djencks wrote:
> I think that sending the server-side subject back to a client is apt
> to be more than a philosophical problem.

When I spoke of a philosophical problem, I had in mind that I have to deal with a standalone client instead of a web application. JAAS works very well in web-apps. I wouldn't have such problems with a web-app.

djencks wrote:
> In general, you don't know what information other than the principals
> you are interested in may be in the subject. For instance in Geronimo,
> if you want to access a remote secured web service, you put the
> credentials for the web service in the Subject. These may be
> credentials for the server to access the web service, not for the user
> of the server. Leaking these to the user/client program could be a
> serious security violation. In order to do this, you would need
> verification that the client program is authorized to get the
> credentials: presumably this would involve signing the code and
> communicating this somehow to the server.

Now I understand. Yes, you're absolutely right. I only saw my simple user and group principals, but there could be more. In my case the client should only get the information that belongs to him. I already solved this problem using a stateless bean.

djencks wrote:
> Instead of this likely-to-be-risky exposure, if you just make the user
> roles available to the client, you are unlikely to be sending
> particularly sensitive information. Could I ask what kind of security
> system you are using on the client that requires principals?

I use the Eclipse RCP. In version 3.4 JAAS support was introduced, so I use JAAS on the client side too. What I currently do is map roles only to group principals on the server side, so in my system there is one group for each role: the groups are my roles. The client gets the groups from a stateless bean and turns them into my own ClientRolePrincipals. I want the authorization on the client side too. The RCP can handle certain parts; I just want to write my permissions and my own Policy implementation.

In the first step I introduced only realm, username and password authentication.

I would like to thank you for your comments. Now I think that my stateless bean solution isn't as bad as I thought.

Mark
-- 
View this message in context: http://www.nabble.com/JAAS-with-a-standalone-client-tp16824275s134p16895769.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
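The handoff the thread settles on, written out as an added example that is not code from the thread, from Geronimo or from Eclipse RCP: the server-side bean copies out only the group names (so a private credential sitting in the same Subject never leaves the server), the client rebuilds a Subject from those names as ClientRolePrincipals, and a custom java.security.Policy grants application permissions by role. ClientRolePrincipal takes its name from the post; ServerGroupPrincipal, ClientPermission, RolePolicy, rolesFor and permitted are hypothetical names chosen for the example (Geronimo's real group principal class is not used), and the server Subject's contents are constructed. It relies on Policy and AccessController, which fit the Java of this 2008 thread; from Java 17 those classes are deprecated for removal and from Java 24 (JEP 486) the Policy-based check no longer functions, so a current RCP client should keep the role set and consult it directly.

```java
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;

public class ClientAuthzDemo {

    // Stand-in for the realm's group principal on the server (hypothetical name;
    // Geronimo's real group principal class is not used here).
    static final class ServerGroupPrincipal implements Principal {
        private final String name;
        ServerGroupPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Client-side role principal built from the group names the bean returns.
    static final class ClientRolePrincipal implements Principal {
        private final String name;
        ClientRolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof ClientRolePrincipal && name.equals(((ClientRolePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    // Application permission; BasicPermission supplies "report.*" style wildcards.
    static final class ClientPermission extends BasicPermission {
        ClientPermission(String name) { super(name); }
    }

    // Server side: what the stateless bean hands to the client. Only group names
    // are copied out; the Subject and everything else in it stay on the server.
    static Set<String> rolesFor(Subject serverSubject) {
        Set<String> roles = new LinkedHashSet<>();
        for (ServerGroupPrincipal g : serverSubject.getPrincipals(ServerGroupPrincipal.class)) {
            roles.add(g.getName());
        }
        return roles;
    }

    // Client side: a Policy that grants by ClientRolePrincipal and ignores code
    // source. It answers only for ClientPermission so it never widens other checks.
    static final class RolePolicy extends Policy {
        private final Map<String, PermissionCollection> grants;
        RolePolicy(Map<String, PermissionCollection> grants) { this.grants = grants; }

        @Override public boolean implies(ProtectionDomain domain, Permission permission) {
            if (!(permission instanceof ClientPermission)) return false;
            Principal[] principals = domain.getPrincipals();
            if (principals == null) return false;
            for (Principal p : principals) {
                if (p instanceof ClientRolePrincipal) {
                    PermissionCollection pc = grants.get(p.getName());
                    if (pc != null && pc.implies(permission)) return true;
                }
            }
            return false;
        }
    }

    // Run the check as the client Subject; the SubjectDomainCombiner attaches its
    // principals to the ProtectionDomains that RolePolicy.implies receives.
    static boolean permitted(Subject clientSubject, String permName) {
        return Subject.doAsPrivileged(clientSubject, (PrivilegedAction<Boolean>) () -> {
            try {
                AccessController.checkPermission(new ClientPermission(permName));
                return true;
            } catch (SecurityException e) {
                return false;
            }
        }, null);
    }

    public static void main(String[] args) {
        // Constructed server Subject: two groups plus a private credential (a
        // server-to-server secret) that must never be shipped to the client.
        Subject server = new Subject();
        server.getPrincipals().add(new ServerGroupPrincipal("accounting"));
        server.getPrincipals().add(new ServerGroupPrincipal("reader"));
        server.getPrivateCredentials().add("s2s-secret-placeholder".toCharArray());

        // Client: rebuild a Subject holding ClientRolePrincipals only.
        Subject client = new Subject();
        for (String r : rolesFor(server)) client.getPrincipals().add(new ClientRolePrincipal(r));

        Permissions accounting = new Permissions();
        accounting.add(new ClientPermission("report.*"));
        Permissions reader = new Permissions();
        reader.add(new ClientPermission("report.view"));
        Policy.setPolicy(new RolePolicy(Map.of("accounting", accounting, "reader", reader)));

        System.out.println("export as accounting: " + permitted(client, "report.export"));
        System.out.println("view with no roles:   " + permitted(new Subject(), "report.view"));
    }
}
```

The first check passes through the accounting grant's "report.*" wildcard; the second fails because an empty Subject contributes no ClientRolePrincipal, so RolePolicy returns false and checkPermission throws. RolePolicy deliberately ignores CodeSource and answers only for ClientPermission, so installing it does not grant the client code anything beyond the roles the bean returned; the wire payload is a Set of strings, never the Subject.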
