dev@glassfish.java.net

Re: Custom LoginModule / SAM, how to handle Groups?

From: Derek Knapp <derek.knapp_at_me.com>
Date: Wed, 19 Sep 2012 03:46:22 -0700

Weird, the bottom 1/2 of my message got cut off

I **think** that the SAM is passing the clientSubject in to the LoginModule, which is directly setting the Principal (using clientSubject.getPrincipals().add(userPrincipal);)

then in Glassfish, when I call request.getUserPrincipal(), that Principal is returned..

but if I add 2 principals to the clientSubject, I was wondering how Glassfish would determine which one to return.


Derek


On Sep 19, 2012, at 3:34 AM, Derek Knapp <derek.knapp_at_me.com> wrote:

> Right now in my SAM's validateRequest method, I have this code (from http://epicjava.blogspot.com/2012/03/using-jaasjacc-on-glassfish-312-for_07.html)
>
> LoginContext context = new LoginContext("yourRealmname", clientSubject, new CallbackHandler() {
>
>     @Override
>     public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
>         for (Callback c : callbacks) {
>             if (c instanceof PasswordCallback) {
>                 PasswordCallback pc = (PasswordCallback) c;
>                 pc.setPassword(password.toCharArray());
>             } else if (c instanceof NameCallback) {
>                 NameCallback pc = (NameCallback) c;
>                 pc.setName(username);
>             } else {
>                 throw new UnsupportedCallbackException(c);
>             }
>         }
>     }
> });
> context.login();
>
>
> Then the LoginModule is simply the SampleLoginModule from Oracle, http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/tutorials/SampleLoginModule.java
>
>
>
> Derek
>
>
> On Sep 19, 2012, at 3:15 AM, KumarJayanti <v.b.kumar.jayanti_at_oracle.com> wrote:
>
>>
>> On Sep 19, 2012, at 3:34 PM, Derek Knapp wrote:
>>
>>> Thanks for the reply! It's good to know I'm on the right path :)
>>>
>>> I am curious about how / why Glassfish automatically determines the Principal (the one in request.getUserPrincipal()).
>>>
>>> Since a subject is capable of having multiple principals, how does Glassfish determine which one to return?
>>>
>>> It seems strange to me that the Principal is automatically set, but the groups are not.. I assume this is more of a JSR 196 question than Glassfish specific?
>>
>> Glassfish does not set the principal, you need to use the CallerPrincipalCallback to set it. Can you explain what you are observing?
>>
>>
>>
>>
>>>
>>>
>>> Thanks,
>>>
>>> Derek
>>>
>>>
>>> On Sep 19, 2012, at 2:59 AM, KumarJayanti <v.b.kumar.jayanti_at_oracle.com> wrote:
>>>
>>>>
>>>> On Sep 19, 2012, at 3:19 PM, Derek Knapp wrote:
>>>>
>>>>> I am having a hard time understanding how Groups are set in the LoginModule.
>>>>>
>>>>> I have a class that implements the java.security.acl.Group, and I add it to the subject in my LoginModule.. but that doesn't seem to do anything.
>>>>>
>>>>> Do I need to do something in my SAM to handle the Group myself? I know if I add the following code to my validateRequest method in my SAM, it works as expected...
>>>>>
>>>>>
>>>>> String[] group = {"users"};
>>>>> handler.handle(new Callback[] { new GroupPrincipalCallback(clientSubject, group) });
>>>>>
>>>>>
>>>>> So I am starting to think that I need to call the subject.getPrincipals(Group.class) and return a list of the groups in the GroupPrincipalCallback myself.. but I am not sure this is the "right" way to do this...
>>>>
>>>> Yes that is the right way. The SAM is responsible for setting the groups into the subject via the GroupPrincipalCallback.
>>>>
>>>
>>
>
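
Added example (not from the thread, the linked blog post, or GlassFish itself): one way a SAM can hand the result of the JAAS login to the container, using the CallerPrincipalCallback and GroupPrincipalCallback named in the replies. The class name SubjectBridge and its publish() method are hypothetical; the code assumes Java 7 or later, the JSR 196 API on the classpath, and a LoginModule that adds exactly one non-Group principal for the user.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;

// Hypothetical helper: call from the SAM's validateRequest() after context.login() returns.
public final class SubjectBridge {
    private SubjectBridge() {}

    // 'handler' is the container's CallbackHandler given to the SAM in initialize().
    // Returns true only when exactly one caller identity was handed to the container.
    public static boolean publish(Subject clientSubject, CallbackHandler handler)
            throws AuthException {
        List<String> groups = new ArrayList<String>();
        List<Principal> users = new ArrayList<Principal>();
        for (Principal p : clientSubject.getPrincipals()) {
            if (p instanceof Group) {
                groups.add(p.getName());   // group name as the container should see it
            } else {
                users.add(p);
            }
        }
        // Assumption of this example: the LoginModule adds exactly one user principal.
        // Zero or several is treated as a failed login rather than guessing.
        if (users.size() != 1) {
            return false;
        }
        try {
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, users.get(0)),
                new GroupPrincipalCallback(clientSubject, groups.toArray(new String[0]))
            });
        } catch (IOException | UnsupportedCallbackException e) {
            AuthException ae = new AuthException("container did not accept the identity callbacks");
            ae.initCause(e);
            throw ae;
        }
        return true;
    }
}
```

In validateRequest(), return AuthStatus.SUCCESS when publish() returns true and AuthStatus.SEND_FAILURE otherwise.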