2 Replies Latest reply on Dec 14, 2004 6:05 PM by tcherel

Subject vs. Principal in a session bean method

tcherel Dec 9, 2004 1:21 PM

As I am workign on some JAAS login modules, I realized that I am spending a lot of time building a complete Subject with a bunch of principal attached to it to represent all the aspect of the user being authenticated.

Ideally, I'd like to access all those details in my EJB session bean code to do finer grained security checks (or even single sign-on to external resources).

The problem is that with my EJB session bean code, I can only access one Principal (through the EJBContext), not the complete Subject that was built at authentication time.

The different options that I can see are as follow:

1) Do something like Subject.getSubject (AccessController.getContext()) in the session bean code to get the subject. It assumes that the app server is calling the bean code with a doAs operation, which, I do not think is the case with JBoss, even if running under a java security manager.

2) Create my own Principal class or may be a Group class that is used in my login module to create the CallerPrincipal. Such class could then have all the information that I might need in my code.

3) Some kind of other mechanism to access the authenticated subject for each request.

Any suggestions/ideas on the best way to do that?

Thanks.

Thomas

1. Re: Subject vs. Principal in a session bean method

starksm64 Dec 14, 2004 1:14 AM (in response to tcherel)

Use a custom security interceptor to establish the Subject with the thread via the Subject.doAs() call.
Actions
2. Re: Subject vs. Principal in a session bean method

tcherel Dec 14, 2004 6:05 PM (in response to tcherel)

Ok. Thanks for the answer.

Thomas
Actions

Go to original post