5 Replies Latest reply on May 26, 2005 2:20 PM by nmuralid

    JAAS Subject Based Authorization

    nmuralid
    nmuralid May 20, 2005 9:29 AM

      My application does Subject-based JAAS authorization calls in a standard way (Subject.doAsPriv + checkPermission). I'm looking at porting such an application into JBoss

      What APIs must I use to get hold of the current Subject in an EJB / WebApp?

      Is there any configuration using which the Subject may be set in the current AccessControlContext by the container? (I'd like my App to be AppServer- agnostic as far as possible)

      Thanks,
      Nitya

      • 2129 Views
      • Tags:
        • 1. Re: JAAS Subject Based Authorization
          nmuralid
          nmuralid May 23, 2005 5:01 AM (in response to nmuralid)

          Looks like setting "SubjectAttributeName" works for a Servlet, is there something similar for EJBs?

            • Actions
          • 2. Re: JAAS Subject Based Authorization
            juha May 25, 2005 2:51 PM (in response to nmuralid)

            You should be able to look up the current active Subject from an EJB's private name space, look under java:comp with JNDIView for a secured EJB.

              • Actions
            • 3. Re: JAAS Subject Based Authorization
              nmuralid
              nmuralid May 25, 2005 6:45 PM (in response to nmuralid)

              Thanks for the reply

              I tried this using chap8-ex2 from the JBoss Guide. JNDIView only shows me the following

              ======================================
              java:comp namespace of the EchoBean2 bean:

              +- env (class: org.jnp.interfaces.NamingContext)
              | +- security (class: org.jnp.interfaces.NamingContext)
              | | +- subject[link -> java:/jaas/chap8-ex2/subject] (class: javax.naming.LinkRef)
              | | +- security-domain[link -> java:/jaas/chap8-ex2] (class: javax.naming.LinkRef)
              =========================================

              If I try
              InitialContext iniCtx2 = new InitialContext();
              Object ref2 = iniCtx2.lookup("java:/jaas/chap8-ex2/subject");

              I get a "jaas not bound" exception.

              If I deploy without any security-domain, JNDIView just brings up the EJB without any Subject references :

              ========================
              java:comp namespace of the EchoBean2 bean:

              +- env (class: org.jnp.interfaces.NamingContext)
              ==============================

              What am I missing here ?

              Thanks

                • Actions
              • 4. Re: JAAS Subject Based Authorization
                juha May 25, 2005 7:26 PM (in response to nmuralid)

                 

                "nmuralid" wrote:

                What am I missing here ?


                The correct lookup name, "java:comp/env/security/subject" ?



                  • Actions
                • 5. Re: JAAS Subject Based Authorization
                  nmuralid
                  nmuralid May 26, 2005 2:20 PM (in response to nmuralid)

                  Get the following exception

                  [java] Exception in thread "main" javax.naming.NameNotFoundException: comp not bound
                  [java] at org.jnp.server.NamingServer.getBinding(NamingServer.java:491)
                  [java] at org.jnp.server.NamingServer.getBinding(NamingServer.java:499)


                  Btw, I'm trying this on JBoss 4.0.1 on linux with the default server configuration.

                  How do I get this to work? Is there a different set of examples I could try?

                  Thanks,

                    • Actions