3 Replies Latest reply on Mar 30, 2004 11:09 AM by Scott Stark

    Can tomcat authenticated Subject be reused in JBoss EJB call

    neilthorne Newbie


      I have tomcat running standalone and performing authentication using a custom LoginModule.

      The module implementation currently creates an InitialContext object using the username and password supplied to the LoginModule.

      The initial context is then used to look up and call some Realm protected beans in a WLS instance.

      This propagates the user name and password information to my target remote Realm and allows me to reuse this realm for access to web resources - albeit rather awkwardly.

      Moreover I have a big problem when the web container makes subsequent requests - I only have access to the user's username, and I cannot create another InitialContext based on this user.

      Currently all the usernames and passwords are the same to get around this problem!

      What I need to do is somehow store away the InitialContext against the session.

      That way whenever I need to lookup EJBs in JNDI on behalf of a session I can always get at an appropriate InitialContext to do the job.

      Now I'm migrating over to JBoss, I'm trying to find a better way.

      I can't help thinking that if I've done the job of authenticating a Subject based on a Realm in the app server, there should be some way of reusing that Subject via a web session to access the app server's resources. But how?

      This seems like a common requirement to me.

      You want to set up one Realm to define your users, groups and roles, in one place.

      You want to use the LoginModule to provide a Subject which can be used in calls to protected web and ejb tier resources.

      I've seen posts about setting up single sign on for tomcat hosted in JBoss. Can this be achieved with an external tomcat instance?

      thanks for any help..


        • 1. Re: Can tomcat authenticated Subject be reused in JBoss EJB
          Scott Stark Master

          Look at the org.jboss.web.tomcat.security.JBossSecurityMgrRealm to see how it's done with the embedded version.

          • 2. Re: Can tomcat authenticated Subject be reused in JBoss EJB
            neilthorne Newbie

            Thanks for the bootstrap. I've looked around the classes involved and from what I understand of the code....

            I noticed that during the overridden authenticate method on JBossSecurityMgrRealm the Subject created by the LoginContext instance is stored in a SecurityAssociation ThreadLocal instance - I was wondering what became of this Subject?

            I also notice that JBossSecurityMgrRealm also supports tomcat Valve interface (not too sure about Valves but my understanding is they are an interception framework for request/response pipeline).

            My guess is that at some point later, the same thread that had a Subject stored in the SecurityAssociation from the authenticate call also calls the invoke method on the pipeline?

            Is this how the "active" subject for this request is retrieved from SecurityAssociation?

            If the above is true then I can see that the active subject is then stored in the request object. But that will only have a lifetime of the request - so is there a filter or some other interception point where the subject is taken from the request and put in the user's web session?

            If not, how is the authenticated Subject maintained between requests from tomcat?

            • 3. Re: Can tomcat authenticated Subject be reused in JBoss EJB
              Scott Stark Master

              The subject of the http request is obtained from thread local of the SecurityAssociation and added to the ejb request for propagation to the ejb container. This is done by the SecurityInterceptor in the ejb proxy. There is no maintenance of the Subject between requests. The caller is authenticated every time and associated with the thread when the request comes in, and cleared on completion of the request.
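
The per-request lifecycle described in the last reply, as an added sketch that is not part of the thread and is not JBoss code: the caller is authenticated on every request, bound to the worker thread, read by a stand-in for the EJB proxy interceptor, and cleared in `finally` so a pooled thread cannot carry one caller's identity into the next request. `ACTIVE`, `authenticate`, `invokeEjb`, `handleRequest` and the credential check are hypothetical names and constructed values.

```java
import java.security.Principal;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.security.auth.Subject;

public class PerRequestSubjectDemo {
    // Hypothetical stand-in for the thread-local association described above.
    static final ThreadLocal<Subject> ACTIVE = new ThreadLocal<>();

    // Constructed check; a real realm would run a JAAS LoginContext here.
    static Subject authenticate(String user, String password) {
        if (!"s3cret".equals(password)) {
            throw new SecurityException("login failed for " + user);
        }
        Subject subject = new Subject();
        Principal principal = () -> user; // getName() returns the user name
        subject.getPrincipals().add(principal);
        return subject;
    }

    // Stand-in for the EJB proxy interceptor: takes the caller from the thread.
    static String invokeEjb(String method) {
        Subject caller = ACTIVE.get();
        if (caller == null) {
            return method + " -> rejected (no caller on thread)";
        }
        String name = caller.getPrincipals().iterator().next().getName();
        return method + " -> invoked as " + name;
    }

    // One web request: authenticate, associate, call, always clear.
    static String handleRequest(String user, String password, String method) {
        try {
            ACTIVE.set(authenticate(user, password));
            return invokeEjb(method);
        } catch (SecurityException e) {
            return method + " -> " + e.getMessage();
        } finally {
            ACTIVE.remove(); // without this, the pooled thread keeps the caller
        }
    }

    public static void main(String[] args) throws Exception {
        // A single worker thread models a reused container thread.
        ExecutorService worker = Executors.newSingleThreadExecutor();
        System.out.println(worker.submit(() -> handleRequest("alice", "s3cret", "getOrders")).get());
        System.out.println(worker.submit(() -> handleRequest("bob", "wrong", "getOrders")).get());
        System.out.println(worker.submit(() -> invokeEjb("getOrders")).get());
        worker.shutdown();
    }
}
```

The third call runs on the same thread that served alice and is rejected only because `handleRequest` cleared the association; removing the `finally` block makes it run as alice.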