2 Replies Latest reply on Sep 1, 2009 2:21 PM by John Ament

    Creating very simple login credentials

    John Ament Master

      So I would say I have a flustered security need. Basically, we have an SSO infrastructure, which I call "fake sso" the idea is that we trust from our main portal that the logged in user is in fact who portal is saying it is. We have no need to question to it, and it's been agreed that this is acceptable (not my choice mind you). The SSO solution doesn't work with JAAS, and essentially some data comes in the HTTP request identifying the user. I've looked at the servlet security context but in all honesty it's not going to work for us because:

      1. We need to have a different API for looking up roles (calls a stored procedure based on role name).
      2. The username isn't in the principal of the principal of the request.

      I implemented a custom security context that takes the username in the constructor and calls an EJB to do the stored proc look up of the roles. Seems to work pretty good. However, I can't seem to get my head around how to create an appropriate login context to work with this. One thing to point out is that there is no password anywhere, which is part of the point of this. The apps shouldn't have any idea what the users password is. I get a little confused seeing code like this:

      Subject subject = ...;
      final String workspaceName = ...;
      Session session = (Session) Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Session>() {
       public Session run() throws Exception {
       return repository.login(workspaceName);
       }}, AccessController.getContext());
      


      Because I don't get how to build the subject object.

        • 1. Re: Creating very simple login credentials
          Brian Carothers Apprentice

          You will need to provide a custom implementation of org.jboss.dna.graph.SecurityContext, wrap it in an instance of org.jboss.dna.jcr.SecurityContextCredentials, and pass it in to JcrRepository.login().

          The SecurityContext interface only requires the implementor to have a user name, be able to test for the presence of a role, and invalidate the SecurityContext. It sounds like you have all of those.

          I'm in between meetings, so I apologize for not compile-testing this code, but it would look something like this:

          SecurityContext ctx = /* Instantiate your object here */;
          SecurityContextCredentials creds = new SecurityContextCredentials(ctx);
          Repository repository = /* Reference to your DNA repository */;
          
          Session session = repository.login(creds);
          


          Please let us know if this approach works for you.


          • 2. Re: Creating very simple login credentials
            John Ament Master

            got it, that makes sense. I think the confusing part's that the Credentials interface defines no methods.