1. Re: Problem with Realms login module and custom principal
j2ee_junkie Jun 12, 2006 9:21 AM (in response to lost_traveller)
lost_traveller,
If all you want is to have a custom principal associated with a Subject, you seem to be doing an awful lot of unnecessary work. Doesn't http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingCustomPrincpalsWith supply what you need?
cgriffith
2. Re: Problem with Realms login module and custom principal
lost_traveller Jun 12, 2006 9:36 AM (in response to lost_traveller)
Yeah, that works great if you aren't using a realm; however, the JBossSecurityMgrRealm creates an instance of SimplePrincipal which is then returned by sessionContext.getCallerPrincipal() inside the EJBs.
So it would appear that LoginModule.login() creates the Principal which goes in the HttpServletRequest.getUserPrincipal(), which is fine; and the realm creates the Principal which goes into the EJB layer. How do I get the Principal in LoginModule.login() to go to the EJB layer?
All I want is one instance of MyPrincipal() to be created and this single instance to be returned by both HttpServletRequest.getUserPrincipal() and javax.ejb.SessionContext.getCallerPrincipal().
Thanks again.
3. Re: Problem with Realms login module and custom principal
lost_traveller Jun 12, 2006 11:07 AM (in response to lost_traveller)
Further to this, it would appear someone else had the same problem:
I think I have found why the principal is not propagated. The SessionAssociationValve, that is supposed to propagate the principal from the Web tier to the EJB tier checks the type of the principal and only sets it on the security association if the principal is a JBossGenericPrincipal
see http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3897413
4. Re: Problem with Realms login module and custom principal
j2ee_junkie Jun 12, 2006 2:14 PM (in response to lost_traveller)
As far as I can tell, if you follow the JBoss server guide chapter 8 as I already recommended (http://www.jboss.com/index.html?module=bb&op=viewtopic&t=83053) and the wiki already mentioned, you can use a custom principal as "CallerPrincipal". You do not need to implement your own login module, realm, or callback handler. Have you done this? If so, please post some TRACE logging of where this is not working as expected.
thanks, cgriffith
5. Re: Problem with Realms login module and custom principal
lost_traveller Jun 13, 2006 4:13 AM (in response to lost_traveller)
Finally! I've spent 2 weeks trying to get this security with a custom principal working and it finally appears to be working!
That was the break I needed. I did a search and it would appear "CallerPrincipal" is some kind of internal static variable; the clue was here:
"The CallerPrincipal role set consists of the Principal identity assigned to the user in the application domain. It is used by the EJBContext.getCallerPrincipal() method to allow the application domain to map from the operation environment identity to a user identity suitable for the application. If a Subject does not have a CallerPrincipal role set then the application identity is that of the operational environment identity."
see http://www.huihoo.com/jboss/online_manual/3.0/ch09s17.html
So the reason why EJBContext.getCallerPrincipal() was returning the SimplePrincipal (the operational environment identity) that was created by JBossSecurityMgrRealm was because MyLoginModule was not adding the Principal to a Group called "CallerPrincipal".
The solution was to flip the realm back to the JBossSecurityMgrRealm and use my own login module which extends UsernamePasswordLoginModule and returns the identity in a group called CallerPrincipal, i.e.:

    import java.security.Principal;
    import java.security.acl.Group;
    import javax.security.auth.login.LoginException;
    import org.jboss.security.SimpleGroup;
    import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

    public class MyLoginModule extends UsernamePasswordLoginModule {
        private Principal identity;

        public boolean login() throws LoginException {
            // ... (credential handling elided in the original post)
            identity = new MyPrincipal(username);
            // ...
        }

        // Returning the identity inside a group named "CallerPrincipal" is what makes
        // EJBContext.getCallerPrincipal() hand back MyPrincipal instead of the realm's SimplePrincipal.
        public Group[] getRoleSets() {
            SimpleGroup callerPrincipal = new SimpleGroup("CallerPrincipal");
            callerPrincipal.addMember(identity);
            return new Group[] { callerPrincipal };
        }
    }
So the Principal created in the LoginModule is now returned by both HttpServletRequest.getUserPrincipal() and EJBContext.getCallerPrincipal().
Thanks for all your help, hope this can help someone else one day.
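As an added illustration of the CallerPrincipal rule quoted in the post above (this is example code, not JBoss's own implementation or the poster's): a stand-alone mock of how the application identity is resolved from a Subject. MockGroup stands in for org.jboss.security.SimpleGroup, and SimplePrincipal/MyPrincipal are constructed stand-ins, so it runs without the JBoss jars. The first case is the situation the thread started with (no CallerPrincipal group, so the EJB tier falls back to the realm's identity); the second is the fix from getRoleSets().

```java
import java.security.Principal;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.Subject;

// Hypothetical stand-in for JBoss's SimpleGroup: a Principal that holds members.
class MockGroup implements Principal {
    private final String name;
    private final Set<Principal> members = new LinkedHashSet<>();
    MockGroup(String name) { this.name = name; }
    public String getName() { return name; }
    void addMember(Principal p) { members.add(p); }
    Set<Principal> members() { return members; }
}

// Constructed stand-ins: the realm's identity type and the custom one from the thread.
record SimplePrincipal(String name) implements Principal { public String getName() { return name; } }
record MyPrincipal(String name) implements Principal { public String getName() { return name; } }

public class CallerPrincipalDemo {
    // Rule from the quoted manual text: if the Subject carries a group named
    // "CallerPrincipal", its member is the application identity; otherwise the
    // operational-environment identity (what the realm created) is returned.
    static Principal resolveCallerPrincipal(Subject subject, Principal operationalIdentity) {
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof MockGroup g && "CallerPrincipal".equals(g.getName())) {
                for (Principal member : g.members()) return member;
            }
        }
        return operationalIdentity;
    }

    public static void main(String[] args) {
        Principal realmIdentity = new SimplePrincipal("alice");

        // Case 1: the login module never populated a CallerPrincipal group, so the
        // EJB tier only ever sees the realm's SimplePrincipal.
        Subject without = new Subject();
        without.getPrincipals().add(realmIdentity);
        System.out.println("without group: " + resolveCallerPrincipal(without, realmIdentity));

        // Case 2: getRoleSets() put MyPrincipal into a "CallerPrincipal" group, so the
        // EJB tier sees the custom principal, the same instance the web tier got.
        Subject with = new Subject();
        with.getPrincipals().add(realmIdentity);
        MockGroup callerPrincipal = new MockGroup("CallerPrincipal");
        callerPrincipal.addMember(new MyPrincipal("alice"));
        with.getPrincipals().add(callerPrincipal);
        System.out.println("with group: " + resolveCallerPrincipal(with, realmIdentity));
    }
}
```

Requires Java 16 or later for records and pattern-matching instanceof.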