6 Replies Latest reply on Dec 27, 2002 7:54 PM by zx44093

    how to set multiple principals to jbosssx

    mirza_mohsin_beg

      Hi,

      I have been looking at jbosssx classes and I am not sure how to send in additional principals using a LoginContext from a client program that is not running inside the JBoss vm.

      I saw that SecurityAssociation.setSubject() in ClientLoginModule is being used but in JaasSecurityManager.defaultLogin(), LoginContext is called with a 'new Subject()' and not that was set in SecurityAssociation in ClientLoginModule.

      My business need is to have a client application send in multiple principals so that I can have custom functionality like SecurityAssociation.pushRunAsRole() but where the principal is retrieved from client's subject.getPrincipals().

      Any help would be appreciated.

      Thanks,

      -Mohsin

        • 1. Re: how to set multiple principals to jbosssx
          mirza_mohsin_beg

          Hi,

          I think I got it. So it looks like I will need to modify a whole bunch of files: (besides implementing my own server-side LoginModule) Invocation, client-side SecurityInterceptor, SecurityAssociation, SecurityAssociationHandler and SecurityAssociationCallback to implement the setter() and getter() for the additional Principal to be sent in from the ClientLoginModule to the JaasSecurityManager.

          This will, however, mean that I'll have to compile my own distribution of JBoss; something I would prefer to avoid. Any other ideas/shortcuts?

          Thanks,

          -Mohsin

          • 2. Re: how to set multiple principals to jbosssx
            hahi

            Hi Mirza Mohsin Beg,

            may I ask what exactly you are implementing? I am no expert, but I will have to implement a JAAS login module that fetches some certificates from a stand-alone client. Maybe we can join, since from reading your post I think I will face the same problems.

            regards
            Hajo

            • 3. Re: how to set multiple principals to jbosssx
              mirza_mohsin_beg

              Hi,

              My need is to send in multiple principals from an EJB client (in JBoss or outside) so that I can dynamically set SecurityAssociation.PushRunAsRole() in the container's SecurityInterceptor, by
              1) sending in NestablePrincipal instead of SimplePrincipal in ClientLoginModule via SecurityAssociation
              2) or by setting/getting my own Principal in the marshalled payload in Invocation
              3) or something else.

              I am exploring the 'cleanest' way to do it. Can anyone advise me ?

              Thanks,

              -Mohsin

              • 4. Re: how to set multiple principals to jbosssx
                zx44093

                Maybe I didn't understand your problem. If you are using the J2EE declarative security model, why do you need to send multiple user principals to the container? Once a user is logged in, the principal carries everywhere. As part of your login process, besides authentication, you can load all the user permissions at that time, which in turn will give this user access to different EJBs as long as the user has one of the required permissions. The user permissions should be stored on the server side, not from the client.

                I hope I didn't confuse you. Let me know if I can explain it in more detail.

                • 5. Re: how to set multiple principals to jbosssx
                  mirza_mohsin_beg

                  Hi,

                  Basically, if I set additional Principals on the client side via subject.getPrincipals().add(), I want to access this same set of Principals on the server side (e.g. in container interceptors).

                  This is not the same as the EJB 2.0 declarative model for RunAsRole.

                  Thanks,

                  -Mohsin

                  • 6. Re: how to set multiple principals to jbosssx
                    zx44093

                    You probably can change that through a session bean. But it seems to me that the way you are doing it is not secure. If you want a client to change its identity dynamically, you simply log out and log in as a different user, and you have to go through the authentication process again with the new identity. A server can't simply trust the client without authentication. Having multiple principals needs to be done on the server side if you do not want to log out/log in again. The whole purpose of J2EE security is to give you fine-grained control over security. If you want the client to change the identity and expect the server to accept it, why bother using security? Again, maybe I still didn't understand what you really want to do.
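As an added example (not code from this thread, and not JBoss's own module), the pattern zx44093 describes in replies 4 and 6: a server-side JAAS LoginModule that authenticates the caller and then builds the principal set, including the "Roles" group, from a store the server controls. Whatever extra principals a client adds to its own Subject never reach this code, because (as reply 1 notes) JaasSecurityManager starts the server-side LoginContext with a fresh Subject. It assumes org.jboss.security.SimplePrincipal and SimpleGroup from jbosssx and JBoss's convention of a group named "Roles"; the user and role tables are constructed sample data standing in for a real database or LDAP lookup.

```java
package example.security;

import java.security.MessageDigest;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.jboss.security.SimpleGroup;      // assumed: jbosssx group implementation
import org.jboss.security.SimplePrincipal;  // assumed: jbosssx principal implementation

/** Authenticates against a server-side store and assigns roles from it; the client asserts nothing. */
public class ServerSideRolesLoginModule implements LoginModule {
    // Constructed sample data: credentials and role assignments live on the server.
    private static final Map<String, char[]> PASSWORDS = new HashMap<>();
    private static final Map<String, String[]> ROLES = new HashMap<>();
    static {
        PASSWORDS.put("alice", "alice-secret".toCharArray());
        ROLES.put("alice", new String[] {"Clerk", "Auditor"});
        PASSWORDS.put("bob", "bob-secret".toCharArray());
        ROLES.put("bob", new String[] {"Clerk"});
    }

    private Subject subject;          // the fresh Subject the container hands us
    private CallbackHandler handler;  // supplies the user name and password
    private String user;
    private boolean loginOk;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] {nc, pc});
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        char[] supplied = pc.getPassword();
        pc.clearPassword();
        char[] expected = PASSWORDS.get(nc.getName());
        // Constant-time comparison so a wrong user name and a wrong password are indistinguishable.
        if (expected == null || supplied == null || !sameSecret(expected, supplied)) {
            throw new FailedLoginException("bad user name or password");
        }
        user = nc.getName();
        loginOk = true;
        return true;
    }

    public boolean commit() throws LoginException {
        if (!loginOk) return false;
        // Identity principal plus the "Roles" group, both derived from the server-side store.
        subject.getPrincipals().add(new SimplePrincipal(user));
        SimpleGroup roles = new SimpleGroup("Roles");
        for (String role : ROLES.getOrDefault(user, new String[0])) {
            roles.addMember(new SimplePrincipal(role));
        }
        subject.getPrincipals().add(roles);
        return true;
    }

    public boolean abort() { loginOk = false; user = null; return true; }

    public boolean logout() {
        // Only remove what this module added; other modules may own other principals.
        subject.getPrincipals().removeIf(p -> p instanceof SimplePrincipal || p instanceof SimpleGroup);
        loginOk = false;
        user = null;
        return true;
    }

    private static boolean sameSecret(char[] a, char[] b) {
        byte[] x = new String(a).getBytes(StandardCharsets.UTF_8);
        byte[] y = new String(b).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(x, y);
    }
}
```

Wire it into the server's login configuration under the security domain the EJB container uses, and the roles the container checks in its SecurityInterceptor are exactly those this module put in the "Roles" group. A client can still switch identity by logging out and logging in again, as reply 6 says, but it cannot widen its own role set by adding principals on its side.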