JAAS bug or tomcat integration?
phantom Mar 30, 2004 8:43 AM
Please explain this to me.
I encountered one interesting bug which prevents me from further development. Please, help me! I wrote a test page. You can use it to understand the problem:
<%@ page import="org.jboss.security.SecurityAssociation, java.io.PrintWriter, javax.security.auth.Subject, java.security.PrivilegedExceptionAction, java.security.AccessControlContext, java.security.AccessController, javax.security.auth.login.LoginContext, javax.security.auth.login.LoginException, java.util.HashMap, java.io.IOException, javax.security.auth.callback.*"%>
<html>
<head>
<title> Security Test </title>
</head>
<body>
<%!
  // Cache of authenticated Subjects per user name, so each user logs in only once
  private HashMap map = new HashMap();

  // Hands the fixed user name and password to the JAAS login modules
  public class MyCallbackHandler implements CallbackHandler {
    private String name = null;
    private String password = null;

    public MyCallbackHandler(String name, String password) {
      this.name = name;
      this.password = password;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
      for (int i = 0; i < callbacks.length; i++) {
        Callback callback = callbacks[i];
        if (callback instanceof PasswordCallback) {
          PasswordCallback pc = (PasswordCallback) callback;
          pc.setPassword(password.toCharArray());
        } else if (callback instanceof NameCallback) {
          NameCallback nc = (NameCallback) callback;
          nc.setName(name);
        }
      }
    }
  }

  // Log the user in against the security domain and return the authenticated Subject
  public Subject getSubject(String user, String password) throws LoginException {
    Subject ret = (Subject) map.get(user);
    if (ret == null) {
      LoginContext lc = new LoginContext("!YOURDOMAIN!", new MyCallbackHandler(user, password));
      lc.login();
      ret = lc.getSubject();
      map.put(user, ret);
    }
    return ret;
  }
%>
Curent sycurity:<br>
request.getUserPrincipal() <%=request.getUserPrincipal()%><br>
SecurityAssociation.getPrincipal() <%=SecurityAssociation.getPrincipal()%><br>
SecurityAssociation.getPrincipal().getClass() <%=SecurityAssociation.getPrincipal().getClass()%><br>
SecurityAssociation.getSubject() <%=SecurityAssociation.getSubject()%><br>
doAs internal:<br>
<%
  final JspWriter outWriter = out;
  Subject.doAs(getSubject("guest", "guest"), new PrivilegedExceptionAction() {
    public Object run() throws Exception {
      outWriter.println("SecurityAssociation.getPrincipal() " + SecurityAssociation.getPrincipal() + "<br>");
      outWriter.println("SecurityAssociation.getPrincipal().getClass() " + SecurityAssociation.getPrincipal().getClass() + "<br>");
      outWriter.println("SecurityAssociation.getSubject() " + SecurityAssociation.getSubject() + "<br>");
      return null;
    }
  });
%>
Curent sycurity:<br>
request.getUserPrincipal() <%=request.getUserPrincipal()%><br>
SecurityAssociation.getPrincipal() <%=SecurityAssociation.getPrincipal()%><br>
SecurityAssociation.getPrincipal().getClass() <%=SecurityAssociation.getPrincipal().getClass()%><br>
SecurityAssociation.getSubject() <%=SecurityAssociation.getSubject()%><br>
doAsPrincipal<br>
<%
  Subject.doAsPrivileged(getSubject("internal", "internal"), new PrivilegedExceptionAction() {
    public Object run() throws Exception {
      outWriter.println("SecurityAssociation.getPrincipal() " + SecurityAssociation.getPrincipal() + "<br>");
      outWriter.println("SecurityAssociation.getPrincipal().getClass() " + SecurityAssociation.getPrincipal().getClass() + "<br>");
      outWriter.println("SecurityAssociation.getSubject() " + SecurityAssociation.getSubject() + "<br>");
      return null;
    }
  }, AccessController.getContext());
%>
</body>
</html>
Where:
!YOURDOMAIN! - your security domain - please change it!
Also, the JSP uses user principals for "guest" with password "guest" and "internal" with password "internal". You can change these user names too to fit your user set.
And as a result of the JSP I got:
Curent sycurity:
request.getUserPrincipal() phantom
SecurityAssociation.getPrincipal() phantom
SecurityAssociation.getPrincipal().getClass() class XXX.security.UserPrincipal
SecurityAssociation.getSubject() Subject: Principal: phantom Principal: Roles(members:all(members),administrators(members),phantom,administrators(members))
doAs internal:
SecurityAssociation.getPrincipal() phantom
SecurityAssociation.getPrincipal().getClass() class XXX.security.UserPrincipal
SecurityAssociation.getSubject() Subject: Principal: phantom Principal: Roles(members:all(members),administrators(members),phantom,administrators(members))
Curent sycurity:
request.getUserPrincipal() phantom
SecurityAssociation.getPrincipal() phantom
SecurityAssociation.getPrincipal().getClass() class XXX.security.UserPrincipal
SecurityAssociation.getSubject() Subject: Principal: phantom Principal: Roles(members:all(members),administrators(members),phantom,administrators(members))
doAsPrincipal
SecurityAssociation.getPrincipal() phantom
SecurityAssociation.getPrincipal().getClass() class XXX.security.UserPrincipal
SecurityAssociation.getSubject() Subject: Principal: phantom Principal: Roles(members:all(members),administrators(members),phantom,administrators(members))
where XXX is my packages and my custom user principal, and "phantom" is my user principal which I used to log on to the system.
And as you can see: doAs didn't affect SecurityAssociation!!! Please help me! I need doAs because we store user parameters in an entity EJB and I need to have access to these EJBs from the LoginModule, and I think to use the "internal" user to resolve this problem! Also we need to use SecurityAssociation because in our code there are a lot of simple Java classes (not EJBs or JSP pages) where we use user principals.
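The output above is consistent with Subject.doAs binding the Subject only to the AccessControlContext, while a container thread-local such as SecurityAssociation is left as the container set it. The following is an added example, not code from the post or from JBoss: it models that split with a plain ThreadLocal standing in for SecurityAssociation (an assumption, simplified) and shows where the doAs Subject can actually be read, using the same AccessController.getContext() API the post uses (deprecated on recent JDKs).

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class DoAsVsAssociation {

    // Minimal named Principal, constructed for this example.
    static final class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return name; }
    }

    // Stand-in for a container-managed thread-local like JBoss SecurityAssociation
    // (assumption: a per-thread holder the container sets at request authentication
    // and that Subject.doAs never touches).
    static final ThreadLocal<Principal> ASSOCIATION = new ThreadLocal<>();

    // Principal the container associated with the current thread.
    static Principal associationPrincipal() {
        return ASSOCIATION.get();
    }

    // First Principal of the Subject that Subject.doAs bound to the
    // AccessControlContext; null when called outside doAs.
    static Principal doAsPrincipal() {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null || s.getPrincipals().isEmpty()) {
            return null;
        }
        return s.getPrincipals().iterator().next();
    }

    public static void main(String[] args) {
        ASSOCIATION.set(new Named("phantom"));   // what the container did at login
        Subject internal = new Subject();
        internal.getPrincipals().add(new Named("internal"));

        Subject.doAs(internal, (PrivilegedAction<Void>) () -> {
            // The thread-local association still reports the request user.
            System.out.println("association: " + associationPrincipal());
            // The doAs Subject is only visible through the AccessControlContext.
            System.out.println("doAs subject: " + doAsPrincipal());
            return null;
        });
        // Back outside doAs the context carries no Subject.
        System.out.println("after doAs:    " + doAsPrincipal());
    }
}
```

Code that needs the identity established by doAs has to read it from the AccessControlContext (or have the association explicitly pushed for the duration of the call), since nothing in doAs updates the thread-local.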