1. Re: how to set multiple principals to jbosssx
mirza_mohsin_beg Dec 26, 2002 8:01 PM (in response to mirza_mohsin_beg)
Hi,
I think I got it. So it looks like I will need to modify a whole bunch of files: (besides implementing my own server-side LoginModule) Invocation, client-side SecurityInterceptor, SecurityAssociation, SecurityAssociationHandler and SecurityAssociationCallback to implement the setter() and getter() for the additional Principal to be sent in from the ClientLoginModule to the JaasSecurityManager.
This will however mean that I'll have to compile my own distribution of JBoss, something I would prefer to avoid. Any other ideas/shortcuts?
Thanks,
-Mohsin
2. Re: how to set multiple principals to jbosssx
hahi Dec 27, 2002 5:05 AM (in response to mirza_mohsin_beg)
Hi Mirza Mohsin Beg,
May I ask what exactly you are implementing? I am no expert, but I will have to implement a JAAS login module that fetches some certificates from a stand-alone client. Maybe we can join, since from reading your post I think I will face the same problems.
Regards,
Hajo
3. Re: how to set multiple principals to jbosssx
mirza_mohsin_beg Dec 27, 2002 1:22 PM (in response to mirza_mohsin_beg)
Hi,
My need is to send in multiple principals from an EJB client (in JBoss or outside) so that I can dynamically set the SecurityAssociation.PushRunAsRole() in the container's SecurityInterceptor, by
1) sending in NestablePrincipal instead of SimplePrincipal in ClientLoginModule via SecurityAssociation
2) or by setting/getting my own Principal in the marshalled payload in Invocation
3) or something else.
I am exploring the 'cleanest' way to do it. Can anyone advise me?
Thanks,
-Mohsin
4. Re: how to set multiple principals to jbosssx
zx44093 Dec 27, 2002 5:34 PM (in response to mirza_mohsin_beg)
Maybe I didn't understand your problem. If you are using the J2EE declarative security model, why do you need to send multiple user principals to the container? Once a user is logged in, the principal carries everywhere. As part of your login process, besides authentication, you can load all the user permissions at that time, which in turn will give this user access to different EJBs as long as the user has one of the required permissions. The user permissions should be stored at the server side, not sent from the client.
I hope I didn't confuse you. Let me know if I can explain it in more detail.
5. Re: how to set multiple principals to jbosssx
mirza_mohsin_beg Dec 27, 2002 7:43 PM (in response to mirza_mohsin_beg)
Hi,
Basically, if I set additional Principals on the client side via subject.getPrincipals().add(), I want to access this same set of Principals on the server side (e.g. in container interceptors).
This is not the same as the EJB 2.0 declarative model for RunAsRole.
Thanks,
-Mohsin
6. Re: how to set multiple principals to jbosssx
zx44093 Dec 27, 2002 7:54 PM (in response to mirza_mohsin_beg)
You probably can change that through a session bean. But it seems to me that the way you are doing it is not secure. If you want a client to change the identity dynamically, you simply log out and log in as a different user, and you have to go through the authentication process again with the new identity. A server can't simply trust the client without authentication. Having multiple principals needs to be done at the server side if you do not want to log out/log in again. The whole purpose of J2EE security is to give you fine-grained control over security. If you want the client to change the identity and expect the server to accept it, why bother using security? Again, maybe I still didn't understand what you really want to do.
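The server-side approach zx44093 describes, as an added example (hypothetical code written for this thread, not JBoss's own): a JAAS LoginModule authenticates with the credential the client proves it holds, then attaches the identity and role principals from the server's own records. The class names, the in-memory user store and the role names are constructed for illustration.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical server-side LoginModule written for this thread; not JBoss's own code.
public class ServerSideRolesLoginModule implements LoginModule {
    // Constructed sample store standing in for the server's user database or directory.
    private static final Map<String, String> PASSWORDS = Map.of("mohsin", "secret");
    private static final Map<String, List<String>> ROLES = Map.of("mohsin", List.of("Employee", "Auditor"));
    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean authenticated;
    private final List<Principal> added = new ArrayList<>();

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
    }
    // Phase 1: authenticate with the credential the client actually proves it holds.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
        user = nc.getName();
        char[] pw = pc.getPassword();
        authenticated = user != null && pw != null && new String(pw).equals(PASSWORDS.get(user));
        if (pw != null) Arrays.fill(pw, '\0'); // do not keep the secret in memory
        if (!authenticated) throw new FailedLoginException("bad credentials");
        return true;
    }
    // Phase 2: fill the Subject from the server's own records only. Principals a client
    // added to its local Subject never reach this point, so they cannot grant anything.
    public boolean commit() {
        if (!authenticated) return false;
        added.add(new NamedPrincipal(user));
        for (String role : ROLES.getOrDefault(user, List.of())) added.add(new NamedPrincipal(role));
        subject.getPrincipals().addAll(added);
        return true;
    }
    public boolean abort() { added.clear(); return true; }
    public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }
    // Minimal Principal; JBoss's SimplePrincipal plays this part in a real deployment.
    public record NamedPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
}
```

In a JBoss deployment the role principals would additionally have to be placed in the "Roles" Group that JaasSecurityManager consults; that container-specific wiring is left out here.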