1 Reply Latest reply on May 22, 2014 12:23 PM by felipenova

    Custom principal is not propagated to ejb session context (resteasy3 + oauth)

    marcel.rovira

      Hello,

      I'm using RESTEasy 3.0.1.Final with OAuth on JBoss EAP 6.1, and my custom principal class is not propagated to the SessionContext in an EJB3.
      OAuth is configured as BearerTokenAuthenticator.

      My login-module configuration in standalone.xml, using the extended login module:

      <login-module code="es.gc.epsilon.secure.api.shared.resources.MyDatabaseServerLoginModule" flag="required">
        <module-option name="dsJndiName" value="java:jboss/datasources/EpsilonXADS"/>
        <module-option name="principalsQuery" value="select PASSWORD from EP_USER where name=?"/>
        <module-option name="rolesQuery" value="select ROLE_NAME, 'Roles' from EP_USER_ROLE where USER_NAME = ?"/>
        <module-option name="hashAlgorithm" value="MD5"/>
        <module-option name="hashEncoding" value="base64"/>
        <module-option name="unauthenticatedIdentity" value="guest"/>
      </login-module>

      My DatabaseServerLoginModule:

      public class MyDatabaseServerLoginModule extends DatabaseServerLoginModule {

        @Override
        protected java.security.Principal createIdentity(String username) throws Exception {

          System.out.println("createIdentity BEGIN");

          MyCustomPrincipal p = null;
          if (principalClassName == null) {
            p = new MyCustomPrincipal(username);
          } else {
            p = (MyCustomPrincipal) super.createIdentity(username);
          }

          return p;
        }
      ...

      My custom principal:

      public class MyCustomPrincipal extends SimplePrincipal implements Serializable {

        private static final long serialVersionUID = 1L;

        private String tenant;

        public MyCustomPrincipal(String name) {
          super(name);
          // TODO Auto-generated constructor stub
        }
      ...

      My OAuth server configuration:

      jboss-web.xml
      <jboss-web>
          <security-domain>java:/jaas/jaasEpsilon</security-domain>
          <valve>
              <class-name>org.jboss.resteasy.skeleton.key.as7.OAuthAuthenticationServerValve</class-name>
          </valve>
      </jboss-web>

      My REST API project configuration:

      web.xml

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>jaasEpsilon</realm-name>
      </login-config>

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>All resources</web-resource-name>
          <description>Protects all resources</description>
          <url-pattern>/api/secure/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name>
          <role-name>employee</role-name>
        </auth-constraint>
      </security-constraint>

      <context-param>
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
      </context-param>

      jboss-deployment-structure.xml


      <jboss-deployment-structure>
          <deployment>
              <dependencies>
                  <module name="org.jboss.resteasy.resteasy-jaxrs" services="import"/>
                  <module name="org.jboss.resteasy.resteasy-jackson-provider" services="import"/>
                  <module name="org.jboss.resteasy.skeleton-key"/>
              </dependencies>
          </deployment>
      </jboss-deployment-structure>


      jboss-web.xml
      <jboss-web>
          <valve>
              <class-name>org.jboss.resteasy.skeleton.key.as7.BearerTokenAuthenticatorValve</class-name>
          </valve>
      </jboss-web>

      From an EJB I extract the principal info as follows:

      @Resource(name = "sessionContext")
      private SessionContext sctx;
      ...
      Principal principal = sctx.getCallerPrincipal();

      if (!(principal instanceof MyCustomPrincipal)) {
        System.out.println("I expected a " + MyCustomPrincipal.class.getName() + " but got a "
          + principal.getClass().getName() + " instead !!!!!!");
      }

      and the result is:

      I expected a es.gc.epsilon.secure.api.shared.resources.MyCustomPrincipal but got a org.jboss.resteasy.skeleton.key.SkeletonKeyPrincipal instead

      Is this a bug, is there another way to retrieve the caller principal, or is there something wrong in my configuration?

      Thanks.
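The following is an added example (editor's code, not the poster's or the RESTEasy project's) of one way to obtain the tenant inside the EJB without casting the caller principal to MyCustomPrincipal, so the bean still fails closed when the bearer-token valve presents a different Principal implementation such as SkeletonKeyPrincipal. It assumes a hypothetical TenantAwareBean, a getTenant() accessor on MyCustomPrincipal (not shown in the post), and a constructed user-to-tenant map standing in for the EP_USER table.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical bean (added example, not from the original post).
@Stateless
public class TenantAwareBean {

    @Resource(name = "sessionContext")
    private SessionContext sctx;

    // Constructed user-to-tenant table standing in for the EP_USER data;
    // a real bean would read it from the same datasource the login module uses.
    private static final Map<String, String> TENANT_BY_USER = new HashMap<String, String>();
    static {
        TENANT_BY_USER.put("alice", "tenant-a");
        TENANT_BY_USER.put("bob", "tenant-b");
    }

    public String resolveTenant() {
        Principal caller = sctx.getCallerPrincipal();
        if (caller == null) {
            throw new SecurityException("no caller principal");
        }
        return tenantFor(caller);
    }

    // Package-private so it can be exercised outside the container.
    static String tenantFor(Principal caller) {
        // Fast path: the JAAS login module produced our own principal
        // (assumes MyCustomPrincipal exposes a getTenant() accessor).
        if (caller instanceof MyCustomPrincipal) {
            String tenant = ((MyCustomPrincipal) caller).getTenant();
            if (tenant != null) {
                return tenant;
            }
        }
        // Any other Principal (e.g. the SkeletonKeyPrincipal the bearer-token
        // valve presents): derive the tenant from the authenticated name only,
        // never from request parameters or headers.
        String tenant = TENANT_BY_USER.get(caller.getName());
        if (tenant == null) {
            // Fail closed: an unresolved tenant must not silently become a default.
            throw new SecurityException("no tenant mapped for user " + caller.getName());
        }
        return tenant;
    }
}
```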