5 Replies Latest reply on May 26, 2005 2:20 PM by Nitya Murali

    JAAS Subject Based Authorization

    Nitya Murali Newbie

      My application does Subject-based JAAS authorization calls in a standard way (Subject.doAsPriv + checkPermission). I'm looking at porting such an application into JBoss

      What APIs must I use to get hold of the current Subject in an EJB / WebApp?

      Is there any configuration using which the Subject may be set in the current AccessControlContext by the container? (I'd like my App to be AppServer- agnostic as far as possible)

      Thanks,
      Nitya

        • 1. Re: JAAS Subject Based Authorization
          Nitya Murali Newbie

          Looks like setting "SubjectAttributeName" works for a Servlet, is there something similar for EJBs?

          • 2. Re: JAAS Subject Based Authorization
            Juha Lindfors Master

            You should be able to look up the current active Subject from an EJB's private name space, look under java:comp with JNDIView for a secured EJB.

            • 3. Re: JAAS Subject Based Authorization
              Nitya Murali Newbie

              Thanks for the reply

              I tried this using chap8-ex2 from the JBoss Guide. JNDIView only shows me the following

              ======================================
              java:comp namespace of the EchoBean2 bean:

              +- env (class: org.jnp.interfaces.NamingContext)
              | +- security (class: org.jnp.interfaces.NamingContext)
              | | +- subject[link -> java:/jaas/chap8-ex2/subject] (class: javax.naming.LinkRef)
              | | +- security-domain[link -> java:/jaas/chap8-ex2] (class: javax.naming.LinkRef)
              =========================================

              If I try
              InitialContext iniCtx2 = new InitialContext();
              Object ref2 = iniCtx2.lookup("java:/jaas/chap8-ex2/subject");

              I get a "jaas not bound" exception.

              If I deploy without any security-domain, JNDIView just brings up the EJB without any Subject references :

              ========================
              java:comp namespace of the EchoBean2 bean:

              +- env (class: org.jnp.interfaces.NamingContext)
              ==============================

              What am I missing here ?

              Thanks

              • 4. Re: JAAS Subject Based Authorization
                Juha Lindfors Master

                 

                "nmuralid" wrote:

                What am I missing here ?


                The correct lookup name, "java:comp/env/security/subject" ?



                • 5. Re: JAAS Subject Based Authorization
                  Nitya Murali Newbie

                  Get the following exception

                  [java] Exception in thread "main" javax.naming.NameNotFoundException: comp not bound
                  [java] at org.jnp.server.NamingServer.getBinding(NamingServer.java:491)
                  [java] at org.jnp.server.NamingServer.getBinding(NamingServer.java:499)


                  Btw, I'm trying this on JBoss 4.0.1 on linux with the default server configuration.

                  How do I get this to work? Is there a different set of examples I could try?

                  Thanks,