Thanks for all your help, but I already read that topic and applied it to my own
LoginModule.
I will try to be more clear now:
This is the isMember(Principal member) method I wrote in my custom Group class.
| import java.security.Principal;
| import java.security.acl.Group;
| import java.util.Enumeration;
| import java.util.HashSet;
| import java.util.Iterator;
| import java.util.Set;
| import javax.security.auth.Subject;
| import org.jboss.security.SecurityAssociation;
|
| public class MyGroup extends MyPrincipal implements Group {
|
| ...
|
| // The principals that have been added to this group.
| private final Set members = new HashSet();
|
| public boolean isMember(Principal member) {
| // Resolve the caller from the Subject JBoss associated with this thread.
| Subject subject = SecurityAssociation.getSubject();
| if (subject == null) {
| return false;
| }
| MyPrincipal callerPrincipal = getCallerPrincipal(subject);
| // No caller principal means no company context: deny instead of throwing.
| if (callerPrincipal == null) {
| return false;
| }
| String company = callerPrincipal.getCompany();
| if ("com1".equals(company)) {
| return members.contains(member);
| }
| return false;
| }
|
| // Finds the MyPrincipal inside the "CallerPrincipal" group that the JBoss
| // login module placed in the Subject; returns null if it is absent.
| private MyPrincipal getCallerPrincipal(Subject subject) {
| Set subjectGroups = subject.getPrincipals(Group.class);
| Iterator iter = subjectGroups.iterator();
| while (iter.hasNext()) {
| Group grp = (Group) iter.next();
| if ("CallerPrincipal".equals(grp.getName())) {
| Enumeration callerMembers = grp.members();
| if (callerMembers.hasMoreElements()) {
| Principal principal = (Principal) callerMembers.nextElement();
| if (principal instanceof MyPrincipal) {
| return (MyPrincipal) principal;
| }
| }
| }
| }
| return null;
| }
|
| ...
|
| }
|
This works fine but what I don't like in my code is the way I retrieve the current
Subject.
SecurityAssociation.getSubject()
It would be nice to let the JAAS implementation of JBoss handle this.
My quote in the first message of this topic.
anonymous wrote :
| I can think of 2 other ways but don't know how to configure/program them:
| 1) The Subject contains an authenticated user and for every company the Subject
| contains a different "Roles"-group. And only the "Roles"-group the user is currently
| interested in is checked if it contains the right role.
| Or
| 2) For every user/company combination a different Subject is created containing
| the correct "Roles".
|
Another thing I don't like in my solution is that I use javax.servlet.Filter to add
the company to my MyPrincipal. The problem here is that the authentication /
authorization is handled before the filter is applied to the request. This results in
a situation where I have to do a second authorization step (request) to check if the
user is really authorized to see the resource.
Maybe the only solution is to write my own JAAS implementation but I would like to
make use as much as possible from the existing JAAS implementation in JBoss. I don't
want to reinvent the wheel.
I hope you can understand me better now and maybe have a good idea, otherwise I stay
with my current implementation and get used to the drawbacks.
Thanks a lot, Cees van Wieringen.
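Added example (not code from the original post and not JBoss's own implementation) of option 1 from the quoted message: the Subject carries a "CallerPrincipal" group with the user plus one Roles group per company, and the authorization check resolves the caller's current company and consults only that company's Roles group. The Subject is taken from the access-control context that Subject.doAs establishes, rather than from the SecurityAssociation thread-local. CompanyPrincipal, RolePrincipal, NamedGroup, the "Roles:<company>" naming scheme and hasRole are assumptions made for this example; NamedGroup stands in for java.security.acl.Group, which the JDK has since removed. Subject.doAs and Subject.getSubject(AccessControlContext) are deprecated on recent JDKs but still compile.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

// Constructed stand-in for the poster's MyPrincipal: the authenticated user
// plus the company the user is currently acting for.
final class CompanyPrincipal implements Principal {
    private final String name;
    private final String company;
    CompanyPrincipal(String name, String company) { this.name = name; this.company = company; }
    @Override public String getName() { return name; }
    String getCompany() { return company; }
}

// A role is identified by its name only, so two RolePrincipal("Admin") are equal.
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

// A named set of principals: the shape java.security.acl.Group had when JBoss
// used it for its "Roles" and "CallerPrincipal" groups (modelled here directly).
final class NamedGroup implements Principal {
    private final String name;
    private final Set<Principal> members = new HashSet<>();
    NamedGroup(String name, Principal... initial) {
        this.name = name;
        members.addAll(Arrays.asList(initial));
    }
    @Override public String getName() { return name; }
    boolean isMember(Principal p) { return members.contains(p); }
    Set<Principal> members() { return members; }
}

public final class CompanyRoleCheck {
    // Hypothetical naming scheme for option 1: one Roles group per company.
    static String rolesGroupName(String company) { return "Roles:" + company; }

    // Build the Subject the way a login module would: a "CallerPrincipal" group
    // holding the user, plus one "Roles:<company>" group for every company.
    static Subject buildSubject(CompanyPrincipal caller, Map<String, Set<String>> rolesByCompany) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new NamedGroup("CallerPrincipal", caller));
        for (Map.Entry<String, Set<String>> e : rolesByCompany.entrySet()) {
            NamedGroup roles = new NamedGroup(rolesGroupName(e.getKey()));
            for (String role : e.getValue()) roles.members().add(new RolePrincipal(role));
            subject.getPrincipals().add(roles);
        }
        return subject;
    }

    static NamedGroup findGroup(Subject subject, String groupName) {
        for (NamedGroup g : subject.getPrincipals(NamedGroup.class)) {
            if (g.getName().equals(groupName)) return g;
        }
        return null;
    }

    // Authorization check: resolve the caller, pick the Roles group for the
    // caller's current company and test the role there. Every missing piece is
    // a deny rather than an exception, so a malformed Subject cannot bypass it.
    static boolean hasRole(Subject subject, String role) {
        if (subject == null) return false;
        NamedGroup callerGroup = findGroup(subject, "CallerPrincipal");
        if (callerGroup == null) return false;
        CompanyPrincipal caller = null;
        for (Principal p : callerGroup.members()) {
            if (p instanceof CompanyPrincipal) { caller = (CompanyPrincipal) p; break; }
        }
        if (caller == null) return false;
        NamedGroup roles = findGroup(subject, rolesGroupName(caller.getCompany()));
        return roles != null && roles.isMember(new RolePrincipal(role));
    }

    // The Subject comes from the access-control context set up by Subject.doAs,
    // not from a JBoss-specific thread-local such as SecurityAssociation.
    static Subject currentSubject() {
        return Subject.getSubject(AccessController.getContext());
    }

    public static void main(String[] args) {
        // Constructed sample data: the same user holds Admin at com1 but only Viewer at com2.
        Map<String, Set<String>> roles = new HashMap<>();
        roles.put("com1", new HashSet<>(Arrays.asList("Admin", "Viewer")));
        roles.put("com2", new HashSet<>(Arrays.asList("Viewer")));

        Subject asCom1 = buildSubject(new CompanyPrincipal("cees", "com1"), roles);
        Subject asCom2 = buildSubject(new CompanyPrincipal("cees", "com2"), roles);
        PrivilegedAction<Boolean> isAdmin = () -> hasRole(currentSubject(), "Admin");
        System.out.println("Admin at com1: " + Subject.doAs(asCom1, isAdmin));
        System.out.println("Admin at com2: " + Subject.doAs(asCom2, isAdmin));
    }
}
```

Only the Roles group that matches the caller's current company is consulted, so a role granted at com1 does not leak into a request made on behalf of com2, which is the point of option 1. Because the check runs inside Subject.doAs, the company context is fixed when the Subject is built, before any servlet filter runs.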
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3842178#3842178