...I'm using Tomcat...I have not checked it yet.

I do get the 'correct' principals in my EJB's...half way there!

Is there no standard way of getting this 'extra' information?

If this is of any use to anyone, I have extended the DatabaseServerLoginModule to add attributes to the Principals. This is done by extending the principalQuery with extra columns (the first is always the 'credentials' the rest are added as attributes to the Principal. I have done the same for 'roles' where the rolesQuery has two mandatory coumns (role and rolegroup), the any extra columns are added as attributes....

I'm now moving on to do the same for LDAP!


Lewis

Peter,

I have 'patched' JBossSecurityMgrRealm to this...

/**
* Return the Principal associated with the specified username and
* credentials, if there is one; otherwise return null.
*
* @param username Username of the Principal to look up
* @param credentials Password or other credentials to use in
* authenticating this username
*/
public Principal authenticate(String username, String credentials) {
boolean trace = category.isEnabledFor(XPriority.TRACE);
if(trace)
category.log(XPriority.TRACE, "Begin authenticate, username=" + username);
Principal principal = null;
Context securityCtx = getSecurityContext();
if(securityCtx == null) {
return null;
}
try {
// Get the JBoss security manager from the ENC context
AuthenticationManager securityMgr = (AuthenticationManager) securityCtx.lookup("securityMgr");
// Default to SimplePrincipal...
principal = new SimplePrincipal(username);
char[] passwordChars = null;
if(credentials != null)
passwordChars = credentials.toCharArray();
if(securityMgr.isValid(principal, passwordChars)) {
category.log(XPriority.TRACE, "User: " + username + " is authenticated");
// Override with authenticated principal...
if(securityMgr instanceof SubjectSecurityManager) {
SubjectSecurityManager subjectMgr = (SubjectSecurityManager) securityMgr;
Subject subject = subjectMgr.getActiveSubject();
principal = getAuthenticatedPrincipal(subject);
}
SecurityAssociation.setPrincipal(principal);
SecurityAssociation.setCredential(passwordChars);
} else {
principal = null;
category.log(XPriority.TRACE, "User: " + username + " is NOT authenticated");
}
} catch(NamingException e) {
principal = null;
category.error("Error during authenticate", e);
}
if(trace)
category.log(XPriority.TRACE, "End authenticate, principal=" + principal);
return principal;
}

// Ripped from org.jboss.security.plugins.JaasSecurityManager::updateCache()
private Principal getAuthenticatedPrincipal(Subject subject) {
Set subjectGroups = subject.getPrincipals(Group.class);
Iterator iter = subjectGroups.iterator();
Principal principal = null;
while(iter.hasNext()) {
Group grp = (Group) iter.next();
String name = grp.getName();
if(name.equals("CallerPrincipal")) {
Enumeration members = grp.members();
if(members.hasMoreElements())
principal = (Principal) members.nextElement();
}
}
/* Handle null principals with no callerPrincipal. This is an indication
of a user that has not provided any authentication info, but
has been authenticated by the domain login module stack. Here we look
for the first non-Group Principal and use that.
*/
if(principal == null) {
Set subjectPrincipals = subject.getPrincipals(Principal.class);
iter = subjectPrincipals.iterator();
while(iter.hasNext()) {
Principal p = (Principal) iter.next();
if((p instanceof Group) == false)
principal = p;
}
}
return principal;
}

Sorry about the formatting...is there any way to use tags in the forums?


...is this 'legal', can we just return the principal from the security manager's active subject???

If it is, this does what I wanted and returns my 'AttributePrincipal' in the request!

There may be other configurations that need to be checked for...I don't know the internal JBoss/Tomcat security well enough to say...maybe someone can validate what I have done???

...also, while doing this I came across a 'useJAAS' flag... Does anyone know how to set it and what is it's use????


Kind regards


Lewis

Hezekiel,

The 'patch' I supplied above allows you to return 'lightweight' principal information to your application via the Principal object in your request/context. This information is acquired by the SERVER login module upon successful authentication. This does not seem to be your question at all! You seem to want to pass information from the client to the server during the authentication 'challenge'. To do this you must extend both the server login module to request this information from the client and also the client login module to return the information when requested. What type of information do you want to pass to the server in this way?

Lewis

Hezekiel,

The 'patch' I supplied above allows you to return 'lightweight' principal information to your application via the Principal object in your request/context. This information is acquired by the SERVER login module upon successful authentication. This does not seem to be your question at all! You seem to want to pass information from the client to the server during the authentication 'challenge'. To do this you must extend both the server login module to request this information from the client and also the client login module to return the information when requested. What type of information do you want to pass to the server in this way?

Lewis