1. Re: Adding or changing roles without relogin
juhalindfors Sep 2, 2003 3:17 AM (in response to olesha)
Maybe SecurityAssociation.pushRunAsRole(new SimplePrincipal("Admin")) will work?
-- Juha
2. Re: Adding or changing roles without relogin
shaman Sep 2, 2003 8:11 AM (in response to olesha)
I tried to use this function (SecurityAssociation.pushRunAsRole). It works like
<security-identity>... <run-as>Admin</run-as>.
In any case context.isCallerInRole("User") returns 'true'.
But I need it to return 'false' for context.isCallerInRole("User") and 'true' for context.isCallerInRole("Admin").
3. Re: Adding or changing roles without relogin
juha Sep 2, 2003 8:30 AM (in response to olesha)
Yes, that is the expected behavior (the run-as role is added to the existing roles).
A further experiment might be to access the subject via SecurityAssociation and modify the contents of its 'Roles' group. You might need to flush the authentication cache for the subject's identity in this case.
-- Juha
4. Re: Adding or changing roles without relogin
shaman Sep 3, 2003 3:51 AM (in response to olesha)
I tried to access the subject via SecurityAssociation and modify the contents of the 'Roles' group.
Unfortunately it does not work. I cannot change the subject directly from SecurityAssociation. I also cannot flush the authentication cache, because in that case I would have to do a new login.
I have done some experiments and have found out that SecurityAssociation.pushRunAsRole('Admin')
and the tags
<security-identity>... <run-as>Admin</run-as> in ejb-jar
do not change the 'Roles' group.
And if I call isCallerInRole('User') I always get 'true'.
isCallerInRole('Admin') - always 'false'.
5. Re: Adding or changing roles without relogin
juha Sep 3, 2003 4:23 AM (in response to olesha)
> I tried to access the subject via SecurityAssociation
> and modify the contents of the 'Roles' group.
> Unfortunately it does not work. I cannot change
> the subject directly from SecurityAssociation.
You cannot change the subject reference, but you should be able to modify its principal set, no?
> I have done some experiments and have found out that
> SecurityAssociation.pushRunAsRole('Admin') and the tags
> <security-identity>... <run-as>Admin</run-as> in
> ejb-jar do not change the 'Roles' group.
That is correct. If you look into the SecurityAssociation implementation you'll see that the run-as role is stored in a separate thread-local stack and accessed via peek().
-- Juha
6. Re: Adding or changing roles without relogin
shaman Sep 3, 2003 9:59 AM (in response to olesha)
Yes, I can change the principal set. I have solved this problem as follows:
    import java.util.Iterator;
    import java.util.Set;
    import javax.security.auth.Subject;
    import org.jboss.security.NestableGroup;
    import org.jboss.security.SecurityAssociation;
    import org.jboss.security.SimpleGroup;
    import org.jboss.security.SimplePrincipal;

    Subject sub = SecurityAssociation.getSubject();
    Set pr = sub.getPrincipals(NestableGroup.class);  // JBoss keeps the caller's roles in a NestableGroup named "Roles"
    for (Iterator iter = pr.iterator(); iter.hasNext();) {
        NestableGroup gr = (NestableGroup) iter.next();
        if (!gr.getName().equals("Roles")) continue;  // skip other groups instead of stopping at the first non-"Roles" one
        SimpleGroup newGr = new SimpleGroup("Roles");
        newGr.addMember(new SimplePrincipal("Admin"));
        gr.addMember(newGr);  // NestableGroup accepts only Groups; the group pushed last becomes the active role set
    }
Now isCallerInRole('Admin') returns 'true'.
But I do not think that this is the correct solution to the problem.
It will work only on JBoss.
It is very important for me to keep the code portable, so that my J2EE application would also work on other application servers.
It is not entirely clear to me why JBoss does not change the 'Roles' group for the duration of a method call (any EJB method) if I call SecurityAssociation.pushRunAsRole or if I add security identity information in ejb-jar.xml (<run-as>Admin</run-as>).
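An added example (not code from this thread and not JBoss's own code) of the portable way to get the 'Admin' view the last post asks for. In EJB 2.x the run-as identity does not change who a bean's callers are: isCallerInRole inside the bean that declares run-as still tests the real client, and the run-as identity is used only for the calls that bean makes to other beans. The portable design is therefore to put the privileged work into a second bean whose methods are permitted to the 'Admin' role and to call it from a bean declared with run-as Admin; in the callee the container establishes the run-as principal as the caller, so isCallerInRole("Admin") is true there. The descriptor syntax is <run-as><role-name>Admin</role-name></run-as> (the role-name element is required). The bean names UserFacade and AdminWorker, the role names, the reference name ejb/AdminWorker and the descriptor fragment in the leading comment are assumptions made for this example; whether the callee also sees 'User' depends on which principal the deployer maps the run-as role to.

```java
// ---- file: UserFacadeBean.java (added example; assumed names, not from the thread) ----
// Assumed ejb-jar.xml entries this relies on:
//   <session><ejb-name>UserFacade</ejb-name> ...
//     <ejb-local-ref><ejb-ref-name>ejb/AdminWorker</ejb-ref-name>
//       <ejb-ref-type>Session</ejb-ref-type>
//       <local-home>AdminWorkerLocalHome</local-home><local>AdminWorkerLocal</local>
//       <ejb-link>AdminWorker</ejb-link></ejb-local-ref>
//     <security-identity><run-as><role-name>Admin</role-name></run-as></security-identity>
//   </session>
//   <session><ejb-name>AdminWorker</ejb-name> ...
//     <security-identity><use-caller-identity/></security-identity></session>
//   <assembly-descriptor>
//     <security-role><role-name>User</role-name></security-role>
//     <security-role><role-name>Admin</role-name></security-role>
//     <method-permission><role-name>User</role-name>
//       <method><ejb-name>UserFacade</ejb-name><method-name>*</method-name></method></method-permission>
//     <method-permission><role-name>Admin</role-name>
//       <method><ejb-name>AdminWorker</ejb-name><method-name>*</method-name></method></method-permission>
//   </assembly-descriptor>
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class UserFacadeBean implements SessionBean {
    private SessionContext ctx;

    /** Called by clients in role "User"; the Admin-only step is delegated to AdminWorker. */
    public String doPrivilegedWork() {
        // The caller of this bean is still the real client: run-as does not alter the
        // identities of a bean's callers, only the identity the bean uses for its own calls.
        String here = "facade sees User=" + ctx.isCallerInRole("User")
                    + ", Admin=" + ctx.isCallerInRole("Admin");   // true, false for a "User" client
        try {
            AdminWorkerLocalHome home = (AdminWorkerLocalHome)
                new InitialContext().lookup("java:comp/env/ejb/AdminWorker");
            // This call is made with the run-as identity "Admin", so the method
            // permission on AdminWorker (role Admin) is satisfied.
            return here + "; " + home.create().adminOnly();
        } catch (NamingException e) {
            throw new EJBException(e);
        } catch (CreateException e) {
            throw new EJBException(e);
        }
    }

    public void ejbCreate() {}
    public void setSessionContext(SessionContext c) { ctx = c; }
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}

// ---- file: AdminWorkerBean.java ----
public class AdminWorkerBean implements javax.ejb.SessionBean {
    private javax.ejb.SessionContext ctx;

    public String adminOnly() {
        // The container established the principal mapped to UserFacade's run-as role as
        // the caller, so "Admin" is true here even though the original client only had
        // "User" (whether "User" is also true depends on the deployer's mapping of that principal).
        return "worker sees Admin=" + ctx.isCallerInRole("Admin")
             + ", User=" + ctx.isCallerInRole("User");
    }

    public void ejbCreate() {}
    public void setSessionContext(javax.ejb.SessionContext c) { ctx = c; }
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}

// ---- file: AdminWorkerLocal.java ----
public interface AdminWorkerLocal extends javax.ejb.EJBLocalObject {
    String adminOnly();
}

// ---- file: AdminWorkerLocalHome.java ----
public interface AdminWorkerLocalHome extends javax.ejb.EJBLocalHome {
    AdminWorkerLocal create() throws javax.ejb.CreateException;
}
```

Because the role switch is expressed entirely in ejb-jar.xml and the standard javax.ejb API, the same pair of beans deploys unchanged on any EJB 2.x container, which is what the last post asks for; nothing touches SecurityAssociation or the 'Roles' group.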