1 Reply Latest reply on Sep 24, 2003 4:46 AM by Juha Lindfors

    JBossSX / JAAS - Authorization

    Jochen Kressin Newbie

      Hi *,

      After reading the docs and doing some examples, I came to the conclusion that it is not easily possible to use standard JAAS authorization mechanisms with the standard JBoss login modules. Here's the point:

      I started with the UserRolesLoginModule. I created the user.properties and roles.properties and assigned a particular user some roles. The login succeeds and I can fetch the Subject from the LoginContext. Good.
      Now I want to use JAAS authorization mechanisms to check the subject's permissions. I create Permission classes, policy files and all that. I then invoke Subject.doAsPrivileged as described in all JAAS tutorials. The policy file is read, the permission classes instantiated and the checking of the permissions starts as normal.

      Now comes the point:
      JBoss by default puts one principal in the subject which contains the username, and then a java.security.acl.Group which holds all roles (=Principals in JAAS terminology) I defined in roles.properties. BUT: it is not working, because standard JAAS does not expect anything like java.security.acl.Group and does not iterate over the Principals contained in the group, so it does not find the roles I defined in roles.properties and every authorization fails. Here's the snippet from javax.security.auth.SubjectDomainCombiner which associates Principals with SecurityDomains:

      principalSet = subject.getPrincipals();
      principals = (Principal[])principalSet.toArray

      So obviously the way JBoss organizes the Principals does not fit properly in standard JAAS and I cannot use JAAS based authorization so easily. I know that my code should be alright, because if I grant the permission to the name of the user (which is in fact the first principal JBoss puts in the subject) rather than to one of its roles, access is granted as expected.

      I think there are ways to overcome this problem, but I would really appreciate getting some feedback from the community to see if someone was dealing with this problem before, if there is any known solution or if I am completely wrong with my thoughts.

      Thank you for your feedback,

      Jochen
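
One way to bridge the mismatch described in the post, as an added example that is not from the original post or from JBoss: copy the members of the role group into the Subject's top-level principal set before calling Subject.doAsPrivileged, so the policy lookup can see them. `RoleFlattener` and `RolePrincipal` are hypothetical names, the group name (assumed here to be "Roles") is supplied by the caller, and the code needs a JDK that still ships java.security.acl (removed in JDK 14).

```java
import java.security.Principal;
import java.security.acl.Group; // shipped through JDK 13, removed in JDK 14
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

public final class RoleFlattener {

    /** Hypothetical principal type: grants name this class, so a user name can never satisfy a role grant. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "RolePrincipal[" + name + "]"; }
    }

    /** Returns a read-only copy of the subject with each member of the named group added as a top-level RolePrincipal. */
    public static Subject flatten(Subject in, String groupName) {
        Set<Principal> out = new HashSet<>(in.getPrincipals());
        Set<Principal> seen = new HashSet<>();
        for (Principal p : in.getPrincipals()) {
            // Only the role group is flattened; other groups in the subject are left alone.
            if (p instanceof Group && groupName.equals(p.getName())) {
                collect((Group) p, out, seen);
            }
        }
        // Copying credentials needs PrivateCredentialPermission when a security manager is active.
        return new Subject(true, out, in.getPublicCredentials(), in.getPrivateCredentials());
    }

    private static void collect(Group g, Set<Principal> out, Set<Principal> seen) {
        if (!seen.add(g)) return; // nested groups may be cyclic
        for (Enumeration<? extends Principal> e = g.members(); e.hasMoreElements();) {
            Principal m = e.nextElement();
            if (m instanceof Group) collect((Group) m, out, seen);
            else out.add(new RolePrincipal(m.getName()));
        }
    }
}
```

Policy grants would then be written against the RolePrincipal class rather than the principal class the login module uses for the user name, which keeps a user whose name equals a role name from picking up that role's permissions.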