4 Replies Latest reply on Sep 11, 2005 6:47 PM by evrim

    Type of Principals: Roles, CallerPrincipal?

    evrim

      Hi,

      I'm using DatabaseLoginModule and have seen RoleGroups. I have put 'Roles' in order for JBoss to load correctly.

      What is the aim of the 'other' values of this RoleGroups column? I've seen 'CallerPrincipal' somewhere on the web. I know there is something like context.getCallerPrincipals() inside my EJB3 session beans. Are they the same?

        • 1. Re: Type of Principals: Roles, CallerPrincipal?

          Well I have another related question.

          It's possible to inject SessionContext and call getCallerPrincipal(). This way an EJB3 SLSB can find out who is calling the method.

          @Resource
          javax.ejb.SessionContext ctx;
          


          So,

          If we defined an application-policy for each of our web modules (and also defined security-domain in jboss-web.xml) and want to make a programmatic decision in our SLSBs, how can we learn which securityDomain we're in?

          Example to be implemented:

          <application-policy name="evrim">
          ...
          </application-policy>
          
          <application-policy name="aycan">
          ...
          </application-policy>
          


          @Stateless
          @Local( { CoreService.class })
          public class CoreServiceBean implements CoreService {
           public void decide() {
            /* do only for evrim */
            // if ("evrim".equals(securityDomain.toString())) {
            //   doPrivilegedWork();
            // } else {
            //   throw new SecurityException();
            // }
           }
          }

          • 2. Re: Type of Principals: Roles, CallerPrincipal?
            evrim

            Hi,

            CallerPrincipals seem to be the same as what the EJB3 spec says in chapter 16.

            Lets assume we've got three security domains,

            for web app 1: java:/jaas/war1,
            for web app 2: java:/jaas/war2,
            for slsb's : java:/jaas/ear
            


            Each of them has login modules loading roles X and Y; also, the jaas/war1 security domain's login module loads CallerPrincipal as war1, just as jaas/war2 does as war2.

            Now, I'm logging in to webapp1; my login module loads my username as the username principal and war1 as the CallerPrincipal. Also, now I have roles X and Y.

            Then I sign in to webapp2 as the same user; now my login module does the same thing but loads war2 as the CallerPrincipal.

            Finally, if everything goes correctly (sigh), the war1 servlet calls my SLSB beans' methods.

            The question is, will javax.ejb.SessionContext.getCallerPrincipal() return 'war1'?
            Does this method allow us to distinguish the two webapps from each other?

            We're considering using single sign-on. What will the CallerPrincipal be if sessions are replicated across several webapps?

            • 3. Re: Type of Principals: Roles, CallerPrincipal?
              evrim

              OK. I've done some research about SSO and tried to use SSO with Tomcat's valve (not the clustered one).

              The Tomcat valve documentation summarizes its properties, and the requireReauthentication property is:


              requireReauthentication

              Default false. Flag to determine whether each request needs to be reauthenticated to the security Realm. If "true", this Valve uses cached security credentials (username and password) to reauthenticate to the Realm each request associated with an SSO session. If "false", the Valve can itself authenticate requests based on the presence of a valid SSO cookie, without rechecking with the Realm.


              This property is very interesting for our purposes; it seems that if two webapps lie in the same engine, the session can be replicated, and when the host is changed, the valve can do reauthentication.

              Since I'm considering changing the CallerPrincipal across domains, this can make my idea work, unless it does re-authentication when the user goes back to the previous domain.

              On the other hand, I've seen JOSSO for JBoss. It seems it does SSO with security-domain distinction. Unfortunately, I'm not in favor of using an external authentication mechanism.

              Need to try first, 0xff, that's gonna hurt my brain :(

              • 4. Re: Type of Principals: Roles, CallerPrincipal?
                evrim

                Hi,

                After several hours of a "Live and Learn" session, we've failed. I'm summarizing:

                We've loaded the correct Roles and CallerPrincipal successfully into webapp1 inside the security domain java:/jaas/webapp1. But when it calls any EJB, the EJB security domain (java:/jaas/ear) re-authenticates. And since the ear's login module has no domain information about the caller, it dismissed the previous roles and role groups.

                As a result, it seems the JBoss security domain is not useful this time. We couldn't make our EJBs distinguish the two webapp callers.
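As an added example (not from the thread or from JBoss itself), here is a constructed schema showing what the two RoleGroup values asked about in the opening post do when read by the DatabaseServerLoginModule: rows in the 'Roles' group become the caller's roles, and a row in the 'CallerPrincipal' group becomes the principal returned by SessionContext.getCallerPrincipal(). It assumes the module's default principalsQuery/rolesQuery shape and adds a constructed Domain column so that the war1 and war2 application-policies from reply 2 can each set a rolesQuery filtered to their own domain; the EJB-side re-authentication problem described in reply 4 is not addressed here.

```sql
-- Constructed sample schema for the JBoss DatabaseServerLoginModule.
-- Default queries (override per application-policy in login-config.xml):
--   principalsQuery: select Password from Principals where PrincipalID=?
--   rolesQuery:      select Role, RoleGroup from Roles where PrincipalID=?
CREATE TABLE Principals (
    PrincipalID VARCHAR(64) NOT NULL PRIMARY KEY,
    Password    VARCHAR(128) NOT NULL      -- store a hash, never plaintext
);

CREATE TABLE Roles (
    PrincipalID VARCHAR(64) NOT NULL REFERENCES Principals(PrincipalID),
    Role        VARCHAR(64) NOT NULL,      -- role name, or the principal name
    RoleGroup   VARCHAR(16) NOT NULL,      -- 'Roles' or 'CallerPrincipal'
    Domain      VARCHAR(16)                -- constructed: which webapp policy
);

INSERT INTO Principals VALUES ('evrim', '<PASSWORD_HASH_PLACEHOLDER>');

-- 'Roles' group: authorization roles X and Y, shared by both webapps.
INSERT INTO Roles VALUES ('evrim', 'X', 'Roles', NULL);
INSERT INTO Roles VALUES ('evrim', 'Y', 'Roles', NULL);

-- 'CallerPrincipal' group: exactly one row per domain. The login module
-- uses this member, instead of the login name, as the caller principal.
INSERT INTO Roles VALUES ('evrim', 'war1', 'CallerPrincipal', 'war1');
INSERT INTO Roles VALUES ('evrim', 'war2', 'CallerPrincipal', 'war2');

-- rolesQuery for the java:/jaas/war1 policy (the '?' is the login name;
-- the domain literal is baked into that policy's query string):
SELECT Role, RoleGroup
  FROM Roles
 WHERE PrincipalID = 'evrim'
   AND (Domain IS NULL OR Domain = 'war1');
-- Expected rows: (X, Roles), (Y, Roles), (war1, CallerPrincipal)

-- Sanity check: a principal must never have two CallerPrincipal rows in
-- one domain, or the identity the EJB sees becomes ambiguous.
SELECT PrincipalID, Domain, COUNT(*) AS n
  FROM Roles
 WHERE RoleGroup = 'CallerPrincipal'
 GROUP BY PrincipalID, Domain
HAVING COUNT(*) > 1;
```

The war2 policy uses the same query with Domain = 'war2', so the same user authenticating through each webapp is reported to the beans under a different caller principal while keeping the same roles.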