Hi Francois,
 
Maybe this is a little off subject from the technical discussion I was following about JAAS, but there is actually a real-world issue which needs to be addressed.
 
I work for a company with several dozen products, of which only ours is J2EE based. All products need to have some sense of users and some sense of security (roles, privileges). We have a requirement to integrate with these products so we can share common assets (e.g. users). Our requirement is also to support several J2EE servers (WebLogic, iPlanet, WebSphere, JOnAS; recently we were approached by Lutris). When we started 2 years ago, the first thing we found out is that the problem of authentication and authorization is actually addressed by every vendor differently, and it wasn't actually possible to develop a solution which would allow us to use J2EE server features for user authentication (especially when users and roles are assets used across our different products), which would be portable between these servers and still allow us to implement our very specific security model, and we had to go to great lengths to get around these problems.
 
So we actually see a need for EJB/J2EE server vendors to implement a consistent plugin mechanism where applications can supply their own authentication/authorization which is portable between servers, and JAAS might be the solution.
 
Just my 2c 8-)
 
Regards,
 
Miro Halas
-----Original Message-----
From: François Exertier [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 16, 2001 10:52 AM
To: SG
Cc: [EMAIL PROTECTED]
Subject: Re: Integrating JAAS

Hi,

I'm not sure I understand what you want to do with JAAS and JOnAS. To clarify some aspects, let me recall some points:

  • very shortly, security in EJB guarantees that a SecurityContext will be "propagated" with requests, thus allowing it to carry a Principal identifying the caller. It then allows some kind of "authorization" to be performed, by defining access control on methods: this is done based on "roles" and "method permissions" (defined declaratively in deployment descriptors), i.e. a method permission allows a Principal belonging to a role to invoke an EJB method. Nothing in EJB deals with authentication mechanisms.
  • JAAS is now part of JDK 1.4 (beta) and allows authentication to be performed (by plugging in authentication modules) and authorization (by extending the Java 2 security policy mechanism: you can specify in the security policy file that a principal is allowed to access a resource).
Currently I'm not aware of any attempt to integrate EJB and JAAS security concepts (although they are very close, at least for authorization aspects). In the meantime, I see three issues:
  • JAAS authentication may be used by an EJB client application to perform authentication: authenticate the user, get the associated Principal, put it in the SecurityContext, ... I do not see anywhere that the EJB server should be responsible for authentication.
  • The JAAS authorization mechanism may be used by the EJB server to implement method access control? Is that what you intend to do? Why? ... At least the most important thing is that the EJB platform implements the EJB security features defined in the spec for application portability purposes; how it is implemented does not matter?
  • unify JAAS and EJB security concepts: this is the job of the JCP ...
I agree that it is disappointing that JAAS and EJB security concepts are so different. I also admit that I'm not a security expert, and maybe I miss something ...

Now some more detailed answers to your questions ...

SG wrote:

I am trying to use JAAS to do my security handler for JOnAS. Has anyone out
there tried this yet? I have a few questions that I haven't answered yet:

1. How does the LoginContext fit into the Contexts already existing in
JOnAS?
    a. SecurityContext, RequestContext?
        1. Should I put the LoginContext in there? Do I not need to?


The LoginContext is provided by JAAS to an application for authentication purposes (it allows one or several plugged-in authentication mechanisms to be called). I do not see what it has to do with the SecurityContext?
 

 

2. How does a Subject fit into the JOnAS API? I am thinking I'll have to
change quite a bit to do this, which is OK but I wanted to see if anyone had
already found a way to integrate this in.

According to JAAS, a Subject (which represents a "user") may contain one or several "Principals" (which represent "user names"). What is needed for EJB security is the Principal. Thus, once your Subject is authenticated, extract a Principal and put it in the SecurityContext?
 
 

3. How can I integrate all the doAs(), doAsPrivileged(), etc. into the JOnAS
architecture with the fewest changes?

The EJB 2.0 spec defines a security-identity feature, allowing "run-as" or "use-caller-identity" behaviour. In the case where you decide to implement EJB security on JAAS (great job!), the "run-as" behaviour could surely be implemented with the Subject doAs method ...
Currently, JOnAS does not implement the EJB 2.0 security-identity feature.
 
 

Thanks to everyone!

Robert

(BTW, if anyone wants updates on what I've done so far, and as I go, let me
know. I'd be more than happy to post them for comments, review, etc. - I
just don't want to flood the mailing lists with my stuff if no one wants me
to.)
----


Best Regards,

François
--
==================================================================
François EXERTIER         Evidian (Groupe Bull)
     1, rue de Provence,  BP 208,  38432 Echirolles cedex, FRANCE
     mailto:[EMAIL PROTECTED]
     http://www.evidian.com/jonas   http://www.objectweb.org/jonas
     Tel: +33 (0)4 76 29 71 51  -  Fax:   +33 (0)4 76 29 77 30
==================================================================
  ---- To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "unsubscribe jonas-users". For general help, send email to [EMAIL PROTECTED] and include in the body of the message "help".
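As an added illustration of the flow François sketches above (authenticate with a JAAS LoginContext, take a Principal out of the resulting Subject, and use Subject.doAs for the "run-as" behaviour), here is a self-contained Java example. It is not code from JOnAS or from anyone in this thread: the DemoLoginModule, UserPrincipal, the in-memory user table, the "demo" configuration name and the test credential are all constructed for the example, and the step where a real server would store the Principal in its SecurityContext is only represented by a print. Subject.getSubject and Subject.doAs are the JDK 1.4-era calls; on JDK 18 and later they are deprecated in favour of Subject.current() and Subject.callAs, and on recent JDKs getSubject needs -Djava.security.manager=allow.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Constructed example: JAAS login on the client side; only the Principal crosses into EJB security. */
public class JaasToEjbPrincipal {

    /** The Principal the EJB SecurityContext would carry (hypothetical class, not JOnAS's). */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "UserPrincipal[" + name + "]"; }
        public boolean equals(Object o) { return o instanceof UserPrincipal && name.equals(((UserPrincipal) o).name); }
        public int hashCode() { return name.hashCode(); }
    }

    /** Toy LoginModule with an in-memory user table. Demo only: a real module checks a directory or database. */
    public static class DemoLoginModule implements LoginModule {
        private static final Map<String, char[]> USERS = new HashMap<>();
        static { USERS.put("miro", "s3cret".toCharArray()); }   // constructed test credential
        private Subject subject;
        private CallbackHandler handler;
        private UserPrincipal pending;   // set by login(), added to the Subject only in commit() (two-phase login)

        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> opts) {
            this.subject = subject; this.handler = handler;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            char[] given = pc.getPassword();
            pc.clearPassword();
            char[] expected = USERS.get(nc.getName());
            // one generic failure message: do not reveal whether the user or the password was wrong
            boolean ok = expected != null && given != null && Arrays.equals(expected, given);
            if (given != null) Arrays.fill(given, '\0');
            if (!ok) throw new LoginException("login failed");
            pending = new UserPrincipal(nc.getName());
            return true;
        }
        public boolean commit() { if (pending == null) return false; subject.getPrincipals().add(pending); return true; }
        public boolean abort()  { pending = null; return true; }
        public boolean logout() { subject.getPrincipals().remove(pending); pending = null; return true; }
    }

    /** Programmatic equivalent of a one-entry JAAS login configuration file for the name "demo". */
    static Configuration demoConfig() {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
            public void refresh() {}
        };
    }

    /** Non-interactive CallbackHandler feeding the module a fixed user name and password. */
    static CallbackHandler handlerFor(final String user, final char[] pw) {
        return cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pw);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** The step François describes: authenticate via JAAS, then extract the Principal for the EJB side. */
    public static Principal authenticate(String user, char[] pw) throws LoginException {
        LoginContext lc = new LoginContext("demo", handlerFor(user, pw));
        lc.login();                                         // runs login() then commit() on each module
        Set<UserPrincipal> ps = lc.getSubject().getPrincipals(UserPrincipal.class);
        if (ps.isEmpty()) throw new LoginException("no principal committed");
        return ps.iterator().next();                        // this is what goes into the SecurityContext
    }

    public static void main(String[] args) throws Exception {
        Configuration.setConfiguration(demoConfig());
        Principal caller = authenticate("miro", "s3cret".toCharArray());
        System.out.println("caller principal for the SecurityContext: " + caller);

        // "run-as": execute the EJB method body under a different identity via Subject.doAs
        Subject runAs = new Subject();
        runAs.getPrincipals().add(new UserPrincipal("admin"));
        String seen = Subject.doAs(runAs, (PrivilegedAction<String>) () ->
                Subject.getSubject(AccessController.getContext()).getPrincipals().iterator().next().getName());
        System.out.println("identity seen inside doAs: " + seen);

        try { authenticate("miro", "wrong".toCharArray()); }
        catch (LoginException e) { System.out.println("rejected as expected: " + e.getMessage()); }
    }
}
```

Compile with `javac JaasToEjbPrincipal.java` and run with `java JaasToEjbPrincipal`; it prints the committed caller principal, the "admin" identity visible inside the doAs block, and the rejection of the bad password. The two-phase login (login() then commit()) is what lets a LoginContext with several REQUIRED modules abort cleanly without leaving a half-populated Subject, which is the property a server-side plugin mechanism of the kind Miro asks for would rely on.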
