Problem solved. I had to modify the Commit method of my login module as follows:
TestGroup roles = new TestGroup("Roles");
TestPrincipal user = new TestPrincipal(username);
Was I blind that I've never seen the need for the first line? It seemed to me that all materials only stated to have the role added as a principal to the subject's principals.
Is the above based on standard j2ee or is this jboss specific?
I'm trying to create a custom Principal too.
I must simply:
1) write my new principal that implements Principal and java.io.Serializable
2) override the AbstractServerLoginModule's commit() method in my new LoginModule with the lines specified in your post
Right? Other steps needed? I must create a Group class too?
Thanks for any help!
Yes, in order to make jboss aware of the role, that was the only solution I could use. The TestGroup class used in the example is a user class, so yes, you will have to code one too.
However, now I'm going further and I'd like to use the roles in struts but it does not recognize them.
I've checked the request.isUserInRole method and it returns false.
Could someone from jboss comment on this? I mean, is it how it should be? Jboss is able to verify my credentials but the request does not know about it?
I'd like to write (maybe with someone with more knowledge) a "Custom Principal HOWTO"...
There are no requirements for the Subject defined in the J2EE specs. We have defined our Subject usage pattern in the online devel guide. The custom principal usage is illustrated in the JBossSX wiki section:
answers the question about struts and about request.isUserInRole
I'm still hesitant to believe that the roles have to be attached to a group that is specifically called "Roles"
If anybody could point to any JAAS/J2EE standards on this, I would very much appreciate it.
Thanks Scott, I only saw your reply after posting mine.
Based on the reference, the way I read it, the requirement to specify roles
"Group roles = new SimpleGroup("Roles");"
is jboss specific.
There is no standard that defines how to use a JAAS Subject for authorization prior to J2EE 1.4 so jboss defined a mechanism that uses a java.security.acl.Group named 'Roles' as the location for the declarative roles. J2EE 1.4 defines a new JACC permission based contract for specifying how to delegate the authorization checks. Support for this exists in jboss-4.0.x.
J2EE 1.4 defines a new JACC permission based contract for specifying how to delegate the authorization checks. Support for this exists in jboss-4.0.x.
How does one use this? I've read all I can find about JACC (the spec, the JBoss wiki, etc.), but I'm still frankly nonplussed.