Hi Robert,

Sorry to jump in this late, but I was focused on other problems.
Integrating JAAS is something we have started in Enhydra Enterprise;
we have made good progress, but there are still some outstanding issues.

Here is what we currently do in Enhydra Enterprise:
1- After authentication, the servlet service is executed by the
 access controller via a Subject.doAsPrivileged call. A Subject.doAsPrivileged
 can also be used in any servlet to change the security context in the flow
 of execution.
2- The client side context propagation framework serializes the current
Subject and attaches it to the call.
3- The server side context propagation framework retrieves the serialized
subject and stores it in a thread local variable. Unfortunately, we haven't
found a way to reestablish the security context on the server side at the
RMI level, and doing that in the interposition classes is a lot of work
(added to the fact that we really want to do it at the ORB level).
4- The getCallerPrincipal method returns the first Principal of the
current thread subject.

Here is what we still have to do:
5- Reestablish the security context on the server side (skeleton) by calling
Subject.doAsPrivileged (any suggestion is welcome).
6- Deploy application roles and method permissions that are defined in
the deployment descriptor to the access controller on a per application
basis.
7- Use privileged actions for method invocation permission checks and for
 isCallerInRole (this is the easy part).

I will be out of the office for the upcoming weeks, but I will be happy to
coordinate this development with you if you would like to. Number 5 is the
first point to resolve to move forward, I think.

Thanks,
Christophe
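To make steps 1, 3, 4 and 7 above concrete, here is a small added example (not Enhydra's or JOnAS's code) that sketches the server-side pattern: a thread-local Subject holder, getCallerPrincipal returning the Subject's first Principal, an isCallerInRole check that reads the Subject bound to the AccessControlContext, and a wrapper that re-establishes the context with Subject.doAsPrivileged. The NamedPrincipal class, the invokeAs wrapper and the convention that a role is a Principal named after the role are assumptions of this example, and the JAAS calls it uses are the ones available in the JDK of that time (they are deprecated in recent JDKs).

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class JaasContextDemo {
    // Step 3: hypothetical thread-local holder for the Subject the skeleton received.
    private static final ThreadLocal<Subject> CURRENT = new ThreadLocal<>();

    // Assumed minimal Principal; a real login module would supply its own types.
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Step 4: first Principal (in iteration order) of the current thread's Subject.
    static Principal getCallerPrincipal() {
        Subject s = CURRENT.get();
        if (s == null || s.getPrincipals().isEmpty()) return null;
        return s.getPrincipals().iterator().next();
    }

    // Step 7: role check against the Subject bound to the current AccessControlContext,
    // so it only succeeds inside a doAs/doAsPrivileged scope (assumed role = Principal name).
    static boolean isCallerInRole(String role) {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null) return false;
        for (Principal p : s.getPrincipals()) if (p.getName().equals(role)) return true;
        return false;
    }

    // Steps 1 and 5: run the servlet or bean method with the Subject re-established;
    // a null AccessControlContext means the action runs with a fresh context.
    static <T> T invokeAs(Subject s, PrivilegedAction<T> action) {
        CURRENT.set(s);
        try { return Subject.doAsPrivileged(s, action, null); }
        finally { CURRENT.remove(); }   // never leak the Subject to the next request
    }

    public static void main(String[] args) {
        Subject alice = new Subject();                       // constructed sample Subject
        alice.getPrincipals().add(new NamedPrincipal("alice"));
        alice.getPrincipals().add(new NamedPrincipal("admin"));
        alice.setReadOnly();
        System.out.println(invokeAs(alice, () ->
            getCallerPrincipal().getName() + " admin=" + isCallerInRole("admin")));
        System.out.println("outside scope admin=" + isCallerInRole("admin")); // false
    }
}
```

Outside invokeAs both the thread-local and the AccessControlContext are empty, which is the failure mode step 5 is about: a request whose Subject is never re-established on the server side has no caller and no roles.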

>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Shout Graphics --
>Design
>Sent: Monday, July 16, 2001 6:55 PM
>To: [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>Subject: Re: Integrating JAAS
>
>
>François,
>
>Thanks for the reply. Basically, I know that EJB and JAAS do not fit 100%
>together, but I know that Java is moving very strongly toward JAAS as the
>way of security. I wanted to try and make my SecurityService for JOnAS to be
>compliant. It is going to be tough, as Java did not think about how to
>integrate EJB with JAAS (and the way JOnAS is set up now it isn't easy).
>
>As to your question:
>  "JAAS authorization mechanism may be used by the EJB server to implement
>method access control ? Is it what you intend to do ? Why ?"
>
>The reason is that if I use JAAS to authenticate, then I have a Subject to
>work with and possibly multiple Principals. So I need JOnAS internally to be
>able to work with the Subject as well.
>
>The only place where this really causes a problem is in running code. JAAS
>has it run through the Subject with methods such as .doAs(), where you pass
>it the action to do, the subject, and some other info (not important right
>now). This is not too far off from JOnAS's "preinvoke()" idea. However, the
>problem is that this is a final class, so I cannot change how those methods
>work. It has a few "obnoxious" requirements:
>1. The class it runs MUST have a "run()" method where it begins
>    a. This shouldn't be too bad, I can just instantiate a class with
>       the method I need to run, etc. and then have that class do all
>       the work in the run() method
>2. It uses AccessControlContext and AccessController for permissions in
>   running in the doAs() method. These are also final classes.
>
>Really, I think my only problems for integrating JAAS and JOnAS are:
>1. the doAs() etc. methods (i.e. how to invoke a bean).
>2. Getting the permissions (currently I only see examples of doing this
>   with a file, and that's a pain because the "policy" file is of a
>   diff. format than a deployment descriptor and would require a
>   deployer to do both).
>
>As to whether anyone has tried to integrate JAAS and EJB, I saw a couple
>messages a while back on Enhydra's site that they were trying to do it, and
>then their messages just stopped. It was two guys named "Wayne" and "Craig".
>Do you know how I could contact them about their results?
>
>Thanks again, I look forward to hearing your input.
>
>Robert
