François,

Thanks for the reply. Basically, I know that EJB and JAAS do not fit 100% 
together, but I know that Java is moving very strongly toward JAAS as the 
way of security. I wanted to try and make my SecurityService for JOnAS to be 
compliant. It is going to be tough, as Java did not think about how to 
integrate EJB with JAAS (and the way JOnAS is set up now it isn't easy).

As to your question:
  "JAAS authorization mechanism may be used by the EJB server to implement 
method access control ? Is it what you intend to do ? Why ?"

The reason is that if I use JAAS to authenticate, then I have a Subject to 
work with and possible multiple Principals. So I need JOnAS internally to be 
able to work with the Subject as well.

The only place where this really causes a problem is in running code. JAAS 
has it run through the Subject with methods such as .doAs() where you pass 
it the action to do, the subject, and some other info (not important right 
now). This is not too far off from JOnAS's "preinvoke()" idea. However, the 
problem is that this is a final class, so I cannot change how those methods 
work. It has a few "obnoxious" requirements:
1. The class it runs MUST have a "run()" method where it begins
    a. This shouldn't be too bad, I can just instantiate a class with
       the method I need to run, etc. and then have that class do all
       the work in the run() method
2. It uses AccessControlContext and AccessController for permissions in
   running in the doAs() method. These are also final classes.

Really, I think my only problems for integrating JAAS and JOnAS are:
1. the doAs() etc. methods. (i.e. how to invoke a bean)
2. Getting the permissions (currently I only see examples of doing this
   with a file, and that's a pain because the "policy" file is of a
   different format than a deployment descriptor and would require a
   deployer to do both).

As to whether anyone has tried to integrate JAAS and EJB, I saw a couple 
messages a while back on Enhydra's site that they were trying to do it, and 
then their messages just stopped. It was two guys named "Wayne" and "Craig". 
Do you know how I could contact them about their results?

Thanks again, I look forward to hearing your input.

Robert


Hi,

I'm not sure I understand what you want to do with JAAS and JOnAS. To clarify some aspects, let me recall some points:

  • very shortly, security in EJB guarantees that a SecurityContext will be "propagated" with requests, thus allowing to carry a Principal identifying the caller. Then it allows to perform some kind of "authorization", by defining access control on methods: this is done based on "roles" and "method permissions" (defined declaratively in deployment descriptors), i.e. a method permission allows a Principal belonging to a role to invoke an EJB method. Nothing in EJB deals with authentication mechanisms.
  • JAAS is now part of JDK 1.4 (beta) and allows to perform authentication (by plugging authentication modules) and authorization (by extending the Java 2 security policy mechanism, you can specify in the security policy file that a principal is allowed to access a resource).
Currently I'm not aware of any attempt to integrate EJB and JAAS security concepts (although they are very close, at least for authorization aspects). In the meantime, I see three issues:
  • JAAS authentication may be used by an EJB client application to perform authentication: authenticate the user, get the associated Principal, put it in the SecurityContext, ... I do not see anywhere that the EJB server should be responsible for authentication.
  • JAAS authorization mechanism may be used by the EJB server to implement method access control? Is it what you intend to do? Why? ... at least the most important is that the EJB platform implements the EJB security features defined in the spec for application portability purpose; how it is implemented does not matter?
  • unify JAAS and EJB security concepts: this is the job of the JCP ...
I agree that it is disappointing that JAAS and EJB security concepts are so different. I also admit that I'm not a security expert, and maybe I miss something ...

Now some more detailed answers to your questions ...

SG wrote:

I am trying to use JAAS to do my security handler for JOnAS. Has anyone out
there tried this yet? I have a few questions that I haven't answered yet:

1. How does the LoginContext fit into the Contexts already existing in
JOnAS?
    a. SecurityContext, RequestContext?
        1. Should I put the LoginContext in there? Do I not need to?


The LoginContext is provided by JAAS to an application for authentication purpose (it allows to call one or several plugged authentication mechanisms). I do not see what it has to do with the SecurityContext?

2. How does a Subject fit into the JOnAS API? I am thinking I'll have to
change quite a bit to do this, which is OK but I wanted to see if anyone had
already found a way to integrate this in.

According to JAAS, a Subject (which represents a "user") may contain one or several "Principal" (which represents "user names"). What is needed for EJB security is the Principal. Thus, once your Subject is authenticated, extract a Principal and put it in the SecurityContext?

3. How can I integrate all the doAs(), doAsPrivileged(), etc. into the JOnAS
architecture with the fewest changes?

The EJB 2.0 spec defines a security-identity feature, allowing "run-as" or "use-caller-identity" behaviour. In the case where you decide to implement EJB security on JAAS (great job!), the "run-as" behaviour could surely be implemented with the Subject doAs method ...
Currently, JOnAS does not implement the EJB 2.0 security-identity feature.

Thanks to everyone!

Robert

(BTW, if anyone wants updates on what I've done so far, and as I go, let me
know. I'd be more than happy to post them for comments, review, etc. - I
just don't want to flood the mailing lists with my stuff if no one wants me
to.)
----


Best Regards,

François
--
==================================================================
François EXERTIER         Evidian (Groupe Bull)
     1, rue de Provence,  BP 208,  38432 Echirolles cedex, FRANCE
     mailto:[EMAIL PROTECTED]
     http://www.evidian.com/jonas   http://www.objectweb.org/jonas
     Tel: +33 (0)4 76 29 71 51  -  Fax:   +33 (0)4 76 29 77 30
==================================================================
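As an added illustration of the points raised in both messages (the doAs()/run() adapter Robert describes, the Principal extraction François suggests, and the EJB 2.0 "run-as" behaviour), here is example code written for this note; it is not JOnAS or JAAS code, and UserPrincipal, callerPrincipal and invokeBean are hypothetical stand-ins for the container's own types and preinvoke() logic.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;

// Added example (not JOnAS or JAAS code): wrap a bean invocation in Subject.doAs()
// through a run() adapter, and recover the caller Principal inside the container.
public class JaasRunAsDemo {
    // Constructed Principal type standing in for an authenticated user name.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    // Hypothetical stand-in for preinvoke(): read the caller identity from the
    // Subject bound to the current AccessControlContext by Subject.doAs().
    static Principal callerPrincipal() {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null) return null;                       // invoked outside any doAs()
        Set<UserPrincipal> users = s.getPrincipals(UserPrincipal.class);
        return users.isEmpty() ? null : users.iterator().next();
    }

    // Hypothetical bean dispatch; a real container would check the method
    // permissions of the caller's roles here before invoking the bean.
    static String invokeBean(String method) {
        Principal caller = callerPrincipal();
        return method + " as " + (caller == null ? "<anonymous>" : caller.getName());
    }

    public static void main(String[] args) {
        // Constructed Subjects; normally LoginContext.login() would populate them.
        Subject alice = new Subject();
        alice.getPrincipals().add(new UserPrincipal("alice"));
        final Subject runAs = new Subject();                // EJB 2.0 run-as identity
        runAs.getPrincipals().add(new UserPrincipal("system"));

        // The action class must expose run(): that is where the bean call goes.
        String out = Subject.doAs(alice, new PrivilegedAction<String>() {
            public String run() {
                String outer = invokeBean("Account.getBalance");
                // A nested doAs() switches identity only for the run-as bean.
                String inner = Subject.doAs(runAs, new PrivilegedAction<String>() {
                    public String run() { return invokeBean("Audit.record"); }
                });
                return outer + " | " + inner;
            }
        });
        System.out.println(out);
    }
}
```

The nested doAs() shows why the run-as identity does not leak back to the outer call: each doAs() binds its Subject to a fresh AccessControlContext for the duration of run() only.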