1) Yes I am using a SAM to protect conventional Web app.
2) within validateRequest, it is determined that the message is
sufficiently authenticated, and a principal is created and the
principal is pushed into the subject passed (see the attached
ServerAuthModuleImpl.java in the attached zip file)
3) I am not using CallbackHandlers. I am not using any JAAS API for
authentication.
4) Principal to role mapping is done (see the attached sun-web.xml)
5) I will try specifying principal class name in security role mapping
6) Meanwhile I am attaching the relevant files.
Thanks in advance.
Regards,
Rejeev.
> <response>
> I think he is trying to use a SAM to protect a conventional web
> application. Within validateRequest, when his module has determined that
> the message is sufficiently authenticated, the module should add a
> principal to the clientSubject, and it must use the CallbackHandler
> (passed to it by the container) to handle a CallerPrincipalCallback.
>
> The CallerPrincipalCallback can be constructed with a name or with a
> custom principal.
>
> If a principal-to-role mapping is defined for the app (alternatively a
> default p2r mapping can be enabled) then the mapping must map at least
> one of the principals added to the subject to a role that is granted
> permission to access the web resource.
>
> If only custom principals are added to the clientSubject, then the
> security-role-mapping defined by the app for a granted role must
> include both the principal class-name and the principal-name of the
> principal resulting from the authentication by the SAM.
>
> If Rejeev can send us his generated policy files, his web.xml, and the
> sun-specific-dtd file in which he has defined his p2r mapping (e.g.
> sun-web.xml), along with a representation of the class name and name
> values of the principals that his authentication module has added to the
> clientSubject, then I think we should be able to explain the failed
> authorization check, and instruct him on how to define an appropriate
> security-role-mapping (or to employ the default mapping).
> </response>
>
> thanks
> sreeni
>
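The pattern described in the quoted response (establish the caller inside validateRequest, then hand the caller principal and groups to the container through the container-supplied CallbackHandler rather than only pushing a Principal into the Subject) looks like the following. This is an added illustration written for this thread; it is not Rejeev's attached ServerAuthModuleImpl.java and not GlassFish code. The HTTP Basic parsing, the in-memory credential table and the group name "users" are all assumptions made for the example; the group name must match whatever the application's sun-web.xml security-role-mapping refers to.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example Servlet-profile SAM (illustration only, not the module from the thread).
 *
 * The container-supplied CallbackHandler is the channel through which the
 * module tells the container who the caller is; principals added to the
 * Subject directly, without the callbacks, are not what the container's
 * principal-to-role mapping is fed.  A matching sun-web.xml stanza for the
 * group used below would be (assumed role name "user"):
 *
 *   <sun-web-app>
 *     <security-role-mapping>
 *       <role-name>user</role-name>
 *       <group-name>users</group-name>
 *     </security-role-mapping>
 *   </sun-web-app>
 */
public class ExampleServerAuthModule implements ServerAuthModule {

    /** Constructed credential table for the example; a real module consults a store. */
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("alice", "example-password");
    }

    private CallbackHandler handler;

    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        // Keep the handler the container passes in; it is needed in validateRequest.
        this.handler = handler;
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        String caller = callerFromBasicAuth(request.getHeader("Authorization"));
        if (caller == null) {
            // Not authenticated: challenge and tell the container to stop here.
            response.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        }

        try {
            // Name form of the callback; the other constructor takes a custom Principal,
            // in which case the role mapping must name its class and principal name.
            CallerPrincipalCallback cpc = new CallerPrincipalCallback(clientSubject, caller);
            // Groups are what a group-name based security-role-mapping keys on.
            GroupPrincipalCallback gpc = new GroupPrincipalCallback(clientSubject, new String[] { "users" });
            handler.handle(new Callback[] { cpc, gpc });
        } catch (IOException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        } catch (UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
        return AuthStatus.SUCCESS;
    }

    public AuthStatus secureRequest(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) {
            subject.getPrincipals().clear();
        }
    }

    /** Returns the user name if the Basic credentials match the constructed table, else null. */
    static String callerFromBasicAuth(String authorization) {
        if (authorization == null || !authorization.startsWith("Basic ")) {
            return null;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(authorization.substring(6)),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;
        }
        String user = decoded.substring(0, colon);
        String password = decoded.substring(colon + 1);
        return password.equals(USERS.get(user)) ? user : null;
    }
}
```

The point relevant to the failed authorization check in the thread: the container's principal-to-role mapping is applied to the caller principal and groups delivered via the callbacks, so a module that only does `clientSubject.getPrincipals().add(...)` and never invokes the handler gives the mapping nothing it recognises, and the role check fails even though the request was authenticated.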