On Sunday, August 10, 2014, Wolfgang Knauf wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I think my<br>
basic question should be "what is the unauthenticatedIdentity used<br>
for?"</blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"></blockquote><div><br></div><div>Afaik the unauthenticated identity that's exposed to user code is a very unfortunate result of the fact that whoever wrote the first EJB spec thought it was a good idea to add the requirement "never null" to the return value of EJBContext#getCallerPrincipal.</div>
<div><br></div><div>I'm sure it was done with the best intentions, but without also defining a constant that we can use to compare to (ie via a reference) OR an explicit "isCallerAuthenticated" method, this has been nothing but a world of hurt.</div>
<div><br></div><div>The problem is that now there's no real good way to check if a user is authenticated in EJB. A null return would be a good method, but since that value is mysteriously not allowed the container has to use a regular principal. You should then compare the name of this principal to whatever the container has decided to use to determine if the user is authenticated or not.</div>
<div><br></div><div>This is a recipe for disaster, since without reserving a name, any name the container chooses could be a valid name in the application domain. It just can't work this way.</div><div><br></div><div>
As a workaround some containers like JBoss offer the option to remap the name to something, should it clash.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
. If this question is answered, the next question could be "how<br>
could one use it in a web app or application client?"</blockquote><div><br></div><div>See above, to test if the user is authenticated or not.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I tried to call HttpServletRequest.authenticate() in an unsecured JSP<br>
page, and this redirected me to my login form - so no help ;-).</blockquote><div><br></div><div>This is because the SAM or login module that you configured wasn't instructed to "do nothing" ;) </div><div><br>
</div><div>But my mentioning of request#authenticate was just an explanation of how a SAM could "do nothing" even after an explicit request for authentication. A SAM is a special case here since it's always called for every request (just like a Servlet Filter). If I'm not mistaken, JBoss' proprietary login modules are only called when authentication is explicitly required.</div>
<div><br></div><div>Kind regards,</div><div>Arjan</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Best regards<br>
<br>
Wolfgang<br>
<br>
-------- Original-Nachricht --------<br>
Betreff: Re: [undertow-dev] "unauthenticatedIndentity" in Undertow<br>
Von: arjan tijms <<a href="javascript:;" onclick="_e(event, 'cvml', 'arjan.tijms@gmail.com')">arjan.tijms@gmail.com</a>><br>
An: Wolfgang Knauf <<a href="javascript:;" onclick="_e(event, 'cvml', 'wolfgang.knauf@gmx.de')">wolfgang.knauf@gmx.de</a>><br>
Kopie (CC): "<a href="javascript:;" onclick="_e(event, 'cvml', 'undertow-dev@lists.jboss.org')">undertow-dev@lists.jboss.org</a>" <<a href="javascript:;" onclick="_e(event, 'cvml', 'undertow-dev@lists.jboss.org')">undertow-dev@lists.jboss.org</a>><br>
Datum: 09.08.2014 14:33<br>
<br>
> Hi,<br>
><br>
> Although it's not directly what you asked, one thing which you may want<br>
> to take into account is that in the web layer (via HttpServletRequest)<br>
> the user/caller principal corresponding to the unauthenticated identity<br>
> is always null. When using the EJBContext that same user/caller<br>
> principal is something container specific (although contrary to the web<br>
> layer never null).<br>
><br>
> EJB is underspecified here (just as the run-as principal). Likewise, the<br>
> way in which a security context established in the web layer propagates<br>
> to EJB is not clear either. There's a vague paragraph about a security<br>
> domain that should be consulted, which JBoss takes very literally (for<br>
> secured beans it attempts to re-authenticate instead of propagating the<br>
> established context), for non-secured beans it doesn't do this.<br>
><br>
> Finally there are a couple of implementation differences between JBoss'<br>
> native login modules and the Java EE standard JASPIC ones. For JASPIC<br>
> you would call HttpServletRequest.authenticate() and the "login module"<br>
> (SAM) would pass a null to the CallerPrincipalCallback in order to<br>
> establish the unauthenticated identity.<br>
><br>
> Hope this somehow helps.<br>
><br>
> On Friday, August 8, 2014, Wolfgang Knauf <<a href="javascript:;" onclick="_e(event, 'cvml', 'wolfgang.knauf@gmx.de')">wolfgang.knauf@gmx.de</a><br>
> <mailto:<a href="javascript:;" onclick="_e(event, 'cvml', 'wolfgang.knauf@gmx.de')">wolfgang.knauf@gmx.de</a>>> wrote:<br>
><br>
> Hi guys,<br>
><br>
> I try to sort out the "unauthenticatedIdentity" feature for JAS login<br>
> modules in WildFly 8.<br>
> To my understanding, when logging in without username/password, the<br>
> login module should fallback to this "unauthenticatedIndentity", which<br>
> can only access public content (e.g. unsecured or @PermitAll ejb<br>
> methods).<br>
><br>
> But without a login, my public ejb method shows that<br>
> "this.sessionContext.getCallerPrincipal().getName()" returns<br>
> "anonymous", which is NOT the "unauthenticatedIdentity" value.<br>
> And "httpRequest.login(null, null)" will fail because of the Undertow<br>
> implementation.<br>
><br>
> How can a switch to the user name declared in the<br>
> "unauthenticatedIdentity"?<br>
><br>
> Same question e.g. here: <a href="https://community.jboss.org/thread/237899" target="_blank">https://community.jboss.org/thread/237899</a><br>
><br>
> Seems I have a basic misunderstanding about this ;-), but I don't find a<br>
> clear explanation in the web...<br>
><br>
> Best regards<br>
><br>
> Wolfgang Knauf<br>
> _______________________________________________<br>
> undertow-dev mailing list<br>
> <a href="javascript:;" onclick="_e(event, 'cvml', 'undertow-dev@lists.jboss.org')">undertow-dev@lists.jboss.org</a> <javascript:;><br>
> <a href="https://lists.jboss.org/mailman/listinfo/undertow-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/undertow-dev</a><br>
><br>
_______________________________________________<br>
undertow-dev mailing list<br>
<a href="javascript:;" onclick="_e(event, 'cvml', 'undertow-dev@lists.jboss.org')">undertow-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/undertow-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/undertow-dev</a><br>
</blockquote>