6 Replies Latest reply on Sep 3, 2003 9:59 AM by shaman

    Adding or changing roles without relogin

    olesha

      Hello All,

      I use JBoss 3.0.7

      I have two secured beans A and B.
      A method of bean A calls findByPrimaryKey on bean B. Inside findByPrimaryKey I call isCallerInRole to test the caller's role; this is an additional security check required by the program logic.

      The problem is that the caller is in role "User" (bean A), but for the findByPrimaryKey call this role must be switched to "Admin" for only this call.

      Is it possible to change or extend the role of the caller somehow without a relogin?

        • 1. Re: Adding or changing roles without relogin

          Maybe SecurityAssociation.pushRunAsRole(new SimplePrincipal("Admin")) will work?

          -- Juha

          • 2. Re: Adding or changing roles without relogin
            shaman

            I tried to use this function (SecurityAssociation.pushRunAsRole). It works like
            <security-identity>... <run-as>Admin</run-as>.

            In any case context.isCallerInRole("User") returns 'true'.
            But I need it to return 'false' for context.isCallerInRole("User") and 'true' for context.isCallerInRole("Admin").

            • 3. Re: Adding or changing roles without relogin

              Yes that is the expected behavior (run as role is added to the existing roles).

              Further experiments might be to access the subject via SecurityAssociation and modify the contents of its 'Roles' group. You might need to flush the authentication cache for the subject's identity in this case.

              -- Juha

              • 4. Re: Adding or changing roles without relogin
                shaman

                I tried to access the subject via SecurityAssociation and modify the contents of the 'Roles' group.
                Unfortunately it does not work. I cannot change the subject directly from SecurityAssociation. Also I cannot flush the authentication cache, because in this case I would have to do a new login.
                I have done some experiments and have found out that SecurityAssociation.pushRunAsRole('Admin')
                and the tags
                <security-identity>... <run-as>Admin</run-as> in ejb-jar
                do not change the group 'Roles'.
                And if I call isCallerInRole('User') I always get 'true'.
                isCallerInRole('Admin') - always 'false'.

                • 5. Re: Adding or changing roles without relogin

                  > I tried to access the subject via SecurityAssociation
                  > and modify the contents of the 'Roles' group.
                  > Unfortunately it does not work. I cannot change
                  > the subject directly from SecurityAssociation.

                  You cannot change the subject reference but you should be able to modify its principal set, no?

                  > I have done some experiments and have found out that
                  > SecurityAssociation.pushRunAsRole('Admin') and the tags
                  > <security-identity>... <run-as>Admin</run-as> in
                  > ejb-jar do not change the group 'Roles'.

                  That is correct. If you'll look into the SecurityAssociation implementation you'll see that the run-as role is stored in a separate thread local stack and accessed via peek().

                  -- Juha

                  • 6. Re: Adding or changing roles without relogin
                    shaman

                    Yes, I can change the principal set. I have solved this problem as follows:

                    import java.util.Iterator;
                    import java.util.Set;
                    import javax.security.auth.Subject;
                    import org.jboss.security.NestableGroup;
                    import org.jboss.security.SecurityAssociation;
                    import org.jboss.security.SimpleGroup;
                    import org.jboss.security.SimplePrincipal;

                    Subject sub = SecurityAssociation.getSubject();
                    Set pr = sub.getPrincipals(NestableGroup.class);
                    Iterator iter = pr.iterator();
                    while (iter.hasNext()) {
                        NestableGroup gr = (NestableGroup) iter.next();
                        if (!gr.getName().equals("Roles")) continue; // only the "Roles" group matters
                        // NestableGroup keeps a stack of groups; isMember consults the top one
                        SimpleGroup newGr = new SimpleGroup("Roles");
                        newGr.addMember(new SimplePrincipal("Admin"));
                        gr.addMember(newGr); // push the new Roles group on top of the stack
                    }

                    Now isCallerInRole('Admin') returns 'true'.

                    But I do not think that this is the correct solution to the problem.
                    It will work only on JBoss.
                    For me it is very important to keep the code universal, so that my J2EE application will also work on other application servers.

                    It is not completely clear to me why JBoss does not change the group 'Roles' for the duration of a call to a method (any method of an EJB) if I call SecurityAssociation.pushRunAsRole or if I add security identity information in ejb-jar.xml (<run-as>Admin</run-as>).
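A scoped variant of the approach in reply 6, added here as an example and not code from the thread. It assumes the JBoss 3.0.x classes the thread names (SecurityAssociation, NestableGroup, SimpleGroup, SimplePrincipal), that NestableGroup.isMember consults only the group most recently pushed, and that NestableGroup.removeMember pops the top group; the class ScopedRoles and the Action callback are hypothetical names. The point it adds is that the Subject returned by SecurityAssociation.getSubject() is the cached, authenticated Subject, so a "Roles" group pushed onto it stays there after the call returns; wrapping the push and pop in try/finally limits the elevation to the one nested findByPrimaryKey call, even when that call throws.

```java
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import org.jboss.security.NestableGroup;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

/**
 * Scoped role elevation for one nested EJB call (added example, JBoss 3.0.x specific).
 * The caller's Subject is shared via the authentication cache, so a group pushed onto its
 * "Roles" NestableGroup remains until popped; the finally block guarantees the pop.
 */
public class ScopedRoles {

    /** Callback for the work that must run with the elevated roles (hypothetical). */
    public interface Action {
        Object run() throws Exception;
    }

    /** Locate the caller's "Roles" NestableGroup, or return null if the Subject has none. */
    static NestableGroup findRolesGroup(Subject sub) {
        Set groups = sub.getPrincipals(NestableGroup.class);
        for (Iterator it = groups.iterator(); it.hasNext();) {
            NestableGroup g = (NestableGroup) it.next();
            if ("Roles".equals(g.getName())) {
                return g;
            }
        }
        return null;
    }

    /**
     * Run action with exactly the given roles visible to isCallerInRole, then restore
     * the previous roles whether or not the action completes normally.
     */
    public static Object runWithRoles(String[] roles, Action action) throws Exception {
        Subject sub = SecurityAssociation.getSubject();
        NestableGroup rolesGroup = findRolesGroup(sub);
        if (rolesGroup == null) {
            throw new IllegalStateException("caller Subject has no Roles group");
        }
        SimpleGroup elevated = new SimpleGroup("Roles");
        for (int i = 0; i < roles.length; i++) {
            elevated.addMember(new SimplePrincipal(roles[i]));
        }
        // push: from here on, NestableGroup.isMember consults only the elevated group
        rolesGroup.addMember(elevated);
        try {
            return action.run();
        } finally {
            // pop: assumed to remove the top group of the stack (JBoss 3.0.x NestableGroup)
            rolesGroup.removeMember(elevated);
        }
    }

    /* Usage from bean A (beanB and key are hypothetical fields of the calling bean):
     *
     *   Object entity = ScopedRoles.runWithRoles(new String[] {"Admin"}, new ScopedRoles.Action() {
     *       public Object run() throws Exception {
     *           return beanB.findByPrimaryKey(key); // isCallerInRole("Admin") is true inside B
     *       }
     *   });
     *   // after runWithRoles returns, isCallerInRole("User") is true again and "Admin" is false
     */
}
```

Two caveats that the thread does not spell out: the modified Subject is the one the JaasSecurityManager caches for that principal, so other requests authenticated as the same user that run concurrently can observe the elevated "Roles" group during the window between push and pop; and the whole technique depends on JBoss internals (SecurityAssociation, NestableGroup), so it is no more portable than the original snippet in reply 6. The portable mechanism for presenting a different identity to a callee remains the ejb-jar.xml run-as element, whose interaction with isCallerInRole in JBoss 3.0.7 is exactly what the thread reports as not working.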