Hi,<div><br></div><div>Although it's not directly what you asked, one thing which you may want to take into account is that in the web layer (via HttpServletRequest) the user/caller principal corresponding to the unauthenticated identity is always null. When using the EJBContext that same user/caller principal is something container specific (although contrary to the web layer never null).</div>
<div><br></div>EJB is underspecified here (just as the run-as principal). Likewise, the way in which a security context established in the web layer propagates to EJB is not clear either. There's a vague paragraph about a security domain that should be consulted, which JBoss takes very literally (for secured beans it attempts to re-authenticate instead of propagating the established context), for non-secured beans it doesn't do this.<div>
<br></div><div>Finally there are a couple of implementation differences between JBoss' native login modules and the Java EE standard JASPIC ones. For JASPIC you would call HttpServletRequest.authenticate() and the "login module" (SAM) would pass a null to the CallerPrincipalCallback in order to establish the unauthenticated identity.</div>
<div><br></div><div>Hope this somehow helps.<br><div><br>On Friday, August 8, 2014, Wolfgang Knauf <<a href="mailto:wolfgang.knauf@gmx.de">wolfgang.knauf@gmx.de</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi guys,<br>
<br>
I try to sort out the "unauthenticatedIdentity" feature for JAS login<br>
modules in WildFly 8.<br>
To my understanding, when logging in without username/password, the<br>
login module should fallback to this "unauthenticatedIndentity", which<br>
can only access public content (e.g. unsecured or @PermitAll ejb methods).<br>
<br>
But without a login, my public ejb method shows that<br>
"this.sessionContext.getCallerPrincipal().getName()" returns<br>
"anonymous", which is NOT the "unauthenticatedIdentity" value.<br>
And "httpRequest.login(null, null)" will fail because of the Undertow<br>
implementation.<br>
<br>
How can a switch to the user name declared in the "unauthenticatedIdentity"?<br>
<br>
Same question e.g. here: <a href="https://community.jboss.org/thread/237899" target="_blank">https://community.jboss.org/thread/237899</a><br>
<br>
Seems I have a basic misunderstanding about this ;-), but I don't find a<br>
clear explanation in the web...<br>
<br>
Best regards<br>
<br>
Wolfgang Knauf<br>
_______________________________________________<br>
undertow-dev mailing list<br>
<a href="javascript:;" onclick="_e(event, 'cvml', 'undertow-dev@lists.jboss.org')">undertow-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/undertow-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/undertow-dev</a><br>
</blockquote></div></div>