4 Replies Latest reply on Oct 8, 2004 11:59 AM by Subri Shastry

    JBoss Wrapper for Subject.DoAs

    Subri Shastry Newbie

      I am very new to JBoss. We are a Weblogic shop. We use JAAS and want to use Custom Login. I have the documentation on Custom Login.
      My questions are
      1. Which is the wrapper class in JBoss that takes an input Subject that I would get from the LoginContext.login().getSubject() and does a runAs()?
      2. For a Web client, should I save the Subject in the HttpSession or will JBoss, like Weblogic, provide helper methods? Websphere does not provide one.
      3. If I call RunAs or DoAs in the JBoss Wrapper class after a Login (we are using JAAS), should I also call the JBoss Wrapper class.RunAs or DoAs on the Subject?
      Thanks
      Subri

        • 1. Re: JBoss Wrapper for Subject.DoAs
          Scott Stark Master

          Subject.doAs(...) means nothing special to jboss. Just doing the JAAS login with the org.jboss.security.ClientLoginModule enables the association of the authenticated Subject with the caller context. Read the JAAS howto in the user forum to get an overview of how security works in jboss. This post has been moved to that forum.

          • 2. Re: JBoss Wrapper for Subject.DoAs
            Subri Shastry Newbie

            Thanks Scott, I have 2 questions.
            1. I am a web client, I have 2 servlets.
            a. LoginServlet where I invoke the loginContext.login using the ClientLoginModule. This automagically creates a Subject and I need not do any doAs or RunAs and I can access any EJB.
            b. I have a viewOtherScreens Servlet which handles requests from the client for other screens.
            Obviously I do not want to call login() again but want to access the EJB. I may use a pool of threads and hence the login thread may be t1 and now I am in t2 when I went to viewOtherScreens.
            Now question: How does JBoss get my Subject that was authenticated?

            • 3. Re: JBoss Wrapper for Subject.DoAs
              Scott Stark Master

              If the web page is secured then the identity will automatically be used for accessing ejbs. Otherwise, you have to establish the identity via a JAAS login.

              • 4. Re: JBoss Wrapper for Subject.DoAs
                Subri Shastry Newbie

                >>Otherwise, you have to establish the identity via a JAAS login

                Unfortunately we are not using secured access but http. I am not clear what it will take to establish the identity via a JAAS login and propagate that to the JBoss server. Does this mean call login() in each Servlet?
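
Added example, not part of the thread and not JBoss's own code: a minimal sketch of the JAAS login with org.jboss.security.ClientLoginModule that reply 1 describes, with logout in a `finally` block so the identity does not stay bound to a pooled thread. The class name, the `callAs` helper, the "client-login" entry name and the user/password are constructed for illustration, and the JBoss client libraries are assumed to be on the classpath.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

public class ClientLoginExample {

    /** In-code JAAS configuration holding a single ClientLoginModule entry. */
    static Configuration clientLoginConfig() {
        Map<String, String> options = new HashMap<>();
        // Per-thread principal/credential storage, so threads do not share one identity.
        options.put("multi-threaded", "true");
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "org.jboss.security.ClientLoginModule",
                LoginModuleControlFlag.REQUIRED, options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /** Hypothetical helper: bind the identity, run the EJB call, always unbind. */
    static void callAs(String user, char[] password, Runnable ejbCall)
            throws LoginException {
        LoginContext lc = new LoginContext("client-login", null,
                new UsernamePasswordHandler(user, password), clientLoginConfig());
        // ClientLoginModule does not verify the password itself; it only associates
        // the principal and credential with the caller context. The server-side
        // security domain performs the real check when the EJB is invoked.
        lc.login();
        try {
            ejbCall.run();
        } finally {
            lc.logout(); // clear the association before the thread is reused
        }
    }

    public static void main(String[] args) throws LoginException {
        // Constructed credentials; the Runnable stands in for an EJB lookup and call.
        callAs("alice", "constructed-password".toCharArray(),
                () -> System.out.println("EJB call would run here"));
    }
}
```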