1 Reply Latest reply on Jul 18, 2005 4:10 AM by Thomas Cherel

    Accessing Roles from a Client Application

    Eric Bonnett Newbie

      I'm working on a suite of status and control applications for embedded devices based on JBoss. I want to leverage as much of the built-in security framework as I can. But, I'm having a hard time getting my mind wrapped around the capabilities. I've read the security section in "JBoss 4.0, the Official Guide." And I've played with example 2 in that chapter. On my first read, I thought that the Principal object in the LoginContext in my client would be updated with the information retrieved on the server side by the LoginModule. Specifically, I'd like to be able to query the LoginContext in my client after authentication to retrieve the user's Roles. But, after hacking example 2 a bit, it doesn't look like the client side LoginContext is being updated from the server side. I assume that would happen in a stand-alone JAAS application? But, JBoss hasn't fully implemented that functionality in the client\server architecture? This is unfortunate. In my client applications I want to be able to limit the user's choices in the UI to prevent them from requesting operations they don't have access to. For example, I may have admin users and normal operators. So, I wouldn't want my operators to see a bunch of widgets for admin functions. I'll need the user's list of Roles in the client for this. So, it would be ideal if the Principal in the client's LoginContext were updated with the information gathered by the server-side LoginModule. Is this supposed to happen and I just have a configuration problem? If this feature just isn't implemented, any thoughts towards implementing it some day? I have a few thoughts about a work-around to get what I need. Basically, I'll just have to publish a method from an EJB on the server to retrieve the Roles manually. But, I just wanted to check to make sure I'm not missing something before I go down that road.

      Thanks in advance for any help or suggestions.


        • 1. Re: Accessing Roles from a Client Application
          Thomas Cherel Novice

          You are correct, the client side Subject is not updated to be in "synch" with the server side Subject.
          But there is nothing in JAAS and in the J2EE spec that is saying that it should be.
          For example, WebSphere and WebLogic (I believe) are also not providing such mechanism.
          In all three app server, the client side subject/login context is merly a mechanism to collect user credentials and setup the client security context that will be propagated to the server at each remote invocation (so the server side knows in which context - with which subject/principal - the remote call is made).

          Your best option is to implement what you suggested (a method from an EJB on the server to retrieve roles manually).