users@glassfish.java.net

Re: JSR196 ClientAuthModule Problems

From: <glassfish_at_javadesktop.org>
Date: Mon, 11 Feb 2008 10:48:26 PST

Documenting my information here mainly for my own sanity.

I've grabbed the source code for Glassfish v2 and started digging. What I've found is that the ClientSubject is the correct subject to manipulate. I send this subject through the two callbacks that are appropriate.

CallerPrincipalCallback callerPrincipalCallback = new CallerPrincipalCallback(clientSubject, userName);
GroupPrincipalCallback groupPrincipalCallback = new GroupPrincipalCallback(clientSubject, groupArray);

try {
        // The container-supplied handler is what adds the principals to clientSubject.
        handler.handle(new Callback[] { callerPrincipalCallback, groupPrincipalCallback });
} catch (IOException e) {
        throw new AuthException(e.getMessage());
} catch (UnsupportedCallbackException e) {
        throw new AuthException(e.getMessage());
}

The PrincipalCallback creates a DistinguishedPrincipalCredential from the Principal that is created via the userName sent in. Then it is added to the subject as a PublicCredential. So far so good.

So in the com.sun.web.security.RealmAdapter the ServerAuthModule is called. The subject is now sent on to create a new com.sun.enterprise.security.SecurityContext. The SecurityContext yanks out that DistinguishedPrincipal and sets it to the "initiator" principal. It then sets the subject reference internally. We are still good at this point.

Now the org.apache.catalina.authenticator.AuthenticatorBase gets invoked. It calls the RealmAdapter which in turn calls the com.sun.web.security.WebSecurityManager.checkPermission(). I have turned the logger to the finest setting and I am seeing that my Principals are indeed being checked.
"testUser" is the userName and "DefaultRole" is the group he belongs to. Thus we are still good as far as I can tell.

"[#|2008-02-11T23:59:29.417-0600|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=28;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermissionWithoutCache;_RequestID=c3d96eab-3008-4720-9842-6f4d0a4b7576;|[Web-Security] Checking with Principal : testUser|#]

[#|2008-02-11T23:59:29.418-0600|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=28;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermissionWithoutCache;_RequestID=c3d96eab-3008-4720-9842-6f4d0a4b7576;|[Web-Security] Checking with Principal : DefaultRole|#]"

Below is some of the misc information:
[#|2008-02-11T23:59:29.418-0600|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=28;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermissionWithoutCache;_RequestID=c3d96eab-3008-4720-9842-6f4d0a4b7576;|[Web-Security] Codesource with Web URL: file:/securityTest/securityTest|#]

[#|2008-02-11T23:59:29.418-0600|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=28;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermissionWithoutCache;_RequestID=c3d96eab-3008-4720-9842-6f4d0a4b7576;|[Web-Security] Checking Web Permission with Principals : testUser, DefaultRole|#]

[#|2008-02-11T23:59:29.418-0600|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=28;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.web.security.WebSecurityManager;MethodName=checkPermissionWithoutCache;_RequestID=c3d96eab-3008-4720-9842-6f4d0a4b7576;|[Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /secure/info.html GET)|#]

The Codesource seems funny... the contextRoot for this application is just securityTest; I don't know why the Codesource is /securityTest/securityTest?

And then the BasePolicyWrapper is asked to make sure that the user has permission to access the resource. This is what fails. And this is the log message.

[#|2008-02-11T23:59:29.420-0600|FINEST|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=28;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.enterprise.security.provider.BasePolicyWrapper;MethodName=doImplies;_RequestID=c3d96eab-3008-4720-9842-6f4d0a4b7576;|JACC Policy Provider: PolicyWrapper.implies, context (acegiTest/acegiTest)- result was(false) permission ((javax.security.jacc.WebResourcePermission /secure/info.html GET))|#]


So last but not least, here are the web.xml and the sun-web.xml.

web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Test Security</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>DefaultRole</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>DefaultRole</role-name>
</security-role>

And the sun-web.xml
<sun-web-app error-url="" httpservlet-security-provider="webseal">
  <security-role-mapping>
    <role-name>DefaultRole</role-name>
    <principal-name>DefaultRole</principal-name>
  </security-role-mapping>
</sun-web-app>
[Message sent by forum member 'athrawn17' (athrawn17)]

http://forums.java.net/jive/thread.jspa?messageID=258381
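An added example, not athrawn17's code, showing a complete JSR 196 ServerAuthModule that drives the same two callbacks on clientSubject the post describes. The class name, the trusted-proxy header "X-Authenticated-User" and the hard-coded group list are assumptions; the group name DefaultRole is the one mapped in the post's sun-web.xml.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

/** Hypothetical JSR 196 module: accepts the user name a front-end proxy sets in a header. */
public class ProxyHeaderAuthModule implements ServerAuthModule {
    private CallbackHandler handler;

    public void initialize(MessagePolicy reqPolicy, MessagePolicy respPolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler; // container handler: it is what puts principals into the Subject
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo info, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) info.getResponseMessage();
        // Assumption: only the trusted proxy can reach this listener, so the header is
        // authoritative; if that is not guaranteed, the header must not be trusted.
        String user = req.getHeader("X-Authenticated-User");
        if (user == null || user.length() == 0) {
            try { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); }
            catch (IOException e) { throw new AuthException(e.getMessage()); }
            return AuthStatus.SEND_FAILURE;
        }
        // Group names must equal the <principal-name> values mapped in sun-web.xml.
        String[] groups = { "DefaultRole" };
        try {
            handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, user),
                                            new GroupPrincipalCallback(clientSubject, groups) });
        } catch (IOException e) { throw new AuthException(e.getMessage()); }
          catch (UnsupportedCallbackException e) { throw new AuthException(e.getMessage()); }
        return AuthStatus.SUCCESS;
    }

    public AuthStatus secureResponse(MessageInfo info, Subject serviceSubject) { return AuthStatus.SEND_SUCCESS; }

    public void cleanSubject(MessageInfo info, Subject subject) { subject.getPrincipals().clear(); }
}
```

With FINE logging on com.sun.web.security.WebSecurityManager, the "Checking with Principal" lines should list both the user and each group name passed to GroupPrincipalCallback; a group that does not appear there cannot satisfy the role mapping.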