3 Replies Latest reply on Mar 31, 2003 6:33 PM by Mike

    Create Principal and Roles Programmatically

    Christopher Moesel Newbie

I am looking for a way to programmatically (within a webapp) create a Principal and associated Roles for a user and then bind them to the session (so even EJBs will now be able to get the Principal).

Essentially, I want to leverage J2EE principal and role design without needing the actual authentication mechanism. The user name will be derived from a cookie and then the principal will be created off of that.

      Is there a way to do this? Or does this go completely against J2EE design?

        • 1. Re: Create Principal and Roles Programmatically
          Claude Glauser Newbie

Do you have a database?

          Then you can use the
          org.jboss.security.auth.spi.DatabaseServerLoginModule (See getting started docs).

          Create a new user (in the database) with
          the info provided by your cookie and
          authenticate him.

You cannot use roles on the fly
with declarative security
mechanisms of EJBs.

          Hope this helps.

          • 2. Re: Create Principal and Roles Programmatically
            Christopher Moesel Newbie

            Thanks for the suggestion! We do have a database, but the idea here is that if the user has the cookie, we want to authenticate without the need of any user interaction...

            I thought about this idea but could not determine a way to access the cookie from within the login module. If you know a way, I'd be very happy if you could point me in the right direction...

            Basically, the model we're looking for is:

            - first time a user enters a webapp, prompt for username/password and authenticate against LDAP. Then store encrypted version of username in user's cookie.
            - all times after that, if the user comes to the webapp, it decrypts the username from the cookie and looks up the user's roles in the database. It then automatically authenticates the user without the need of the LDAP auth...

The end result is a very weak security model that only requests the username/password from a user the first time they come -- all other visits are transparent.

            Thanks again for your help!


            • 3. Re: Create Principal and Roles Programmatically
              Mike Newbie

              If I understand you correctly, that you want to use the value of a Cookie to authenticate a user, then use those credentials in EJBs that your web tier calls, try this:

              1) In your web tier, create a LoginContext which uses the ClientLoginModule. Here you will have to create a CallbackHandler that inserts the username/password values based on the values of your Cookie.

              2) Create a security domain in your login-config.xml which uses the UserRolesLoginModule. Set up the properties file with the valid usernames/roles that will be carried by your cookie.

              3) Set up your ejb-jar.xml and jboss.xml deployment descriptors for your EJBs to use the security domain listed in step 2.

              Note that the level of authentication here is minimal -- as long as the user has a valid cookie that matches the information in the UserRolesLoginModule properties file, the invocation will pass.

              There are probably more ways to do this, but I hope this helps.
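Step 1 of Mike's recipe in code, as an added example (not from the original thread): a CallbackHandler that feeds the cookie-derived username/password to JBoss's ClientLoginModule via a LoginContext. The cookie names (`auth_user`, `auth_pass`) and the `client-login` application-policy name are assumptions; the EJB-side security domain with UsersRolesLoginModule (step 2) and the ejb-jar.xml/jboss.xml wiring (step 3) are configured separately as Mike describes.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

/** Answers the name/password callbacks issued by ClientLoginModule from cookie values. */
public class CookieCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;

    public CookieCallbackHandler(String username, char[] password) {
        this.username = username;
        this.password = password;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);
            } else {
                throw new UnsupportedCallbackException(cb, "Unsupported callback");
            }
        }
    }

    /** Reads the auth cookies (names assumed) and binds the identity to the calling thread. */
    public static LoginContext loginFromCookies(HttpServletRequest req) throws LoginException {
        String user = null, pass = null;
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if ("auth_user".equals(c.getName())) user = c.getValue();
                else if ("auth_pass".equals(c.getName())) pass = c.getValue();
            }
        }
        if (user == null || pass == null) throw new LoginException("auth cookies missing");
        // "client-login" is assumed to map to org.jboss.security.ClientLoginModule in login-config.xml.
        // ClientLoginModule only stores the principal/credential for the thread; the EJB container's
        // security domain (UsersRolesLoginModule) does the actual validation on each invocation.
        LoginContext lc = new LoginContext("client-login", new CookieCallbackHandler(user, pass.toCharArray()));
        lc.login();
        return lc; // caller should lc.logout() after its EJB calls so the identity does not leak to other requests
    }
}
```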