users@glassfish.java.net

Identity assertion and principal propagation

From: <glassfish_at_javadesktop.org>
Date: Tue, 28 Aug 2007 02:07:40 PDT

Hi all

The messages in my JMS queue contain a user name, action name and data. My MDBean is supposed to invoke the named action (via a SessionBean) with the given data using the specified user credentials. The enqueue side is secured using JAAS and the enqueuer is authenticated, so we trust the messages in the queue.

My problem is that the MDBean is running as system, and when I invoke the SessionBean I can't propagate the real user credentials. I reason that I need something like the "su" command for me to change the running user, but I don't know how. I tried writing my LoginModule that creates a Principal of the given name and adds it to the Subject. My SessionBean continues to see system. I then tried invoking the SessionBean inside a PrivilegedAction called from Subject.doAs, using the authenticated Subject from LoginContext, but it still wouldn't work.

Could someone please show me how to assert identity in an MDBean that can be propagated to a SessionBean? I read various specs but they all assume either the identity is set by the web container or the EJB is using runAs.

Thanks very much.

Kevin
[Message sent by forum member 'kevinyeung' (kevinyeung)]

http://forums.java.net/jive/thread.jspa?messageID=232863