2 Replies Latest reply on Oct 3, 2006 8:59 AM by Paul Drummond

    Rich Client Authorisation and JAAS

    Paul Drummond Newbie

      Hi,

      I am trying to learn how JBoss security and JAAS would work together within my application which will be a Rich Client communicating with EJBs in JBoss (EJB3). I am new to JavaEE so I apologise in advance if I use the wrong terminology or don't explain the problem very well. (BTW: should I be posting to the newbie forum?)

      I understand that my rich client can use JAAS to login to a JBoss application server using a LoginModule. Once the user is authenticated then it is possible to use security roles in the EJB code to ensure proper authorisation like this:

      if(ctx.isCallerInRole("admin")) {
       //access resource
      }
      

      What I also need is similar code in the Rich Client. As a simple example I want to enable a "Admin" menu if the user is in the admin role. I assume I must use JAAS directly here - doAsPriliveged() maybe? Even if doAsPrivileged() is the correct way to do it, due to the following article (http://today.java.net/pub/a/today/2006/09/14/using-jaas-in-ee-and-soa.html) I am concerned that there will be unmanageable inconsistencies.

      Given my requirements and the concerns regarding JAAS and JavaEE integration maybe a custom authorization mechanism would be better?

      At the moment, I am very confused about how JAAS and JavaEE integrate together. I would be able to answer some of these questions myself by prototyping my scenario but my company isn't at that stage yet and I need to provide some words on this! Any help would be appreciated.

      Thank you,
      Paul Drummond

        • 1. Re: Rich Client Authorisation and JAAS
          Mark P Ashworth Newbie

          Good Day,

          It is possible for rich clients to make use of JAAS on the client and on the server side to perform authentication and authorization.

          Client
          -------
          1. Use the JBoss client login module (org.jboss.security.ClientLoginModule) to collect the user name and password and to associate them with the caller.

          2. Perform a normal JAAS login

          3. Make a call to a server side EJB session bean to retrieve the roles that the current user has.

          4. Use the roles returned to enable menu items.

          Server
          --------

          1. Configure a JAAS configuration for you J2EE application and assign the login modules that will authenticate and authorize.

          2. Program the security permissions required by the session bean methods either programmatically or declaritively.

          3. Provide a method on one of the session bean methods to get the caller principal from the caller. Using this principal, retrieve the roles that the user has and return them to the client.


          CallerPrincipal
          ----------------
          There are posts (made by me) on this forum concerning how to get the CallerPrincipal to contain a principal object that can be used in the session bean for just this type of scenario.

          Acegi
          ------
          Acegi is a framework that makes security easier in SpringFramework applications. If you are using this framework then consider using the AuthorityGranter for the portion in the client that retrieves roles from the server.

          • 2. Re: Rich Client Authorisation and JAAS
            Paul Drummond Newbie

            Thank you very much for replying - I was beginning to loose hope. I will look into what you suggest - thanks again!