Dear everyone,
our Enterprise application contains a number of MBean interfaces which we would like to secure. The MBean interfaces are registered explicitly at the Platform MBean Server so that they are available in JConsole. We do not use a JBoss Service Archive (SAR) deployment. In order to start JConsole I'm using the script delivered with JBoss (which extends the class path for authentication). The JBoss Management interface in standalone.xml is linked to a custom Security Realm, which in turn refers to a custom Security Domain. This Security Domain's JAAS Login is also custom.
When connecting with the JConsole to the JBoss JVM, authentication at our custom Security Domain properly works: Users declared in our domain can connect to the JBoss Management API whereas for others access is denied.
In the MBean method implementations we need to perform authorization and hence we need a JAAS Subject. In the JBoss Security FAQ I found the following recommendation:
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
...
/** The JACC PolicyContext key for the current Subject */
private static final String SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container";
...
// PolicyContext.getContext(...) declares the checked PolicyContextException,
// thrown when no handler is registered for the requested key.
Subject caller = null;
try {
    caller = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
} catch (PolicyContextException e) {
    throw new IllegalStateException("No JACC handler for " + SUBJECT_CONTEXT_KEY, e);
}
After some experiments it seems that the caller Subject is always null, even though our Security Domain is definitely used for authentication when the connection to the MBean is established.
Can you possibly point me to some documentation that explains how to obtain the authenticated Subject? It seems to me that the above recommendation is no longer valid for JBoss 7.
Otherwise, I would appreciate any feedback or shared experiences.
Thanks and best regards,
-Rainer
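An added example (not code from the JBoss FAQ or from this thread) of how an MBean operation could resolve the caller and fail closed when no Subject can be found. It assumes two things that are not confirmed by the post: that, when the JACC PolicyContext lookup yields null, a standard JMX connector server invokes the MBean inside Subject.doAs so the Subject is reachable from the AccessControlContext, and that roles arrive as members of a Group principal named "Roles" (the usual JBoss login-module convention). The MBean name, the "ConfigAdmin" role and the reloadConfig operation are hypothetical.

```java
// --- SecuredConfigMBean.java (hypothetical standard MBean interface) ---
import java.security.AccessController;
import java.security.Principal;
import java.security.acl.Group;          // present on the Java 6/7 runtimes JBoss 7 targets
import java.util.Enumeration;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;

public interface SecuredConfigMBean {
    void reloadConfig();
}

// --- SecuredConfig.java ---
public class SecuredConfig implements SecuredConfigMBean {

    private static final String SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container";

    /** Resolve the caller: JACC PolicyContext first, then the Subject bound to the AccessControlContext. */
    static Subject currentSubject() {
        try {
            Subject s = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
            if (s != null) return s;
        } catch (PolicyContextException e) {
            // No JACC handler registered for this key: fall through to the JMX path.
        }
        // Assumption: the JMX connector runs the invocation inside Subject.doAs(...).
        return Subject.getSubject(AccessController.getContext());
    }

    /** Assumption: roles are members of a Group principal named "Roles". */
    static boolean hasRole(Subject subject, String role) {
        if (subject == null) return false;                       // no Subject, no roles
        for (Group g : subject.getPrincipals(Group.class)) {
            if (!"Roles".equals(g.getName())) continue;
            for (Enumeration<? extends Principal> e = g.members(); e.hasMoreElements();) {
                if (role.equals(e.nextElement().getName())) return true;
            }
        }
        return false;
    }

    @Override
    public void reloadConfig() {
        Subject caller = currentSubject();
        // Fail closed: an unresolved Subject is treated exactly like a missing role.
        if (!hasRole(caller, "ConfigAdmin")) {
            throw new SecurityException("reloadConfig denied for "
                    + (caller == null ? "unresolved caller" : caller.getPrincipals()));
        }
        // ... privileged work goes here ...
    }
}
```

Logging which of the two lookups actually produced the Subject during a JConsole session is a quick way to see which path JBoss 7 populates for your connector.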