I've created an EJB3 application with some JPA entities. Some of these entities
have the notion of ownership. These entities have the getOwner() method, which
returns the principal name of the subject that once created the entity (via
sessionContext.getCallerPrincipal().getName()).
What I would like to do now is to perform ownership checking via a JPA entity
listener.
Thus I login the user via JAAS "client-login" in a servlet filter, my JAAS
login module sets the principal and "Roles" group on the subject and then the
user can continue to update the entities which he owns. The ownership listener
has a @PreUpdate method and here I would like to do the ownership checking.
For this I can use the SecurityAssociation.getPrincipal() which gives me the
current caller principal as expected. The thing is that I would like to be as
JBoss independent as possible. Thus I would like to use JACC. Via
PolicyContext.getContext("javax.security.auth.Subject.container") I can
retrieve the Subject from within the entity listener, but on this subject I
only have a SimplePrincipal with name "guest", and of course the SimpleGroup
"Roles". I checked this out and even
SecurityAssociation.getSubject().getPrincipals() only has "guest" for
SimplePrincipal instead of the real caller principal name, while the
SecurityAssociation.getPrincipal() gives back the correct active principal. How
come?
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4045714#4045714
jboss-user mailing list
https://lists.jboss.org/mailman/listinfo/jboss-user
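An added example, not code from the post or from JBoss, of the listener shape described above: a JACC-based ownership check on @PreUpdate (and @PreRemove) that reads the container Subject through PolicyContext and fails closed when no user principal matches the entity's owner. The Owned interface and the listener class name are assumptions standing in for the poster's entities.

```java
import java.security.Principal;
import java.security.acl.Group;
import javax.persistence.PreRemove;
import javax.persistence.PreUpdate;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;

/** Hypothetical interface standing in for the poster's entities, which expose getOwner(). */
interface Owned {
    String getOwner();
}

public class OwnershipListener {
    private static final String SUBJECT_KEY = "javax.security.auth.Subject.container";

    @PreUpdate
    @PreRemove
    public void checkOwnership(Object entity) {
        if (!(entity instanceof Owned)) {
            return; // listener also registered on an entity without ownership
        }
        String owner = ((Owned) entity).getOwner();
        if (owner == null || !isCaller(owner)) {
            // Fail closed; the provider rolls the transaction back on an unchecked exception.
            throw new SecurityException("caller is not the owner of " + entity.getClass().getSimpleName());
        }
    }

    /** True when a non-group principal on the JACC container subject has the given name. */
    static boolean isCaller(String expectedName) {
        Subject subject;
        try {
            subject = (Subject) PolicyContext.getContext(SUBJECT_KEY);
        } catch (PolicyContextException e) {
            throw new SecurityException("JACC subject not available", e);
        }
        if (subject == null) {
            return false; // no authenticated caller: nothing to compare against
        }
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof Group) {
                continue; // skip the "Roles" group; only user principals count
            }
            if (expectedName.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }
}
```

As the post reports, on the poster's setup the container Subject carries only the "guest" principal, so this check rejects every update until the real caller principal is propagated to JACC; rejecting in that case is the intended fail-closed behaviour rather than a bug in the listener.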