10 Replies Latest reply on Sep 30, 2003 8:20 AM by aparaapara

    Authenticated principal not forwarded to unsecured web resource

    aparaapara

      I am migrating from Orion to JBOSS and noticing that although the user is logged on to my application, accessing any unsecured (public) pages does not forward the authenticated principal to the page or EJB layer.

      Is there a way to forward authenticated principal to the unsecured pages in JBOSS?

      Thanks.
      -AP_

        • 1. Re: Authenticated principal not forwarded to unsecured web resource

          You're going to have to do it programmatically, for instance use an HTTP session to share the principal with unsecured pages.

          -- Juha

          • 2. Re: Authenticated principal not forwarded to unsecured web resource
            aparaapara

            It does not really end there; I need to have the principal forwarded to my EJB layer in the same fashion that it is today for an authenticated user.

            It would be nice if I could write some sort of an interceptor to do this, and then configure my web container to use the new interceptor. I would imagine that in the interceptor I could read the principal and, if it's not null, store it in the session. From then on, if the principal is null and storedPrincipal is not null, I could configure some "Login Context" with my storedPrincipal and make the whole thing "invisible" to the web.

            Now, I am just not sure how to do this. Is the above possible? Could someone provide some details as to what I should look at to do this?

            Thanks.
            -AP_

            • 3. Re: Authenticated principal not forwarded to unsecured web resource

              Servlet filters are the equivalents of interceptors. They're defined in the servlet spec.

              -- Juha

              • 4. Re: Authenticated principal not forwarded to unsecured web resource
                aparaapara

                So using a filter, what would be the basic steps to get this user into the "context" so that it gets passed to the EJB layer? I don't need the code, just the basic idea.

                Thanks for your help.

                -AP_

                • 5. Re: Authenticated principal not forwarded to unsecured web resource

                  In the filter you'd need to do a programmatic login with the username and password that you have stored in the session, either using JAAS login context or accessing JBoss SecurityAssociation directly.

                  -- Juha

                  • 6. Re: Authenticated principal not forwarded to unsecured web resource
                    aparaapara

                    The original problem is that I am already logged in and the security context is not being passed to my WEB pages and EJB(s) when I hit a page which is not secured (public page).

                    Will doing another login with the JAAS login context or JBOSS SecurityAssociation overcome this problem?

                    Will the security context be somehow passed to the WEB/EJB layer if I login for the second time in the filter?

                    -AP_

                    • 7. Re: Authenticated principal not forwarded to unsecured web resource

                      No.

                      The only way to access the security context in a non-secured URL is to pass it explicitly through HTTP session.

                      -- Juha

                      • 8. Re: Authenticated principal not forwarded to unsecured web resource
                        aparaapara

                        I guess this means that I have to modify all my session/entity beans to explicitly accept a caller object on all the API calls, since entityContext.getCallerPrincipal() will not work for me when an authenticated user is trying to access a public web resource which then calls down to my EJB?

                        I was hoping not to have to do such a drastic rewrite of all the API(s). This means that ALL the methods need to take a caller and always pass it around.

                        Do you know where the code is that decides whether the Principal needs to be passed or not? Perhaps I can just make a local mod to that code to always pass a principal if there is one?

                        Thanks for all your help.

                        -AP_

                        • 9. Re: Authenticated principal not forwarded to unsecured web resource

                          I haven't looked into the code to see which part applies to passing the principal to unsecured context. From all the previous discussions it appears that the servlet specification leaves it unclear whether the principal should be passed in the first place.

                          One option would be to consider a dev.support contract and have Scott Stark do the modification for you. He has looked into the issue previously and would be able to give you more help.

                          -- Juha

                          • 10. Re: Authenticated principal not forwarded to unsecured web resource
                            aparaapara

                            I looked at the code. It seems that there is a Valve called JBossSecurityMgrRealm which actually does the authentication via the authenticate() method. There, if the user/password combinations match, it uses SecurityAssociation.setPrincipal()/setCredential() to configure the "context" which is then used for EJB calls.

                            The problem is that AuthenticatorBase, on which BasicAuthenticator (which calls the JBossSecurityMgrRealm) is based, does not call the authenticate method if the resource is not protected.

                            Presumably, this was done to optimize the operations. Technically, authentication occurs at every user request, so doing authentication for non-protected pages would seem like a waste of time. Without authenticate() being called, the request is NOT authenticated, thus the SecurityAssociation stuff is not being called and you get a null Principal on unprotected pages.

                            One way to "transparently" fix this problem is to create a Tomcat Valve which would always attempt to authenticate. In those cases when the user is accessing the protected pages, however, authentication would occur twice.

                            The other way is to modify Tomcat code, but I don't feel comfortable doing this yet.

                            -AP_





                            However, this method is
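The filter approach from replies 5 and 7 (programmatic propagation via the HTTP session and SecurityAssociation), written out for the mechanism reply 10 describes, as an added example that is not from the thread or from JBoss itself. It assumes JBoss 3.x's org.jboss.security.SecurityAssociation API; the class name and the two session attribute names are my own choices, and the filter is assumed to be mapped to /* in web.xml so it runs after the container's authenticator.

```java
// Added example: carry an already-authenticated principal over to public
// (unprotected) pages so that EJB calls made from them still see the caller.
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.jboss.security.SecurityAssociation;

public class PrincipalPropagationFilter implements Filter {
    // Session keys (my own names) for what the realm set on a protected page.
    static final String STORED_PRINCIPAL = "storedPrincipal";
    static final String STORED_CREDENTIAL = "storedCredential";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        Principal current = httpReq.getUserPrincipal();

        if (current != null) {
            // Protected page: BasicAuthenticator already ran authenticate(),
            // so SecurityAssociation holds principal and credential. Keep a
            // copy in the session for later unprotected requests.
            HttpSession s = httpReq.getSession(true);
            s.setAttribute(STORED_PRINCIPAL, current);
            s.setAttribute(STORED_CREDENTIAL, SecurityAssociation.getCredential());
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = httpReq.getSession(false);
        Principal stored = (session == null) ? null
                : (Principal) session.getAttribute(STORED_PRINCIPAL);
        if (stored == null) {
            chain.doFilter(req, res);   // anonymous user on a public page
            return;
        }

        // Public page hit by a user who logged in earlier: AuthenticatorBase
        // skipped authenticate(), so set the association ourselves.
        SecurityAssociation.setPrincipal(stored);
        SecurityAssociation.setCredential(session.getAttribute(STORED_CREDENTIAL));
        try {
            chain.doFilter(req, res);
        } finally {
            // Request threads are pooled: clear so the next request on this
            // thread does not inherit this user's identity.
            SecurityAssociation.clear();
        }
    }
}
```

Both attributes are needed because the EJB container's security interceptor revalidates principal and credential on each call; since the credential is the user's password, the session holding it must be invalidated on logout and never exposed to client-side storage.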