[undertow-dev] "unauthenticatedIdentity" in Undertow

arjan tijms arjan.tijms at gmail.com
Sat Aug 9 08:33:35 EDT 2014


Hi,

Although it's not directly what you asked, one thing which you may want to
take into account is that in the web layer (via HttpServletRequest) the
user/caller principal corresponding to the unauthenticated identity is
always null. When using the EJBContext that same user/caller principal is
something container specific (although contrary to the web layer never
null).

EJB is underspecified here (just as the run-as principal). Likewise, the
way in which a security context established in the web layer propagates to
EJB is not clear either. There's a vague paragraph about a security domain
that should be consulted, which JBoss takes very literally (for secured
beans it attempts to re-authenticate instead of propagating the established
context), for non-secured beans it doesn't do this.

Finally there are a couple of implementation differences between JBoss'
native login modules and the Java EE standard JASPIC ones. For JASPIC you
would call HttpServletRequest.authenticate() and the "login module" (SAM)
would pass a null to the CallerPrincipalCallback in order to establish the
unauthenticated identity.

Hope this somehow helps.

On Friday, August 8, 2014, Wolfgang Knauf <wolfgang.knauf at gmx.de> wrote:

> Hi guys,
>
> I try to sort out the "unauthenticatedIdentity" feature for JAAS login
> modules in WildFly 8.
> To my understanding, when logging in without username/password, the
> login module should fall back to this "unauthenticatedIdentity", which
> can only access public content (e.g. unsecured or @PermitAll ejb methods).
>
> But without a login, my public ejb method shows that
> "this.sessionContext.getCallerPrincipal().getName()" returns
> "anonymous", which is NOT the "unauthenticatedIdentity" value.
> And "httpRequest.login(null, null)" will fail because of the Undertow
> implementation.
>
> How can I switch to the user name declared in the
> "unauthenticatedIdentity"?
>
> Same question e.g. here: https://community.jboss.org/thread/237899
>
> Seems I have a basic misunderstanding about this ;-), but I don't find a
> clear explanation in the web...
>
> Best regards
>
> Wolfgang Knauf
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
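As an added illustration of the JASPIC path Arjan describes (example code, not from this thread, Undertow or WildFly): a minimal ServerAuthModule that hands a null principal to CallerPrincipalCallback when the request carries no credential, so the container establishes the unauthenticated identity instead of failing the login. The X-Demo-User / X-Demo-Secret headers and the hard-coded secret are constructed placeholders, and registering the module with the container (AuthConfigProvider or a container-specific mechanism) is assumed to happen elsewhere.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical SAM (not Undertow/WildFly code): no credential => unauthenticated identity. */
public class AnonymousAwareSam implements ServerAuthModule {
    private CallbackHandler handler;

    @Override public void initialize(MessagePolicy req, MessagePolicy res, CallbackHandler h, Map opts) {
        this.handler = h;
    }

    @Override public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service)
            throws AuthException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        String user = request.getHeader("X-Demo-User");   // constructed header, not a real scheme
        try {
            if (user == null) {
                // No credential: pass a null principal. This is how a JASPIC SAM establishes the
                // unauthenticated identity; the container then admits the request only to
                // unsecured / @PermitAll resources rather than rejecting it up front.
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, (Principal) null) });
                return AuthStatus.SUCCESS;
            }
            if (!"demo-secret".equals(request.getHeader("X-Demo-Secret"))) { // constructed check
                // Wrong credential: fail the login, do NOT silently fall back to anonymous.
                ((HttpServletResponse) info.getResponseMessage()).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return AuthStatus.SEND_FAILURE;
            }
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, user) });
            return AuthStatus.SUCCESS;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    @Override public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }

    @Override public void cleanSubject(MessageInfo info, Subject s) { if (s != null) s.getPrincipals().clear(); }
}
```

With this in place, a request without the header reaches a @PermitAll EJB as the container's unauthenticated caller, while a request with a bad secret gets a 401 from the SAM before any constraint check.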