Two ways immediately come to mind (assuming you are using Tomcat)...
1.) per servlet spec, call HttpServletRequest's getUserPrincipal() method which, if using Tomcat, will be an instance of org.apache.catalina.realm.GenericPrincipal. This class has a public String getRoles() method that will give you the roles.
2.) another, and in my opinion a better, way is to set the SecurityAssociationValve's subjectAttributeName parameter, which will store the authenticated subject in the session under the configured name. Then you only need to get the subject from the HttpSession.
Let me know if I have not been clear enough, cgriffith
Well the problem persists...
I'm using a standard installation of JBoss 4.0.3 EJB3 version. I didn't change anything about the container.
Using the first option:
request.getUserPrincipal() returned org.jboss.security.SimplePrincipal, and this class doesn't supply me with a getRoles() method.
I'm quite confused about the second option, though I'm interested in storing the subject data in the session rather than in the request - but still I can't understand how to do it... I'd like to have the subject stored in the HttpSession object and later on retrieve the subject's principals and credentials...
Oh yes, I forgot. The CustomPrincipalValve will replace the principal stored in the request with the "CallerPrincipal" added to authenticated subject.
In that case, option 2 sounds better. Look at...
In this xml file you will find a setting called "SubjectAttributeName".
Let me know if you still can not get this going...
You made my day with your solution 2 :-) Thank you very much.
I am a bit unsure about the best way to put principals like email-address etc. into the subject. Chapter 8.4.7 of the JBoss 4.03 documentation says that "User identities (username, social security number, ...) are stored as Principal objects in the Subject Principals set".
The challenge with Principals like org.jboss.security.SimplePrincipal is that there is no key for the type of the user identity. Therefore I made my own class "ValuePrincipal", which has both the default name field and a new field "value". I use the name field as a key.
So I store a new ValueObject("email", "email@example.com") in the principals set. Then I can retrieve my email among all Principals via a key.
Is this the way to do it? Or is there another "key"-concept?
Certainly your method of storing the email will work fine. I prefer to use custom Principals that have meaning by themselves. This is OOD. That is to say, if you create an EmailPrincipal class then your design will be cleaner by looking for the EmailPrincipal principal in the principal set.
Just my $.02. Enjoy and glad I could point you in the right direction,
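As an added example (not code from this thread or from JBoss), here is what option 2 plus the typed-Principal suggestion looks like in one class: a custom EmailPrincipal, a guarded lookup of the Subject from whatever the session attribute holds, and a lookup by Principal class instead of by string key. The attribute name is an assumed placeholder; it must match the SubjectAttributeName you configure on the valve, which the thread does not state.

```java
import java.security.Principal;
import java.util.Optional;
import java.util.Set;
import javax.security.auth.Subject;

// A Principal whose type carries the meaning, so callers search the Subject's
// principal set by class rather than by a name-as-key convention.
public final class EmailPrincipal implements Principal {
    // Assumed placeholder: use the SubjectAttributeName configured on the
    // SecurityAssociationValve; the caller does session.getAttribute(SUBJECT_ATTRIBUTE).
    public static final String SUBJECT_ATTRIBUTE = "SUBJECT_ATTRIBUTE_NAME_PLACEHOLDER";

    private final String email;

    public EmailPrincipal(String email) {
        if (email == null || !email.contains("@")) {
            throw new IllegalArgumentException("not an e-mail address");
        }
        this.email = email;
    }

    @Override public String getName() { return email; }
    @Override public String toString() { return "EmailPrincipal[" + email + "]"; }

    // Only accept a real Subject: if the valve is not configured the attribute is
    // absent (or something else), and the caller must treat that as "no identity",
    // never fall back to request parameters for who the user is.
    public static Optional<Subject> subjectFrom(Object sessionAttribute) {
        return sessionAttribute instanceof Subject
                ? Optional.of((Subject) sessionAttribute) : Optional.empty();
    }

    // Typed lookup via Subject.getPrincipals(Class). Exactly one EmailPrincipal is
    // expected; zero or several is treated as "unknown" rather than picking one.
    public static Optional<String> emailOf(Subject subject) {
        Set<EmailPrincipal> found = subject.getPrincipals(EmailPrincipal.class);
        return found.size() == 1
                ? Optional.of(found.iterator().next().getName()) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed Subject standing in for what the valve stores in the session.
        Subject subject = new Subject();
        subject.getPrincipals().add(new EmailPrincipal("alice@example.com"));
        subject.getPrincipals().add(() -> "alice"); // the caller principal, by name only
        Object attr = subject; // what session.getAttribute(SUBJECT_ATTRIBUTE) would return
        System.out.println(subjectFrom(attr).flatMap(EmailPrincipal::emailOf)
                .orElse("no email principal"));            // alice@example.com
        System.out.println(subjectFrom("not a subject").isPresent()); // false
    }
}
```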