1. Re: how to enable IdentityTrust for ejbs?
duane3 Jun 24, 2010 2:09 AM (in response to duane3)
Here is the background:
We need to develop a runas API on JBoss which accepts a user name as input:
    SubjectSecurity.executeAs(String username, PrivilegedAction<T> action);
There is no such API on JBoss so we decide to create it ourselves.
In the method above, we construct a JBoss subject based on the user name, create a new security context and set it as the current security context, and save the subject in the current security context.
Now comes the problem: on accessing a secure ejb from the passed-in PrivilegedAction object, authorization fails. I specified the role mapping in jboss.xml (see http://community.jboss.org/wiki/MappingRolesinJBossApplicationServerv5x) and the role was granted access to the ejb in ejb-jar.xml.
I checked JBoss's source code. On accessing an ejb, before authorization, JBoss validates the current security context first. The security context is validated like this:
    isValid = validate current security context using current identity trust manager;
    if (!isValid) {
        invoke JAAS login(principal from current security context, credential from current security context);
    }
For ejbs, the current identity trust manager is always null because by default the IdentityTrust feature is disabled in JNDIBasedSecurityManagement. So isValid is false. There is no credential in the current security context, and so the JAAS login fails, too.
I have two approaches:
approach 1: implement a custom identity trust module to validate the security context
approach 2: save the credential in the security context
Approach 2 is simpler. However, as there is no credential/password from the user's input, I need to fetch the credential from identity stores (usually LDAP servers). For some types of LDAP servers, fetching users' credentials is forbidden.
So approach 1 is the only choice.
Now the problem is that the IdentityTrust feature is disabled by default in JNDIBasedSecurityManagement, which is used for ejbs, and it looks to me like there is no way to enable it.
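The following is an added example, not code from the post or from JBoss, sketching what "approach 1" looks like: the executeAs() method described above together with a custom identity trust module. The package name, the security-domain name "other", the ExecuteAsMarker class and the login-config snippet are assumptions, and so are the JBoss SPI names used (IdentityTrustModule, IdentityTrustManager.TrustDecision, SecurityContextAssociation, SecurityContextFactory, SecurityContextUtil.createSubjectInfo/getSubject); verify them against your server's jboss-security jars. Whether the ejb container actually consults the identity-trust stack is the open question of the post, and this code does not settle it.

```java
package example.security; // hypothetical package name

import java.security.PrivilegedAction;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;

import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SecurityContextFactory;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.identitytrust.IdentityTrustException;
import org.jboss.security.identitytrust.IdentityTrustManager.TrustDecision;
import org.jboss.security.identitytrust.IdentityTrustModule;

/**
 * Added example (not the original poster's code): executeAs() plus a custom
 * identity trust module. JBoss class/method names are assumptions about the
 * JBoss 5 security SPI; check them against your jboss-security jars.
 */
public final class SubjectSecurity {

    /** Hypothetical security-domain name; use the one referenced by your jboss.xml. */
    private static final String SECURITY_DOMAIN = "other";

    /**
     * Marker credential that only this class can construct. A Subject carrying it
     * was built by executeAs(); that, not the mere presence of a user name in the
     * context, is what the trust module accepts.
     */
    private static final class ExecuteAsMarker {
        private ExecuteAsMarker() { }
    }

    private SubjectSecurity() { }

    /** Run {@code action} as {@code username}; no password is involved. */
    public static <T> T executeAs(String username, PrivilegedAction<T> action) {
        if (username == null || username.isEmpty()) {
            throw new IllegalArgumentException("username required");
        }
        SimplePrincipal principal = new SimplePrincipal(username);
        Subject subject = new Subject();
        subject.getPrincipals().add(principal);
        subject.getPrivateCredentials().add(new ExecuteAsMarker());

        SecurityContext previous = SecurityContextAssociation.getSecurityContext();
        SecurityContext ctx;
        try {
            // Assumed SPI: create a context for the domain, store the subject and no credential.
            ctx = SecurityContextFactory.createSecurityContext(SECURITY_DOMAIN);
            ctx.getUtil().createSubjectInfo(principal, null, subject);
        } catch (Exception e) {
            throw new IllegalStateException("cannot create security context", e);
        }
        SecurityContextAssociation.setSecurityContext(ctx);
        try {
            return Subject.doAs(subject, action);
        } finally {
            // Always restore the caller's context, even when the action throws.
            SecurityContextAssociation.setSecurityContext(previous);
        }
    }

    /**
     * Trust module for approach 1. Assumed registration in login-config.xml under
     * the domain's identity-trust stack:
     *   <identity-trust>
     *     <module code="example.security.SubjectSecurity$TrustModule" flag="required"/>
     *   </identity-trust>
     */
    public static final class TrustModule implements IdentityTrustModule {
        private Subject subject;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject; // assumed: the trust manager passes the context's Subject
        }

        public TrustDecision isTrusted() {
            Subject s = subject;
            if (s == null) { // fall back to the thread's current context (assumed SPI)
                SecurityContext ctx = SecurityContextAssociation.getSecurityContext();
                s = (ctx == null) ? null : ctx.getUtil().getSubject();
            }
            if (s == null || s.getPrincipals().isEmpty()) {
                return TrustDecision.NotApplicable;
            }
            // Permit only Subjects carrying our private marker. Anything else is left to
            // the other modules or to the normal JAAS login, so callers that do present a
            // credential keep working exactly as before.
            boolean marked = !s.getPrivateCredentials(ExecuteAsMarker.class).isEmpty();
            return marked ? TrustDecision.Permit : TrustDecision.NotApplicable;
        }

        public boolean commit() throws IdentityTrustException { return true; }
        public boolean abort() throws IdentityTrustException { return true; }
    }
}
```

The marker is the part worth keeping whatever the exact SPI turns out to be: a trust module that returns Permit for any context that merely contains a principal would let any code able to set a security context act as any user, whereas a private credential created only by executeAs() limits trust to subjects built through that one path. Returning NotApplicable rather than Deny for everything else keeps the existing credential-based login path intact for ordinary callers.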