----- Original Message -----
From: "James Cook" <[EMAIL PROTECTED]>
To: "JBoss-User" <[EMAIL PROTECTED]>
Sent: Thursday, March 15, 2001 7:57 PM
Subject: RE: [jBoss-User] Security
> That makes sense, but its too bad that the original principal is lost.
> Perhaps EJB2 needs the original caller's principal to verify the user has
> permission to execute a particular method. I am referring to programmatic
> security constraints and not the declaritive EJB constraints.
>
> I don't see a simple (or difficult) way of providing both restricted bean
> methods *and* programmatic constraints.
>
The original principal need not be lost. When EJB1 is being executed, there
is a JAAS Subject that has been authenticated and it has at least one
java.security.Principal associated with it and a java.security.acl.Group by
the name of 'Roles' that contains all of the java.security.Principal instances
that correspond to the users roles.
You could write a custom LoginModule that simply augments the current
Subject set of Roles on login to include a special role that EJB2 uses and that no
external user can assume. On logout the LoginModule removes the added
role. I'll actually write such a LoginModule as this is a useful feature.
When using the JaasSecurityManger the currently authenticated Subject is available
using:
InitialContext ctx = new IntialContext();
JaasSecurityManger jsm = (JaasSecurityManager) ctx.lookup("jaas:/security-domain");
Subject s = jsm.getActiveSubject();
where security-domain is the security domain name used in the jboss.xml or
standardjboss.xml
security setup.
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]