I just thought of something which makes JAAS a little harder, perhaps, in an
EJB environment. Normally, we give permissions to a particular Principal,
and then have a client authenticate as that Principal. So when we have
Principal "Joe" with access to "setNumber" we know this permission will be
granted to all people authenticated as "Joe."

However, in EJB it is not so simple. Let's look at the case of a Bean with
Method "setNumber." This method is granted only to Principal "Joe". However,
this bean was written originally on a different server, and has now been ported
to this server. The bean developer (completely within their rights, but in
BAD design form) also hard-coded that Principal name into the method's code.

The Administrator for the EJB Server has no "Joe" user, and decides to map
"Fred" to "Joe" for that bean. The bean deployer has a client who has been
accessing this bean for months and will try again today. Even though this
bean moved servers, the client's app shouldn't have to change their code. In
fact, since the new server is in the same network as the last, externally it
has the same IP Address.

The client uses "Joe" to connect. Now a few problems arise. The server must
use its own user collection for authentication (otherwise anyone could just
make up users to pass to it). However, it cannot take "Fred" from the
client, and it cannot send that to the bean. We also do not want to make
every subject have two Principals in it just to simulate the mapping. And we
don't want the mapping to live outside the Subject (as that violates JAAS).
So how do we authenticate / authorize that user?

Normally, I would say that we make them sign in with the username of "Fred",
but the problem is then we must pass "Joe" to the bean!! (As the developer,
under the EJB specs, has the right to hard-code Principal names into their code.)
How do we do this if all our security decisions are supposed to go through
Subject? And it seems messy/insecure to make them put in (or the server to
put in) two Principals and only have to authenticate one.

Has anyone come up with a solution for this?

Robert Paris
----
To unsubscribe, send email to [EMAIL PROTECTED] and
include in the body of the message "unsubscribe jonas-users".
For general help, send email to [EMAIL PROTECTED] and
include in the body of the message "help".