9 Replies Latest reply on Sep 28, 2001 8:42 AM by DeepakShetty

    where does the Principal get created?

    Nathaniel Auvil Newbie


      In order to skirt the limitation of not having a three parameter login form and not being able to invoke the lc.login method from a servlet and hit other secured pages without being prompted to login again, i got feedback from Scott Stark and combine my third parameter with the username field through javascript and parse the text in custom login module.

      So, i can login in. However, if i do a request.getUserPrincipal().getName() it gives me the combined text as the output below shows:


      EJBServlet Accessed
      You have accessed this servlet as user: ssn##java
      The SecuredEJB.echo('Hello') returned: Hello
      ------------------------------------
      request.getUserPrincipal().getName()= ssn##java
      request.isUserInRole( 'echo' )= false
      request.isUserInRole( 'Echo' )= true


      I traced all the code back to the AbstractLoginModule and i do not see any principal object created with that name. Where is it coming from and can i make it just the username?

        • 1. Re: where does the Principal get created?
          William Kaufman Newbie

          The principal is created in the client login module, and propagated across the wire. Why don't you extend the client side stuff? You will have to write another Principal, since the SimplePrincipal used by ClientLoginModule holds only a single string, and yours needs to hold two - the user and ssn. The ssn could be collected by a TextInputCallback.setText() in your callback handler.

          I recall the contributed server-side code also uses a SimplePrincipal, so you'll need to make some extensions/changes there, too.

          • 2. Re: where does the Principal get created?
            Nathaniel Auvil Newbie

            > The principal is created in the client login module,
            > and propagated across the wire. Why don't you extend
            > the client side stuff? You will have to write another
            > Principal, since the SimplePrincipal used by
            > ClientLoginModule holds only a single string, and
            > yours needs to hold two - the user and ssn.

            Yeah that is what i had in mind, but after i traced through the login modules, there is no principal being created anywhere with that username (I am not using 'shared login'. What does that mean? I guess that is jboss specifc? ). I put a println in everywhere a new SimplePrincipal or new Principal gets created and nothing ever gets created with 'ssn##java'; only 'java'. Can you give it a try?


            > The ssn could be collected by a TextInputCallback.setText()in your callback handler.

            This will not work. I tried it and my login fails everytime, unless i take the line including TextInputHandler out of the code; heck nothing comes back from the container, no messages or debug statements or anything. This looks like a bug. It is unclear how the TextInputHandler would even map to a login form anyways. Maybe there should be a HTMLInputHandler class that takes the name of the field as a constructor argument. What if i had two or three or four other values on the login page? How would i distinguish between them?

            The more i see of JAAS in JBoss the more frustrated i get. I am not sure if it is just this implementation or jaas in general. It seems very inflexible.

            1) I can't manually login against the container and have resources available to me other than from the Servlet in which I did the manual login call.

            I should be able to create a login page and have it call my login servlet, do the login, and if successful, have access to any protected resource allowed to me without having to login on every request.


            2) The mapping of callbacks to the form inputs is very unclear. What does the prompt arguement do for a HTML form?











            >
            > I recall the contributed server-side code also uses a
            > SimplePrincipal, so you'll need to make some
            > extensions/changes there, too.

            • 3. Re: where does the Principal get created?
              DeepakShetty Newbie

              not sure if this is what you are looking for
              but in ClientLoginModule
              search for
              SecurityAssociation.setPrincipal(new SimplePrincipal(username));
              i think this is what gets propagated and you can change it to whatever you want
              hope this helps
              bye
              deepak

              • 4. Re: where does the Principal get created?
                Andrew Newbie

                This topic is also very interesting to me.

                Any ideas how really does SecurityAssociation propagate its static principal and credential fieds ?
                I havent found any direct references to SecurityAssociation from any of JBoss JNDI classes (where I guess they supposed to be).
                I want my own ClientLoginModule, not JBoss suplied one, so I just cant continue with Jboss security without understanding this mechanism.

                Regards,
                Andrew.

                • 5. Re: where does the Principal get created?
                  DeepakShetty Newbie

                  only three sources of info afaik
                  1. http://jboss.org/documentation/HTML/index.html chapter9
                  and the howto on jaas chapter 13
                  2. scott starks article on javaworld
                  3. and of course this newsgroup..
                  anyones looked at suns documentation on JAAS ? is it any good?
                  bye
                  deepak

                  • 6. Re: where does the Principal get created?
                    Nathaniel Auvil Newbie

                    > not sure if this is what you are looking for
                    > but in ClientLoginModule
                    > search for
                    > SecurityAssociation.setPrincipal(new
                    > SimplePrincipal(username));

                    Where is this class? I do not see it in CVS. Since it is not imported it must be in the org.jboss.security package. This means it is not portable. I thought the whole idea of using Jaas for authentication and authorization was to be portable?

                    • 7. Re: where does the Principal get created?
                      DeepakShetty Newbie

                      http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/jboss/jbosssx/src/main/org/jboss/security/ is where i found this class..
                      from my limited understanding of jaas(im a vb programmer!) and from the diagram on
                      http://jboss.org/documentation/HTML/ch09s09.html fig9.6 you use the Client\auth.conf login module to bind the data which is sent to the jboss\tomcat login module..
                      bye
                      deepak

                      • 8. Re: where does the Principal get created?
                        Nathaniel Auvil Newbie

                        i dont see a 'SecurityAssociation" source there. Can you take a look?

                        • 9. Re: where does the Principal get created?
                          DeepakShetty Newbie

                          http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/jboss/jboss/src/main/org/jboss/security/ is the link for the security association class
                          the link i gave was for the clientloginmodule class which is what you should be concerned with the principal is being set there with the username