users@glassfish.java.net

Re: JAAS, LoginContext and Glassfish

From: <glassfish_at_javadesktop.org>
Date: Fri, 15 Aug 2008 06:54:13 PDT

> I have the authentication in place using the Servlet
> configuration and j_security_check to deny access to
> protected resources. After this I do have a Principal
> available, which I thought was related to JAAS?

Yes; so far so good.

> The idea is for the user to authenticate and then
> select which client he is currently doing work for.

Aha. Right; usually role assignment is a one-time thing, so I see what you're getting at here.

Is it possible you could defer authentication via j_security_check until the user has picked a client? Granted, you might still have to do some LoginModule work to ensure that the user is given the proper permissions (clientAPermissions instead of clientBPermissions), but this would be decidedly simpler than trying to grant and revoke permissions dynamically as you go.

> Initially I was hoping to create the principals for
> the permissions. These principals would contain the
> permission and the client. I intended to
> remove/deactivate all principals not relating to the
> client he selects when he selects the client. In this
> scenario I would not need to mess with JACC.
> Unfortunately it seems almost impossible to do this.

Well, it might be possible to do it. Most application servers let you build the Principal class that you return as a result of authentication, whether in the LoginModule or via some other mechanism. It's conceivable that an EJB could do some surgery on the J2EE Principal and stuff some permission information inside it in such a way that it (and the servlets in question) could open it up and investigate the permissions inside it. Mind you, this has very little to do with JAAS--you'd be in charge of their format, representation, construction, etc. but it might get you where you need to go.

Good luck. Also, if it matters, LoginModules tend to be application server specific since lots of times they're touching appserver-specific APIs in the group-to-role management arena. So it is not uncommon to ship a product with two or three kinds of LoginModules and install obviously only the one you need. (For the record, I agree with you that it is annoying and cheap that one has to extend a Glassfish-specific class to make an otherwise valid LoginModule valid-for-Glassfish.)

Best,
Laird
[Message sent by forum member 'ljnelson' (ljnelson)]

http://forums.java.net/jive/thread.jspa?messageID=293562
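As an added illustration (not part of the original thread, and not Glassfish's or any project's code), here is one way to do the "stuff the permission information inside the Principal" idea from the reply in plain JAAS: a custom Principal that carries the user's permissions per client and only honours the client the user has selected, plus a LoginModule that builds it. The class names, the sample user "alice", the clients "clientA"/"clientB" and their permissions are all constructed for the example. Whether the container hands this exact object back from request.getUserPrincipal() depends on the server; for Glassfish, as the reply notes, the LoginModule would additionally have to extend a Glassfish-specific class, which this example leaves out.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical Principal carrying per-client permissions (added example, not from the thread). */
public final class ClientScopedPrincipal implements Principal {
    private final String name;
    private final Map<String, Set<String>> permissionsByClient; // clientId -> permissions for that client
    private volatile String activeClient;                        // null until the user picks a client

    public ClientScopedPrincipal(String name, Map<String, Set<String>> permissionsByClient) {
        this.name = Objects.requireNonNull(name);
        // Defensive copy so nothing can add permissions to the principal after login.
        Map<String, Set<String>> copy = new HashMap<>();
        permissionsByClient.forEach((c, p) -> copy.put(c, Collections.unmodifiableSet(new HashSet<>(p))));
        this.permissionsByClient = Collections.unmodifiableMap(copy);
    }

    @Override public String getName() { return name; }

    /** Clients this user may pick; the selection UI should offer only these. */
    public Set<String> clients() { return permissionsByClient.keySet(); }

    /** Activate one client; the other clients' permissions stay stored but are ignored. */
    public void selectClient(String clientId) {
        if (!permissionsByClient.containsKey(clientId)) {
            // Never trust a client id from the request without this membership check.
            throw new IllegalArgumentException("user " + name + " is not assigned to client " + clientId);
        }
        activeClient = clientId;
    }

    /** Fails closed: no client selected, or permission missing for the active client, means denied. */
    public boolean hasPermission(String permission) {
        String client = activeClient;
        return client != null && permissionsByClient.get(client).contains(permission);
    }
}

/** Hypothetical plain-JAAS LoginModule that builds the principal above (added example). */
class ClientScopedLoginModule implements LoginModule {
    // Constructed sample data standing in for a real user store; a real module would
    // look these up in a directory/database and compare a password hash, not plaintext.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
    private static final Map<String, Map<String, Set<String>>> ASSIGNMENTS = Map.of(
        "alice", Map.of("clientA", Set.of("read", "write"), "clientB", Set.of("read")));

    private Subject subject;
    private CallbackHandler handler;
    private ClientScopedPrincipal pending;

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException(e.getMessage());
        }
        String user = nc.getName();
        char[] pw = pc.getPassword();
        boolean ok = pw != null && PASSWORDS.containsKey(user)
                && Arrays.equals(PASSWORDS.get(user).toCharArray(), pw);
        pc.clearPassword();
        if (!ok) throw new FailedLoginException("bad credentials");
        // All of the user's client assignments are loaded once; selection happens later.
        pending = new ClientScopedPrincipal(user, ASSIGNMENTS.getOrDefault(user, Map.of()));
        return true;
    }

    @Override public boolean commit() {
        if (pending == null) return false;
        subject.getPrincipals().add(pending);
        return true;
    }

    @Override public boolean abort() { pending = null; return true; }

    @Override public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof ClientScopedPrincipal);
        return true;
    }
}
```

On the servlet side the check is then `Principal p = request.getUserPrincipal(); if (p instanceof ClientScopedPrincipal csp && csp.hasPermission("write")) { ... }`, with `csp.selectClient(...)` called once from the client-selection page. Note that this keeps the container's role-based constraints untouched and layers the per-client permission check on top of them; nothing in the container's own authorization changes when the client is switched, which is the same limitation the reply points out.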