Posted to user@geronimo.apache.org by rbaumhof <ra...@web.de> on 2008/07/08 13:20:07 UTC

How to use JACC with JAAS in Geronimo

Hello,

I have problems notifying the EJB container about my authentication. Because
of some special application requirements I cannot use the standard servlet
authentication with j_security_check. Therefore I perform the login myself
using JAAS with a Geronimo SQL security realm. This works fine. However,
after the login SessionContext.getCallerPrincipal().getName() returns
"Unauthenticated". Trying to use
org.apache.geronimo.security.ContextManager.getCurrentCaller() (hint from
David Jencks, see
http://www.nabble.com/How-to-get-the-active-Subject--td11982332s134.html#a11982332)
returns null. Because I use my own filter servlet to watch the web sites, I
don't use any declarative role mapping in web.xml. I had to remove this
because Tomcat was not notified about the login.

My question is: what do I have to do to make
SessionContext.getCallerPrincipal().getName() work? It should not return
"Unauthenticated".

Many thanks in advance
-- 
View this message in context: http://www.nabble.com/How-to-use-JACC-with-JAAS-in-Geronimo-tp18336889s134p18336889.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.


Re: How to use JACC with JAAS in Geronimo

Posted by rbaumhof <ra...@web.de>.
According to your hint I found out the following:

In my EJB I now use the statement:

    javax.security.auth.Subject subj = org.apache.geronimo.security.ContextManager.getCurrentCaller();

This returns the subject as I have set it in my JAAS login. I manipulated
the subject during login (I added an additional principal) and I can see
this principal. This works fine, but I did not have to do anything within my
servlet. In particular, the statement
ContextManager.setCurrentCallers(subject,subject); was not necessary.

If I use in my EJB the statements:

    @Resource
    SessionContext ctx;

    // inside a business method
    Principal caller = ctx.getCallerPrincipal();
    if (caller.getName().equals("Unauthenticated")) {
        System.out.println("unauthenticated...");
    }

a principal is returned whose name is "Unauthenticated". The reason may be
that my subject has got 3 principals, a Geronimo user principal, a Geronimo
group principal and an additional principal I added during login. So it may
be difficult to decide which principal should be taken.

So this workaround is sufficient for me. It's even much more powerful than
only getting a principal's name.

thanks for your help.



djencks wrote:
> 
> 
> On Jul 8, 2008, at 4:20 AM, rbaumhof wrote:
> 
>>
>> Hello,
>>
>> I have problems notifying the EJB container about my authentication.
>> Because of some special application requirements I cannot use the
>> standard servlet authentication with j_security_check.
> 
> It's not really relevant, but I'd like to know why you can't use  
> normal form authentication.
> 
>> Therefore I perform the login myself using JAAS with a Geronimo SQL
>> security realm. This works fine. However, after the login
>> SessionContext.getCallerPrincipal().getName() returns "Unauthenticated".
> 
> If your app does the authentication rather than relying on a built-in  
> authentication method you will need to hook into the geronimo security  
> mechanism the same way the built-in authentication methods do.  The  
> best way to do this would be by writing your own jaspi  
> ServerAuthModule, but jaspi support is not implemented yet (I'm  
> working on it in trunk).
> 
> Assuming that your authentication system will be storing the Subject  
> from the security realm login in the http session, you need a filter  
> that does something like this:
> 
> Subject subject = getSubjectFromSession(request);
> ContextManager.setCurrentCallers(subject,subject);
> 
> This will not enable any container managed web security since by the  
> time you get to a filter the security checks will already have been  
> performed, but you should be able to use this with container managed  
> ejb security. Note also that run-as roles in servlets won't work in  
> any servlet that this filter applies to.
> 
> Assuming this works (I've never tried it) we should consider supplying  
> this filter with geronimo, perhaps as a plugin.
> 
>> Trying to use org.apache.geronimo.security.ContextManager.getCurrentCaller()
>> (hint from David Jencks, see
>> http://www.nabble.com/How-to-get-the-active-Subject--td11982332s134.html#a11982332)
>> returns null. Because I use my own filter servlet to watch the web sites, I
>> don't use any declarative role mapping in web.xml. I had to remove this
>> because Tomcat was not notified about the login.
>>
>> My question is: what do I have to do to make
>> SessionContext.getCallerPrincipal().getName() work? It should not return
>> "Unauthenticated".
> 
> Unless you use container managed authentication, it actually should  
> return "unauthenticated".  However by hooking into the container  
> managed security system as suggested above you may be able to do what  
> you want.
> 
> Please let us know if this works.
> 
> thanks
> david jencks
> 
>>
>>
>> Many thanks in advance
>> -- 
>> View this message in context:
>> http://www.nabble.com/How-to-use-JACC-with-JAAS-in-Geronimo-tp18336889s134p18336889.html
>> Sent from the Apache Geronimo - Users mailing list archive at  
>> Nabble.com.
>>
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/How-to-use-JACC-with-JAAS-in-Geronimo-tp18336889s134p18567104.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
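A helper for the EJB side, as an added example (not the poster's code and not part of Geronimo): it reads the Subject through ContextManager.getCurrentCaller() as the reply above does and picks the application's own principal out of a Subject that also carries the realm's user and group principals. The AppPrincipal type is an assumption standing in for the extra principal added during login.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import org.apache.geronimo.security.ContextManager;

// Replacement for SessionContext.getCallerPrincipal() when the login is
// application-managed and the container would only report "Unauthenticated".
public final class CallerIdentity {

    // Assumed marker type for the principal the application's login module adds.
    public static final class AppPrincipal implements Principal {
        private final String name;
        public AppPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Name of the application principal for the current caller, or null if none.
    public static String currentAppUser() {
        return appUserOf(ContextManager.getCurrentCaller());
    }

    // Picks the application's principal by type instead of guessing among the
    // realm's user principal, group principal and the custom one. A null Subject
    // (no caller was set) and a Subject without exactly one AppPrincipal both yield
    // null, so the caller is treated as unauthenticated rather than matched to the
    // wrong principal.
    static String appUserOf(Subject subject) {
        if (subject == null) {
            return null;
        }
        Set<AppPrincipal> found = subject.getPrincipals(AppPrincipal.class);
        if (found.size() != 1) {
            // zero: not logged in through the application; more than one: ambiguous
            return null;
        }
        return found.iterator().next().getName();
    }
}
```

Callers that need to refuse unauthenticated access should check for null from currentAppUser() before doing anything with the name.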


Re: How to use JACC with JAAS in Geronimo

Posted by David Jencks <da...@yahoo.com>.
On Jul 8, 2008, at 4:20 AM, rbaumhof wrote:

>
> Hello,
>
> I have problems notifying the EJB container about my authentication.
> Because of some special application requirements I cannot use the
> standard servlet authentication with j_security_check.

It's not really relevant, but I'd like to know why you can't use  
normal form authentication.

> Therefore I perform the login myself using JAAS with a Geronimo SQL
> security realm. This works fine. However, after the login
> SessionContext.getCallerPrincipal().getName() returns "Unauthenticated".

If your app does the authentication rather than relying on a built-in  
authentication method you will need to hook into the geronimo security  
mechanism the same way the built-in authentication methods do.  The  
best way to do this would be by writing your own jaspi  
ServerAuthModule, but jaspi support is not implemented yet (I'm  
working on it in trunk).

Assuming that your authentication system will be storing the Subject  
from the security realm login in the http session, you need a filter  
that does something like this:

Subject subject = getSubjectFromSession(request);
ContextManager.setCurrentCallers(subject,subject);

This will not enable any container managed web security since by the  
time you get to a filter the security checks will already have been  
performed, but you should be able to use this with container managed  
ejb security. Note also that run-as roles in servlets won't work in  
any servlet that this filter applies to.

Assuming this works (I've never tried it) we should consider supplying  
this filter with geronimo, perhaps as a plugin.

> Trying to use org.apache.geronimo.security.ContextManager.getCurrentCaller()
> (hint from David Jencks, see
> http://www.nabble.com/How-to-get-the-active-Subject--td11982332s134.html#a11982332)
> returns null. Because I use my own filter servlet to watch the web sites, I
> don't use any declarative role mapping in web.xml. I had to remove this
> because Tomcat was not notified about the login.
>
> My question is: what do I have to do to make
> SessionContext.getCallerPrincipal().getName() work? It should not return
> "Unauthenticated".

Unless you use container managed authentication, it actually should  
return "unauthenticated".  However by hooking into the container  
managed security system as suggested above you may be able to do what  
you want.

Please let us know if this works.

thanks
david jencks

>
>
> Many thanks in advance
> -- 
> View this message in context: http://www.nabble.com/How-to-use-JACC-with-JAAS-in-Geronimo-tp18336889s134p18336889.html
> Sent from the Apache Geronimo - Users mailing list archive at  
> Nabble.com.
>
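The filter David sketches, written out as an added example (not code from the thread or from Geronimo): it takes the Subject from the HTTP session, hands it to ContextManager for the duration of the request, and undoes that in a finally block. The session attribute name and the restore step are assumptions; only getCurrentCaller() and setCurrentCallers() come from the thread.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.geronimo.security.ContextManager;

// Hands the Subject from the application's own JAAS login to Geronimo's
// ContextManager for one request, so container-managed EJB security sees
// the caller. Web-tier constraints are not affected: they were already
// checked before any filter runs, as the reply above points out.
public class SubjectPropagationFilter implements Filter {

    // Assumption: the login code stores the realm-issued Subject under this key.
    static final String SUBJECT_ATTR = "geronimo.login.subject";

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        Subject subject = getSubjectFromSession(req);
        if (subject == null) {
            // Not logged in: leave the caller untouched, so EJBs keep seeing "Unauthenticated".
            chain.doFilter(req, resp);
            return;
        }
        Subject previous = ContextManager.getCurrentCaller();
        ContextManager.setCurrentCallers(subject, subject);
        try {
            chain.doFilter(req, resp);
        } finally {
            // Request threads are pooled: undo the change so the Subject cannot leak into the
            // next request on this thread. Assumption: putting the earlier value back is accepted.
            ContextManager.setCurrentCallers(previous, previous);
        }
    }

    // Reads the Subject only from the server-side session, never from client-supplied data.
    static Subject getSubjectFromSession(ServletRequest req) {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        return session == null ? null : (Subject) session.getAttribute(SUBJECT_ATTR);
    }
}
```

Map the filter in web.xml to every path that calls EJBs; servlets behind it cannot rely on run-as roles, as noted in the reply.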