dev@glassfish-samples.java.net

Re: Samples for JACC and JASPI with glassfish

From: Sreenivas Munnangi <Sreenivas.Munnangi_at_Sun.COM>
Date: Mon, 09 Jul 2007 15:49:47 -0700

Here is Ron's response.

<response>
I think he is trying to use a SAM to protect a conventional web
application. Within validateRequest, when his module has determined that
the message is sufficiently authenticated, the module should add a
principal to the clientSubject, and it must use the callbackhandler
(passed to it by the container) to handle a CallerPrincipalCallback.

The CallerPrincipalCallback can be constructed with a name or with a
custom principal.

If a principal-to-role mapping is defined for the app (alternatively a
default p2r mapping can be enabled) then the mapping must map at least
one of the principals added to the subject to a role that is granted
permission to access the web resource.

If only custom principals are added to the clientSubject, then the
security-role-mapping defined by the app for a granted role must
include both the principal class-name and the principal-name of the
principal resulting from the authentication by the SAM.

If Rejeev can send us his generated policy files, his web.xml, and the
sun-specific-dtd file in which he has defined his p2r mapping (e.g.
sun-web.xml), along with a representation of the class name and name
values of the principals that his authentication module has added to the
clientSubject, then I think we should be able to explain the failed
authorization check, and instruct him on how to define an appropriate
security-role-mapping (or to employ the default mapping).
</response>

thanks
sreeni
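To make Ron's two requirements concrete, here is an added example of a minimal JSR 196 (JASPIC 1.0) ServerAuthModule for a web application. It is not the module Rejeev posted and not GlassFish code: the custom principal class (`AppPrincipal`), the HTTP Basic credential check and the in-memory user table are illustrative assumptions, and the sun-web.xml fragment in the class comment is the shape of a mapping that names both the principal class and the principal name, as Ron describes. What matters for the failed JACC check is that the module both adds the principal to `clientSubject` and registers it through the container's `CallbackHandler` with a `CallerPrincipalCallback`.

```java
// Added example; not code from this thread or from GlassFish.
// Assumes the JASPIC 1.0 (javax.security.auth.message) and Servlet APIs on the classpath.
package example.jmac; // hypothetical package name

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Because this SAM adds only a custom principal, the application's p2r mapping
 * must name both its class and its name (illustrative sun-web.xml fragment):
 *
 *   <security-role-mapping>
 *     <role-name>user</role-name>
 *     <principal-name class-name="example.jmac.BasicSam$AppPrincipal">admin</principal-name>
 *   </security-role-mapping>
 */
public class BasicSam implements ServerAuthModule {

    /** Custom java.security.Principal; its class name and name are what the mapping must match. */
    public static final class AppPrincipal implements Principal {
        private final String name;
        public AppPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof AppPrincipal && name.equals(((AppPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    private CallbackHandler handler;      // the container's handler, supplied in initialize()
    private MessagePolicy requestPolicy;
    // Constructed sample credential store (demo only): user -> password.
    private final Map<String, String> users = new HashMap<String, String>();

    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.requestPolicy = requestPolicy;
        this.handler = handler;
        users.put("admin", "change-me");
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) messageInfo.getResponseMessage();

        String user = checkBasicCredentials(req.getHeader("Authorization"));
        if (user == null) {
            if (requestPolicy != null && !requestPolicy.isMandatory()) {
                // Unprotected resource: let the request through with no caller identity.
                registerCaller(clientSubject, null);
                return AuthStatus.SUCCESS;
            }
            resp.setHeader("WWW-Authenticate", "Basic realm=\"hello1\"");
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        }
        // Step 1: add the principal to the client subject.
        Principal caller = new AppPrincipal(user);
        clientSubject.getPrincipals().add(caller);
        // Step 2: tell the container who the caller is; without this the JACC
        // check runs without the principal and implies() returns false.
        registerCaller(clientSubject, caller);
        return AuthStatus.SUCCESS;
    }

    private void registerCaller(Subject clientSubject, Principal caller) throws AuthException {
        try {
            handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, caller) });
        } catch (Exception e) {
            AuthException ae = new AuthException("CallerPrincipalCallback failed: " + e.getMessage());
            ae.initCause(e);
            throw ae;
        }
    }

    /** Returns the user name when the Basic header carries a valid credential, else null. */
    private String checkBasicCredentials(String authorization) {
        if (authorization == null || !authorization.startsWith("Basic ")) return null;
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 1) return null;
        String user = decoded.substring(0, colon);
        String expected = users.get(user);
        if (expected == null) return null;
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so a wrong password does not leak a length or prefix match.
        return MessageDigest.isEqual(given, expected.getBytes(StandardCharsets.UTF_8)) ? user : null;
    }

    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) subject.getPrincipals().removeAll(subject.getPrincipals(AppPrincipal.class));
    }
}
```

The log excerpt below shows "Checking Web Permission with Principals : admin" followed by `implies` returning false, which is the symptom Ron's second paragraph addresses: the container knows the caller, but no granted role maps to that principal's class and name. With a custom principal, either the app's security-role-mapping must list the `class-name` and name as in the class comment, or the default principal-to-role mapping must be enabled so the principal name is treated as a role name.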

Rejeev Divakaran wrote:
> Hi,
> I have developed a sample JMAC provider and configured a small web
> application with it. Authentication works fine; however, authorization
> fails. I have turned the log level for security to finest and got the
> below-mentioned log entries. It looks like
> 'com.sun.web.security.WebSecurityManager.checkPermission' fails.
> I am using a custom implementation of the java.security.Principal
> interface. Isn't it OK?
> Am I supposed to use GSS-API for creating the Principal?
>
> Any other clue what could be wrong?
>
> Regards,
> Rejeev.
>
> Log entries:
>
> [#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=setPolicyContext;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security]
> Policy Context ID was: hello1/hello1|#]
>
> [#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security]
> Generating a protection domain for Permission check.|#]
>
> [#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security]
> Checking with Principal : admin|#]
>
> [#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security]
> Codesource with Web URL: file:/hello1/hello1|#]
>
> [#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security]
> Checking Web Permission with Principals : admin|#]
>
> [#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security]
> Web Permission = ( javax.security.jacc.WebResourcePermission
> /index.jsp GET)|#]
>
> [#|2007-07-02T09:31:47.926+0530|FINEST|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.enterprise.security.provider.PolicyWrapper;MethodName=doImplies;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|JACC
> Policy Provider: PolicyWrapper.implies, context (hello1/hello1)-
> result was(false) permission
> ((javax.security.jacc.WebResourcePermission /index.jsp GET))|#]
>
> [#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=hasResourcePermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security]
> hasResource isGranted: false|#]
>
> [#|2007-07-02T09:31:47.926+0530|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=hasResourcePermission;_RequestID=588c4baf-142a-42ff-875b-c4aaea8d05a5;|[Web-Security]
> hasResource perm: ( javax.security.jacc.WebResourcePermission
> /index.jsp GET)|#]
>
> On 6/23/07, *Rejeev Divakaran* <rejeev_at_gmail.com
> <mailto:rejeev_at_gmail.com>> wrote:
>
> Hi Ron,
> Thanks for the detailed mail!
> I have come across your articles while browsing (especially the
> JavaOne BOF presentation on the same topic) and wanted to contact
> you. I have gone through
> http://spnego.ocean.net.au/documentation/configuring_spnego_in_glassfish.html
> also previously. Thanks Sreenivas for getting in touch with Ron.
> I agree with Ron's suggested phases (my choice of EJB was rather
> arbitrary (maybe just to demonstrate the usage of client side
> APIs)).
> Phase 3 will be a very good use case. We can use the JACC API for
> providing a centrally administered policy server (some of the
> leading security products provide such functionality).
>
> I will follow as below.
> phase 1: Web application with local SAM
> phase 2: SSO for web application with shared network
> authentication service
> phase 3: usage of central policy server with JACC api
> I will keep you updated as I progress.
>
> Regards,
> Rejeev.