15 Replies. Latest reply on Sep 26, 2013 8:11 PM by henrikdeluxe
      15. Re: JBoss 7.1 Final authorization with more than username and password
        henrikdeluxe

        Hi Dennis, Hi Darren,

        thanks for your advice! If this were my thread, I would set it to solved and mark your postings as helpful.


        I've worked out both ideas in my dummy projects and both do what they are expected to.

        1. client & server interceptors
          1. login is called on first bean lookup (in order to authenticate for the secured remoting connector)
            --> the login module takes username and password for creating a SimplePrincipal when calling createIdentity
          2. on EJB invocations the client-side interceptor puts the custom principal into the EJBClientInvocationContext
          3. the server-side interceptor retrieves the custom principal and manipulates the SecurityContext's subject as follows:
            final Subject subject = SecurityContextAssociation.getSecurityContext().getUtil().getSubject();
            changeCallerPrincipalFromSubject(subject, customPrincipal); // exchange SimplePrincipal and "CallerPrincipal" group member with my custom principal
          4. whenever calling EJBContext.getCallerPrincipal() in any intercepted EJB it returns my custom principal with all attributes passed by the client via invocation data
            --> everything is fine

        2. specially formatted username
          1. login is called on first bean lookup (in order to authenticate for the secured remoting connector, delegated by the realm to my JAAS login module)
            a) the login module gets the specially constructed username and an ordinary password
            b) my login module overrides the getUsernameAndPassword() method, deconstructs the username, creates my custom principal out of these pieces and stores it as a member variable
            c) my login module overrides createIdentity() and getIdentity() and returns my previously stored custom principal
          2. whenever calling EJBContext.getCallerPrincipal() in any secured EJB it returns my custom principal with all attributes passed by the client inside the username
            --> everything is fine


        Now I'm going to bed and will consult my pillow. Afterwards I will decide which way I implement tomorrow in my real application.

        At first sight the 2nd choice is an ugly hack, but nevertheless it's less complex than using interceptors to modify the subject's principals on every EJB invocation instead of setting them once in the login procedure. From a distance the 2nd option is nearly the same way I've already implemented for my AS 5 application, except for constructing/deconstructing my principal manually.
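        The "specially formatted username" variant described in the post, as an added example (this is not the poster's code and not part of JBoss or PicketBox). It assumes the PicketBox base class org.jboss.security.auth.spi.UsernamePasswordLoginModule with its protected getUsernameAndPassword(), createIdentity(String), getIdentity(), getUsersPassword() and getRoleSets() hooks; the username format ("alice|tenant=acme;locale=de"), the AttributedPrincipal class, the package name and the in-memory user store are all constructed for illustration. The one detail worth attention from a defender's side is that the base username, not the client-chosen composite string, is what the password and role lookups are keyed on, and that the attributes carried inside the username are client-asserted data.

```java
package example.security; // assumed package name

import java.security.Principal;
import java.security.acl.Group;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Login module that decodes extra attributes out of the username and exposes them
 * through a custom principal, so EJBContext.getCallerPrincipal() returns it.
 */
public class AttributedUsernameLoginModule extends UsernamePasswordLoginModule {

    /** Principal carrying attributes beyond the name (constructed for this example). */
    public static class AttributedPrincipal extends SimplePrincipal {
        private static final long serialVersionUID = 1L;
        private final Map<String, String> attributes;

        public AttributedPrincipal(String name, Map<String, String> attributes) {
            super(name);
            this.attributes = Collections.unmodifiableMap(new HashMap<String, String>(attributes));
        }

        public String getAttribute(String key) { return attributes.get(key); }
        public Map<String, String> getAttributes() { return attributes; }
    }

    // Delimiters chosen for this example: "alice|tenant=acme;locale=de"
    private static final String ATTR_SEPARATOR = "|";
    private static final String PAIR_SEPARATOR = ";";
    private static final String KEY_VALUE_SEPARATOR = "=";

    // Constructed in-memory user store; a real module would consult a DB or LDAP.
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    private static final Map<String, String[]> ROLES = new HashMap<String, String[]>();
    static {
        PASSWORDS.put("alice", "s3cret");
        ROLES.put("alice", new String[] { "user" });
    }

    private AttributedPrincipal attributedPrincipal; // stored here, returned by createIdentity/getIdentity
    private String baseUsername;                     // the real account name, without attributes

    @Override
    protected String[] getUsernameAndPassword() throws LoginException {
        String[] info = super.getUsernameAndPassword(); // [username, password] from the callbacks
        String composite = info[0];
        if (composite == null) {
            return info;
        }
        int sep = composite.indexOf(ATTR_SEPARATOR);
        baseUsername = sep < 0 ? composite : composite.substring(0, sep);
        Map<String, String> attrs = sep < 0
                ? Collections.<String, String>emptyMap()
                : parseAttributes(composite.substring(sep + 1));
        attributedPrincipal = new AttributedPrincipal(baseUsername, attrs);
        // Hand the base username back so that the password check and the role lookup
        // are keyed on the real account, not on whatever the client appended.
        return new String[] { baseUsername, info[1] };
    }

    /** Parses "k1=v1;k2=v2"; rejects malformed pairs instead of silently dropping them. */
    static Map<String, String> parseAttributes(String encoded) throws LoginException {
        Map<String, String> attrs = new HashMap<String, String>();
        for (String pair : encoded.split(PAIR_SEPARATOR)) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf(KEY_VALUE_SEPARATOR);
            if (eq <= 0) {
                throw new LoginException("malformed attribute in username: " + pair);
            }
            attrs.put(pair.substring(0, eq), pair.substring(eq + 1));
        }
        return attrs;
    }

    @Override
    protected Principal createIdentity(String username) throws Exception {
        return attributedPrincipal != null ? attributedPrincipal : super.createIdentity(username);
    }

    @Override
    protected Principal getIdentity() {
        return attributedPrincipal != null ? attributedPrincipal : super.getIdentity();
    }

    @Override
    protected String getUsersPassword() throws LoginException {
        String expected = PASSWORDS.get(baseUsername);
        if (expected == null) {
            throw new LoginException("unknown user");
        }
        return expected;
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles");
        String[] names = ROLES.get(baseUsername);
        if (names != null) {
            for (String r : names) {
                roles.addMember(new SimplePrincipal(r));
            }
        }
        return new Group[] { roles };
    }
}
```

        The module is registered in the security domain that the remoting realm delegates to, as in the post's setup. Whatever arrives in the attribute part of the username was chosen by the client, so an EJB that reads those attributes off the caller principal should cross-check them against server-side records before letting them influence an authorization decision.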
