David, yes, you understood right. I want the container to use the currently active JAAS subject for the EJB call.

But I had hoped that the container automatically would use the currently active JAAS subject. But this seems not to be possible, as I have just found explained in these WebSphere docs:
http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/rsec_jaasauthor.html

Anyway, the API you gave looks fine, but it seems to be

ContextManager
public static Callers pushNextCaller(Subject nextCaller)

Thanks very much,
Juergen

djencks wrote:
>
> On Jun 18, 2009, at 5:28 AM, Juergen Weber wrote:
>
>> Hi,
>>
>> I opened a JAAS LoginContext in a JSP (the JSP runs under
>> <security-constraint>) and called an EJB using a PrivilegedAction with the
>> resulting subject. It looks like the subject is not propagated to the EJB.
>> Also it looks like the currently active web user cannot be gotten by JAAS.
>> So, it looks like there is a separation between Container authority and
>> JAAS.
>>
>> Is that behaviour OK?
>>
>> (the background of all this is we'd like to use <security-constraint> for
>> the web app, but the EJB call be with a technical user. Also, the EJB call
>> is much deeper in the call stack than the authentication of the technical
>> user, so the call should be in a PrivilegedAction with the subject bound).
>
> I don't understand exactly what you are trying to do but maybe you
> want to authenticate in a jsp rather than using a built in auth
> method? And then use the resulting Subject in container managed
> authorization??
>
> The way to do this is to use one of the ContextManager.login methods
> so your Subject gets registered with geronimo, and then tell geronimo
> to use your Subject with
>
> ContextManager.setCallers(subject,subject)
>
> or if you want to imitate "run-as" functionality
>
> Callers oldCallers = ContextManager.pushSubject(subject);
> try {
>     //dostuff
> } finally {
>     ContextManager.popCallers(oldCallers);
> }
>
> (hopefully I remembered the method names and sigs rightly)
>
> hope this helps
>
> david jencks
>
>> Thanks,
>> Juergen
>>
>> I have put some comments with System.out output into the code
>>
>> Subject subjectjsp = Subject.getSubject(AccessController.getContext());
>> System.out.println("JSP subject:" + subjectjsp);
>> // JSP subject:null. Why isn't this the user logged in to the webapp?
>>
>> SimpleCallbackHandler handler = new SimpleCallbackHandler("tomcat", "tomcat".toCharArray());
>>
>> LoginContext loginCtx = new LoginContext("geronimo-admin", handler);
>> loginCtx.login();
>> Subject subject = loginCtx.getSubject();
>> Set<Principal> principals = subject.getPrincipals();
>>
>> System.out.println("principals:" + principals);
>> // principals:[tomcat, admin, tomcatgroup]
>>
>> PrivilegedAction action = new PrivilegedAction() {
>>
>>     public Object run()
>>     {
>>         Subject subject = Subject.getSubject(AccessController.getContext());
>>
>>         System.out.println("inner subject:" + subject);
>>         // inner subject:Subject:
>>         //   Principal: tomcat
>>         //   Principal: admin
>>         //   Principal: tomcatgroup
>>
>>         Context context;
>>         try
>>         {
>>             context = new InitialContext();
>>
>>             Secured3 secured3 = (Secured3) context.lookup("java:comp/env/ejb/Secured3");
>>             String secureMethod = secured3.secureMethod("hello");
>>             System.out.println("secureMethod: " + secureMethod);
>>
>>             // ctx.getCallerPrincipal():
>>             // secureMethod: Hello hello at Thu Jun 18 13:55:49 CEST 2009
>>             // org.apache.openejb.core.stateless.statelesscont...@133b364 you are:
>>             // org.apache.openejb.core.unauthenticatedprinci...@1884ac4
>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/security-propagation-from-JAAS-context-to-EJB-question-tp24091806s134p24091806.html
>> Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
>>
>

--
View this message in context: http://www.nabble.com/security-propagation-from-JAAS-context-to-EJB-question-tp24091806s134p24099592.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
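A worked version of the run-as pattern David sketches and Juergen corrects (log in through ContextManager so Geronimo knows the Subject, push it as the next caller, call the EJB, and always pop the previous callers in a finally block). This is an added example written for this page; it is not code from the thread or from Geronimo's own sources. It assumes the Geronimo classes live in org.apache.geronimo.security, that ContextManager.login(realm, handler) returns a LoginContext, that pushNextCaller(Subject) returns the previous Callers and popCallers(Callers) restores them, and that Secured3 is the EJB interface from the original post. The realm name and the technical user's credentials are placeholders passed in by the caller.

```java
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;

// Assumed package and signatures (see lead-in); not confirmed by the thread.
import org.apache.geronimo.security.Callers;
import org.apache.geronimo.security.ContextManager;

/**
 * Calls a secured EJB as a technical user from inside a request that the web
 * container authenticated via <security-constraint>, then restores the web
 * caller's identity.
 */
public class TechnicalUserEjbCall {

    /** Minimal JAAS CallbackHandler that answers name and password callbacks. */
    static final class UserPasswordHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        UserPasswordHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /**
     * Authenticates the technical user in the given Geronimo realm, makes that
     * Subject the caller the EJB container sees, runs the EJB call, and puts
     * the previous caller back whether or not the call succeeded.
     */
    public static String callAsTechnicalUser(String realm, String user, char[] password,
                                             final String argument) throws Exception {
        // Log in through ContextManager so the Subject is registered with Geronimo.
        // A plain new LoginContext(realm, handler).login() produces a Subject the
        // container does not know about, which is what the original post observed.
        LoginContext lc = ContextManager.login(realm, new UserPasswordHandler(user, password));
        final Subject technical = lc.getSubject();

        // Push the technical Subject as the next caller (run-as style). The returned
        // Callers must be restored, otherwise later EJB calls on this thread would
        // silently keep the technical identity.
        Callers previous = ContextManager.pushNextCaller(technical);
        try {
            // Subject.doAs additionally binds the Subject to the JAAS
            // AccessControlContext, so code inside run() sees the same identity
            // through Subject.getSubject(...) and through the container.
            return Subject.doAs(technical, new PrivilegedExceptionAction<String>() {
                public String run() throws Exception {
                    Subject bound = Subject.getSubject(AccessController.getContext());
                    if (bound != technical) {
                        throw new IllegalStateException("JAAS Subject not bound inside run()");
                    }
                    InitialContext ctx = new InitialContext();
                    Secured3 secured3 = (Secured3) ctx.lookup("java:comp/env/ejb/Secured3");
                    return secured3.secureMethod(argument);
                }
            });
        } catch (PrivilegedActionException e) {
            // Unwrap so callers see the EJB's own exception, not the JAAS wrapper.
            throw e.getException();
        } finally {
            // Restore the previous caller first, then end the technical session.
            ContextManager.popCallers(previous);
            lc.logout();
        }
    }
}
```

The ordering in the finally block matters: popCallers runs before logout so that no code path is left with the technical Subject as the container's current caller, and the check on Subject.getSubject inside run() makes the "inner subject:null" symptom from the original post fail loudly instead of falling through to an unauthenticated EJB call.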
