
> KE> two tags <authentication-module> and <role-mapping-manager> to
> KE> java:/jaas/other then have you any pointers to where I look to find out how
> KE> the client logs on, and how I manage users/passwords/roles. I'm reading my
> KE> way through the documentation available on the javasoft site,
> KE> http://java.sun.com/products/jaas/, but so far that seems to be focused on
> KE> a) general overview and justification and b) implementers of JAAS (but
> KE> perhaps I just haven't found the right bit yet).
> 
> KE> Edward
> 
> KE> -----Original Message-----
> KE> From: Rickard Öberg [mailto:[EMAIL PROTECTED]]
> KE> Sent: 05 December 2000 15:30
> KE> To: jBoss
> KE> Subject: Re: [jBoss-User] Security
> 
> KE> Hi!
> 
> KE> "Kenworthy, Edward" wrote:
> >> Really ?
> 
> KE> Really ;-)
> 
> >> Wow and ouch, I thought it worked like this:
> >>
> >> 1/ get initial context, sets up caller principle.
> >> 2/ lookup bean.
> >> 3/ try and invoke a method, app server checks caller principle for
> >> permission.
> >>
> >> If it works like this, then passing around a reference isn't a problem as it
> >> will use your permissions, not any associated with the reference.
> 
> KE> Depends on what you mean by "sets up caller principal" (note spelling
> KE> BTW). What is its scope? The thread? The JVM? The current context
> KE> classloader? The threadgroup? All valid options, in some sense, but with
> KE> wildly different semantics.
> 
> >> Anyone, assuming you're right ;-), how do I "log-on" to the app server ?
> 
> KE> 1) Use some proprietary mechanism
> KE> 2) Use J2EE-valid client containers, i.e. servlets, which have a standard
> KE> authentication method
> KE> 3) Use JAAS
> 
> KE> /Rickard
> 
> Best regards,
>  Oleg

-- 
Toby Allsopp
Research
Peace Software International Ltd
Ph +64-9-3730400
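The thread-bound association Toby describes above (identity set as a side effect of creating an InitialContext in WebLogic, and set per thread by ClientLoginModule through SecurityAssociation.setPrincipal in JBoss), as an added example that is not part of the original thread and is not the server's own code. The SecurityAssociation, FakeInitialContext and FakeBeanProxy classes below are stand-ins written for this illustration; only ThreadLocal and the executor come from the JDK. It reproduces the ic1/Bob, ic2/Bill case from the message and goes one step further than the message does, showing what per-thread scope implies for a pooled thread: a login that is never cleared is inherited by the next task that happens to run on that thread.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

/**
 * Model of a per-thread security association. Class names are stand-ins
 * invented for this example, not WebLogic or JBoss classes.
 */
public class ThreadScopedIdentityDemo {

    /** The association is a ThreadLocal: the last login on this thread wins. */
    static final class SecurityAssociation {
        private static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();
        static void setPrincipal(String name) { PRINCIPAL.set(name); }
        static String getPrincipal() { return PRINCIPAL.get(); }
        static void clear() { PRINCIPAL.remove(); }
    }

    /** Stand-in for an InitialContext created with a security principal. */
    static final class FakeInitialContext {
        FakeInitialContext(String principal) {
            // The login is a side effect on the calling thread, not state
            // held by this context object.
            SecurityAssociation.setPrincipal(principal);
        }
        FakeBeanProxy lookup(String jndiName) { return new FakeBeanProxy(jndiName); }
    }

    /** Stand-in for an EJB proxy: the caller is read from the thread at call time. */
    static final class FakeBeanProxy {
        private final String jndiName;
        FakeBeanProxy(String jndiName) { this.jndiName = jndiName; }
        String callerForInvocation() {
            String p = SecurityAssociation.getPrincipal();
            return p == null ? "<anonymous>" : p;
        }
    }

    /** The ic1/ic2 case from the message: b1 is invoked as Bill once ic2 exists. */
    static String sameThreadTwoContexts() {
        FakeInitialContext ic1 = new FakeInitialContext("Bob");
        FakeBeanProxy b1 = ic1.lookup("Account");
        String before = b1.callerForInvocation();   // Bob
        new FakeInitialContext("Bill");             // ic2, never used for a lookup
        String after = b1.callerForInvocation();    // Bill: same reference, new caller
        return before + " -> " + after;
    }

    /**
     * On a pooled thread an un-cleared login leaks into the next task that
     * runs there. With clearAfterUse the second task is anonymous again.
     */
    static String pooledThreadLeak(boolean clearAfterUse) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            Future<String> first = pool.submit(() -> {
                new FakeInitialContext("Bob");
                try {
                    return new FakeBeanProxy("Account").callerForInvocation();
                } finally {
                    if (clearAfterUse) SecurityAssociation.clear();
                }
            });
            // The second task performs no login at all; what caller does it get?
            Future<String> second =
                pool.submit(() -> new FakeBeanProxy("Account").callerForInvocation());
            return first.get() + " then " + second.get();
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(sameThreadTwoContexts());   // Bob -> Bill
        System.out.println(pooledThreadLeak(false));   // Bob then Bob (leaked identity)
        System.out.println(pooledThreadLeak(true));    // Bob then <anonymous>
    }
}
```

The practical check this suggests for any client that shares threads (a servlet container, a worker pool, an RMI dispatcher) is to treat the login as a thread-level resource: set it, make the calls, and clear it in a finally block before the thread goes back to the pool, rather than assuming it travels with the context or bean reference you hold.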

