Cascading authentication
nlmarco Dec 30, 2004 12:33 AM

Hello *,
JBoss is really great, but I still got a problem:
After hours of analyzing the sources and stepping through them, I figured out pretty much how JBoss manages authentication. I was able to write my own Interceptor and my own LoginModule. Now nearly everything works as it should, but I don't know how to get some information from the InitialContext properties HashMap into the InvocationContext HashMap. Do I need to inherit from the ProxyFactory or override the NamingContextFactory, or is there an easier way? Please give me a hint.
Or am I maybe completely on the wrong track?
Here's my scenario: A user logs in to a server and calls a SessionBean's method. This method should be able to login to a different server (or sometimes the same), but with a different user name and a different password. In the next bean method another delegation can happen. Thus, I need a cascading authentication.
I first thought JBoss would do that already, but unfortunately it doesn't: if I simply work with a LoginContext, it doesn't do what I need:

```java
import javax.security.auth.login.LoginContext;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

class ABean {
    public void delegateToB() throws Exception {
        // Log in as the delegated user; JBoss binds this principal to the current thread
        LoginContext lc = new LoginContext("myApp",
                new UsernamePasswordHandler(userDescriptor.userName,
                        userDescriptor.password.toCharArray()));
        lc.login();

        B b = BUtil.getHome(getProperties()).create();
        b.doAsDifferentUser();
        b.remove();

        lc.logout();

        // Should run as the original caller again, but the thread is no longer authenticated
        C c = CUtil.getHome().create();
        c.doAsOriginalUser();
        c.remove();
    }
}
```
In this example, I cannot work with the "C" bean anymore, because I'm not authenticated. And if I omit the lc.logout(), it tries to execute c.doAsOriginalUser with the wrong user (the one for B).
After some time I found out that JBoss manages only one current principal in the current thread using SecurityAssociation. Thus, I wrote a client interceptor which creates an additional thread, performs the authentication on the new thread and invokes the other interceptors there. This works fine, but the problem now is that I don't know in the interceptor which user I should disguise myself as. I saw that there is a Map in InvocationContext and I wonder how I can transfer this information from my InitialContextFactory (the factory knows which server it should connect to as which user) to the interceptor.
I hope that this posting is understandable even though it's already very late and I'm really tired [;)]
Please help!
Best regards, Marco [;)]
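The separate-thread approach the post describes, written out as an added example that is not part of the original post and not JBoss code. It uses the standard JAAS LoginContext and the UsernamePasswordHandler already shown in the post; the helper class DelegatedCall, its Action interface and the bean names ABean, B, BUtil and userDescriptor are assumptions taken from or modelled on the post. Because the login happens on a worker thread, the thread-bound principal of the calling thread is left untouched, so the original caller's identity is still in place after the delegated call returns.

```java
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

/**
 * Runs an action on a fresh thread under its own JAAS login, so the
 * per-thread principal of the caller is never overwritten.
 * Hypothetical helper written for this example, not part of JBoss.
 */
public class DelegatedCall {

    /** Work to perform as the delegated user. */
    public interface Action {
        Object run() throws Exception;
    }

    public static Object runAs(final String securityDomain, final String user,
                               final char[] password, final Action action)
            throws Exception {
        final Object[] result = new Object[1];
        final Throwable[] failure = new Throwable[1];

        Thread worker = new Thread(new Runnable() {
            public void run() {
                LoginContext lc = null;
                boolean loggedIn = false;
                try {
                    // login() binds the delegated principal to THIS thread only
                    lc = new LoginContext(securityDomain,
                            new UsernamePasswordHandler(user, password));
                    lc.login();
                    loggedIn = true;
                    result[0] = action.run();
                } catch (Throwable t) {
                    failure[0] = t;
                } finally {
                    // Always drop the delegated identity, even if the action failed
                    if (loggedIn) {
                        try { lc.logout(); } catch (LoginException ignored) { }
                    }
                }
            }
        }, "delegated-call-" + user);

        worker.start();
        worker.join();   // block until the delegated work has finished

        if (failure[0] instanceof Exception) throw (Exception) failure[0];
        if (failure[0] != null) throw new RuntimeException(failure[0]);
        return result[0];
    }
}

// Usage inside ABean.delegateToB() (assumed names from the post):
// B runs as the delegated user on the worker thread, while C afterwards
// still sees the original caller's principal on the bean's own thread.
class ABeanDelegationExample {
    void delegateToB(final UserDescriptor userDescriptor) throws Exception {
        DelegatedCall.runAs("myApp", userDescriptor.userName,
                userDescriptor.password.toCharArray(), new DelegatedCall.Action() {
                    public Object run() throws Exception {
                        B b = BUtil.getHome(getProperties()).create();
                        try {
                            b.doAsDifferentUser();
                        } finally {
                            b.remove();
                        }
                        return null;
                    }
                });

        C c = CUtil.getHome().create();   // original caller's identity is intact here
        c.doAsOriginalUser();
        c.remove();
    }

    // Placeholder for the JNDI properties the post's BUtil.getHome() takes
    java.util.Properties getProperties() { return new java.util.Properties(); }
}

/** Stand-in for the post's userDescriptor type (assumed). */
class UserDescriptor {
    String userName;
    String password;
}
```

Two caveats worth keeping in mind with this design: the worker thread does not carry the caller's JTA transaction, since transaction association is also thread-bound, so the delegated call runs outside the caller's transaction; and the example only covers "run as a different user", not the second part of the question (getting the target user from the InitialContext properties into the InvocationContext Map), which still needs a hook in the proxy or naming layer.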