I'm not sure I understand what you want to do with JAAS and JOnAS. To clarify some aspects, let me recall some points:
- Very briefly, security in EJB guarantees that a SecurityContext will be "propagated" with requests, thus allowing it to carry a Principal identifying the caller. It then allows some kind of "authorization" to be performed, by defining access control on methods: this is done based on "roles" and "method permissions" (defined declaratively in deployment descriptors), i.e. a method permission allows a Principal belonging to a role to invoke an EJB method. Nothing in EJB deals with authentication mechanisms.
- JAAS is now part of JDK 1.4 (beta) and allows authentication to be performed (by plugging in authentication modules) and authorization (by extending the Java 2 security policy mechanism: you can specify in the security policy file that a principal is allowed to access a resource).
- JAAS authentication may be used by an EJB client application to perform authentication: authenticate the user, get the associated Principal, put it in the SecurityContext, ... I do not see anywhere that the EJB server should be responsible for authentication.
- The JAAS authorization mechanism may be used by the EJB server to implement method access control? Is that what you intend to do? Why? ... At least the most important thing is that the EJB platform implements the EJB security features defined in the spec, for application portability purposes; how it is implemented does not matter?
- unify JAAS and EJB security concepts: this is the job of the JCP ...
Now some more detailed answers to your questions ...
SG wrote:
> I am trying to use JAAS to do my security handler for JOnAS. Has anyone out
> there tried this yet? I have a few questions that I haven't answered yet:
>
> 1. How does the LoginContext fit into the Contexts already existing in
> JOnAS?
>    a. SecurityContext, RequestContext?
>    1. Should I put the LoginContext in there? Do I not need to?

The LoginContext is provided by JAAS to an application for authentication
purposes (it allows calling one or several plugged-in authentication mechanisms).
I do not see what it has to do with the SecurityContext?
According to JAAS, a Subject (which represents a "user") may contain one or several "Principals" (which represent "user names"). What is needed for EJB security is the Principal. Thus, once your Subject is authenticated, extract a Principal and put it in the SecurityContext?

> 2. How does a Subject fit into the JOnAS API? I am thinking I'll have to
> change quite a bit to do this, which is OK but I wanted to see if anyone had
> already found a way to integrate this in.

The EJB 2.0 spec defines a security-identity feature, allowing "run-as" or "use-caller-identity" behaviour. In the case where you decide to implement EJB security on JAAS (great job!), the "run-as" behaviour could surely be implemented with the Subject doAs method ...

> 3. How can I integrate all the doAs(), doAsPrivileged(), etc. into the JOnAS
> architecture with the fewest changes?

Currently, JOnAS does not implement the EJB 2.0 security-identity feature.

> Thanks to everyone!
> Robert
> (BTW, if anyone wants updates on what I've done so far, and as I go, let me
> know. I'd be more than happy to post them for comments, review, etc. - I
> just don't want to flood the mailing lists with my stuff if no one wants me
> to.)
----
Best Regards,
François
--
==================================================================
François EXERTIER
Evidian (Groupe Bull)
1, rue de Provence, BP 208, 38432
Echirolles cedex, FRANCE
mailto:[EMAIL PROTECTED]
http://www.evidian.com/jonas http://www.objectweb.org/jonas
Tel: +33 (0)4 76 29 71 51 - Fax: +33 (0)4 76 29 77 30
==================================================================