dev@glassfish.java.net

Re: Custom LoginModule / SAM, how to handle Groups?

From: KumarJayanti <v.b.kumar.jayanti_at_oracle.com>
Date: Wed, 19 Sep 2012 17:42:55 +0530

On Sep 19, 2012, at 4:16 PM, Derek Knapp wrote:

> Weird, the bottom 1/2 of my message got cut off
>
> I **think** that the SAM is passing the clientSubject into the LoginModule, which is directly setting the Principal (using clientSubject.getPrincipals().add(userPrincipal);)
>
> then in Glassfish, when I call request.getUserPrincipal(), that Principal is returned..
>
> but if I add 2 principals to the clientSubject, I was wondering how Glassfish would determine which one to return.
>
>
If one of them was added directly and the other via a CallerPrincipalCallback, then GF will return the one added via the CPC.

There is a thing called DistinguishedPrincipalCredential that is set as a public credential referencing the principal that needs to be returned from the current SecurityContext. The SecurityContext holds the subject, which potentially has multiple user and group principals.

Since it's all open source, you can look in the code.



> Derek
>
>
> On Sep 19, 2012, at 3:34 AM, Derek Knapp <derek.knapp_at_me.com> wrote:
>
>> Right now in my SAM's validateRequest method, I have this code (from http://epicjava.blogspot.com/2012/03/using-jaasjacc-on-glassfish-312-for_07.html)
>>
>> // username and password are effectively-final locals taken from the request earlier in validateRequest
>> LoginContext context = new LoginContext("yourRealmname", clientSubject, new CallbackHandler() {
>>
>>     @Override
>>     public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
>>         for (Callback c : callbacks) {
>>             if (c instanceof PasswordCallback) {
>>                 PasswordCallback pc = (PasswordCallback) c;
>>                 pc.setPassword(password.toCharArray());
>>             } else if (c instanceof NameCallback) {
>>                 NameCallback nc = (NameCallback) c;
>>                 nc.setName(username);
>>             } else {
>>                 throw new UnsupportedCallbackException(c);
>>             }
>>         }
>>     }
>> });
>> // the LoginModule's commit() adds its principals directly to clientSubject
>> context.login();
>>
>>
>> Then the LoginModule is simply the SampleLoginModule from Oracle, http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/tutorials/SampleLoginModule.java
>>
>>
>>
>> Derek
>>
>>
>> On Sep 19, 2012, at 3:15 AM, KumarJayanti <v.b.kumar.jayanti_at_oracle.com> wrote:
>>
>>>
>>> On Sep 19, 2012, at 3:34 PM, Derek Knapp wrote:
>>>
>>>> Thanks for the reply! It's good to know I'm on the right path :)
>>>>
>>>> I am curious about how / why Glassfish automatically determines the Principal (the one in request.getUserPrincipal()).
>>>>
>>>> Since a subject is capable of having multiple principals, how does Glassfish determine which one to return?
>>>>
>>>> It seems strange to me that the Principal is automatically set, but the groups are not.. I assume this is more of a JSR 196 question than a Glassfish-specific one?
>>>
>>> Glassfish does not set the principal, you need to use the CallerPrincipalCallback to set it. Can you explain what you are observing.
>>>
>>>
>>>
>>>
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Derek
>>>>
>>>>
>>>> On Sep 19, 2012, at 2:59 AM, KumarJayanti <v.b.kumar.jayanti_at_oracle.com> wrote:
>>>>
>>>>>
>>>>> On Sep 19, 2012, at 3:19 PM, Derek Knapp wrote:
>>>>>
>>>>>> I am having a hard time understanding how Groups are set in the LoginModule.
>>>>>>
>>>>>> I have a class that implements the java.security.acl.Group, and I add it to the subject in my LoginModule.. but that doesn't seem to do anything.
>>>>>>
>>>>>> Do I need to do something in my SAM to handle the Group myself? I know if I add the following code to my validateRequest method in my SAM, it works as expected...
>>>>>>
>>>>>>
>>>>>> String[] group = {"users"};
>>>>>> handler.handle(new Callback[] { new GroupPrincipalCallback(clientSubject, group) });
>>>>>>
>>>>>>
>>>>>> So I am starting to think that I need to call the subject.getPrincipals(Group.class) and return a list of the groups in the GroupPrincipalCallback myself.. but I am not sure this is the "right" way to do this...
>>>>>
>>>>> Yes, that is the right way. The SAM is responsible for setting the groups into the subject via the GroupPrincipalCallback.
>>>>>
>>>>
>>>
>>
>
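The pattern the thread converges on, written out as one complete SAM. This is an added example, not code from the thread or from GlassFish: the class name JaasDelegatingSam is hypothetical, HTTP Basic is assumed as the credential source (the thread never says where username and password come from), the JAAS entry name "yourRealmname" is taken from Derek's snippet, and the LoginModule is assumed to do what Derek's does, namely add one user Principal plus java.security.acl.Group principals to clientSubject during commit(). java.security.acl.Group matches the Java 6/7-era setup in the thread; it is deprecated since Java 9 and gone in Java 14, so on a modern JDK a different group Principal type is needed. The example does the two things Kumar describes: it reports exactly one Principal through CallerPrincipalCallback (that one, not whatever else is in the Subject, is what request.getUserPrincipal() returns), and it reads the Group principals back out of the Subject and relays their names through GroupPrincipalCallback, since the container does not pick them up on its own.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Hypothetical SAM (not GlassFish code): JAAS login into clientSubject, then report caller and groups.
public class JaasDelegatingSam implements ServerAuthModule {
    private static final String REALM = "yourRealmname";   // assumed JAAS config entry name
    private CallbackHandler containerHandler;              // the container's handler, not ours
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.containerHandler = handler;
    }
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        // Assumed credential source: HTTP Basic. Challenge when nothing usable was sent.
        String[] creds = basicCredentials(request.getHeader("Authorization"));
        if (creds == null) {
            response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_CONTINUE;
        }
        final String username = creds[0];
        final char[] password = creds[1].toCharArray();

        // Step 1: JAAS login straight into clientSubject; the LoginModule's commit() populates it.
        try {
            new LoginContext(REALM, clientSubject, new CallbackHandler() {
                public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                    for (Callback c : callbacks) {
                        if (c instanceof NameCallback) ((NameCallback) c).setName(username);
                        else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
                        else throw new UnsupportedCallbackException(c);
                    }
                }
            }).login();
        } catch (LoginException e) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        } finally {
            Arrays.fill(password, '\0');   // our copy is no longer needed once login() returns
        }

        // Step 2: the Principal handed to CallerPrincipalCallback is what getUserPrincipal()
        // returns, so hand over exactly one: the first non-Group principal the LoginModule committed.
        Principal caller = null;
        for (Principal p : clientSubject.getPrincipals()) {
            if (!(p instanceof Group)) { caller = p; break; }
        }
        if (caller == null) throw new AuthException("LoginModule committed no caller principal");

        // Step 3: Group principals in the Subject only reach the container via GroupPrincipalCallback.
        List<String> groups = new ArrayList<String>();
        for (Group g : clientSubject.getPrincipals(Group.class)) groups.add(g.getName());
        // Step 4: hand caller and groups to the container in one handle() call.
        try {
            containerHandler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, caller),
                new GroupPrincipalCallback(clientSubject, groups.toArray(new String[0])) });
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("container callback failed").initCause(e);
        }
        return AuthStatus.SUCCESS;
    }
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) subject.getPrincipals().clear();
    }

    // {user, password} from "Basic base64(user:pass)", or null when absent or malformed.
    private static String[] basicCredentials(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':');
            return colon < 0 ? null : new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
        } catch (IllegalArgumentException e) {   // not valid Base64
            return null;
        }
    }
}
```

Two CallbackHandlers are in play and they must not be mixed up: the anonymous one built inside validateRequest answers the LoginModule's NameCallback/PasswordCallback, while the one saved in initialize() belongs to the container and is the only handler that understands CallerPrincipalCallback and GroupPrincipalCallback. Pushing the JAAS callbacks at the container handler, or the JASPIC callbacks at the JAAS handler, fails with UnsupportedCallbackException.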