1. Re: Authenticated principal not forwarded to unsecured web re
juha Sep 26, 2003 8:56 AM (in response to aparaapara)

You're going to have to do it programmatically, for instance use an HTTP session to share the principal with unsecured pages.

-- Juha
2. Re: Authenticated principal not forwarded to unsecured web re
aparaapara Sep 26, 2003 11:58 AM (in response to aparaapara)

It does not really end there, I need to have the principal forwarded to my EJB layer in the same fashion that it does today with an authenticated user.

It would be nice if I could write some sort of an interceptor to do this, and then configure my web container to use the new interceptor. I would imagine that in the interceptor I could read the principal and, if it's not null, store it in the session. From then on, if the principal is null and storedPrincipal is not null, I could configure some "Login Context" with my storedPrincipal and make the whole thing "invisible" to the web.

Now, I am just not sure how to do this. Is the above possible? Could someone provide some details as to what I should look at to do this?

Thanks.

-AP_
3. Re: Authenticated principal not forwarded to unsecured web re
juha Sep 26, 2003 12:03 PM (in response to aparaapara)

Servlet filters are the equivalents of interceptors. They're defined in the servlet spec.

-- Juha
4. Re: Authenticated principal not forwarded to unsecured web re
aparaapara Sep 26, 2003 3:27 PM (in response to aparaapara)

So using a filter, what would be the basic steps to getting this user into the "context" so that it gets passed to the EJB layer? I don't need the code, just the basic idea.

Thanks for your help.

-AP_
5. Re: Authenticated principal not forwarded to unsecured web re
juha Sep 27, 2003 7:48 AM (in response to aparaapara)

In the filter you'd need to do a programmatic login with the username and password that you have stored in the session, either using a JAAS login context or accessing JBoss SecurityAssociation directly.

-- Juha
6. Re: Authenticated principal not forwarded to unsecured web re
aparaapara Sep 27, 2003 9:32 AM (in response to aparaapara)

The original problem is that I am already logged in and the security context is not being passed to my WEB pages and EJB(s) when I hit a page which is not secured (public page).

Will doing another login with the JAAS login context or JBOSS SecurityAssociation overcome this problem?

Will the security context somehow be passed to the WEB/EJB layer if I log in for the second time in the filter?

-AP_
7. Re: Authenticated principal not forwarded to unsecured web re
juha Sep 27, 2003 2:40 PM (in response to aparaapara)

No.

The only way to access the security context in a non-secured URL is to pass it explicitly through the HTTP session.

-- Juha
8. Re: Authenticated principal not forwarded to unsecured web re
aparaapara Sep 27, 2003 3:59 PM (in response to aparaapara)

I guess this means that I have to modify all my session/entity beans to explicitly accept a caller object on all the API calls, since entityContext.getCallerPrincipal() will not work for me when an authenticated user is trying to access a public web resource which then calls down to my EJB?

I was hoping not to have to do such a drastic re-write of all the API(s). This means that ALL the methods need to take a caller and always pass it around.

Do you know where the code is which makes the decision whether the Principal needs to be passed or not? Perhaps I can just make a local mod to that code to always pass a principal if there is one?

Thanks for all your help.

-AP_
9. Re: Authenticated principal not forwarded to unsecured web re
juha Sep 30, 2003 4:47 AM (in response to aparaapara)

I haven't looked into the code to see which part applies to passing the principal to an unsecured context. From all the previous discussions it appears that the servlet specification leaves it unclear whether the principal should be passed in the first place.

One option would be to consider a dev.support contract and have Scott Stark do the modification for you. He has looked into the issue previously and would be able to give you more help.

-- Juha
10. Re: Authenticated principal not forwarded to unsecured web re
aparaapara Sep 30, 2003 8:20 AM (in response to aparaapara)

I looked at the code. It seems that there is a Valve called JBossSecurityMgrRealm which actually does the authentication via the authenticate() method. There, if the user/password combination matches, it uses SecurityAssociation.setPrincipal()/setCredential() to configure the "context" which is then used for EJB calls.

The problem is that AuthenticatorBase, on which BasicAuthenticator (which calls on the JBossSecurityMgrRealm) is defined, does not call the authenticate method if the resource is not protected.

Presumably, this was done to optimize the operations. Technically, authentication occurs at every user request, so doing authentication for non-protected pages would seem like a waste of time. Without authenticate() being called, the request is NOT authenticated, thus the SecurityAssociation stuff is not being called and you get a problem of a null Principal on unprotected pages.

One way to "transparently" fix this problem is to create a Tomcat Valve which would always attempt to authenticate. In those cases where the user is accessing protected pages, however, authentication would occur twice.

The other way is to modify the Tomcat code, but I don't feel comfortable doing this yet.

-AP_
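The filter approach from replies 5 and 7, combined with the SecurityAssociation calls identified in reply 10, as an added example that is not code from this thread or from JBoss: a servlet filter mapped to the public URLs that remembers the principal/credential JBoss set during a protected request and re-establishes them, for the duration of one request only, when an unprotected page is hit. It assumes the JBoss 3.x static org.jboss.security.SecurityAssociation API (getPrincipal/getCredential/setPrincipal/setCredential/clear); the class name and session attribute keys are this example's own choices.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.jboss.security.SecurityAssociation;

// Example filter (not part of the thread or of JBoss). Map it to the
// unprotected URL patterns in web.xml so it runs before those servlets/JSPs.
public class PrincipalCarryOverFilter implements Filter {
    // Session attribute names chosen for this example.
    static final String PRINCIPAL_KEY = "carryover.principal";
    static final String CREDENTIAL_KEY = "carryover.credential";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpSession session = hreq.getSession(false);
        boolean restored = false;
        if (hreq.getUserPrincipal() != null) {
            // Protected URL: the authenticator ran and populated
            // SecurityAssociation, so keep a copy for later public requests.
            HttpSession s = hreq.getSession(true);
            s.setAttribute(PRINCIPAL_KEY, SecurityAssociation.getPrincipal());
            s.setAttribute(CREDENTIAL_KEY, SecurityAssociation.getCredential());
        } else if (session != null && session.getAttribute(PRINCIPAL_KEY) != null) {
            // Public URL: authenticate() was skipped (AuthenticatorBase), so
            // re-establish the association on this worker thread ourselves.
            SecurityAssociation.setPrincipal((Principal) session.getAttribute(PRINCIPAL_KEY));
            SecurityAssociation.setCredential(session.getAttribute(CREDENTIAL_KEY));
            restored = true;
        }
        try {
            chain.doFilter(req, res);
        } finally {
            // The thread is pooled: never leave a restored association behind.
            if (restored) SecurityAssociation.clear();
        }
    }
}
```

The stored attributes live as long as the HTTP session, so logout must invalidate the session (or remove both attributes) or public pages keep acting under the old principal.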
However, this method is