WSRP Identity Propagation uses WSRP user context and should use WS-Security
----------------------------------------------------------------------------
Key: JBPORTAL-2468
URL: https://jira.jboss.org/jira/browse/JBPORTAL-2468
Project: JBoss Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Portal WSRP
Environment: EPP 4.3 CP03
Reporter: Aaron Pestel
Assignee: Chris Laprun
The current WSRP implementation passes the username via the WSRP user context, which
according to the spec is not the purpose of the user context.
I have created a wiki that offers a potential solution. It involves two jax-rpc handlers
(one to generate the ws-security header on the consumer and one to parse and authenticate
the ws-security header on the producer). In addition,
org/jboss/portal/wsrp/producer/RequestProcessor.java needs to be changed to use the
authenticated user's context rather than the information passed in the wsrp user
context. Source code for these pieces is in the JARs at this wiki:
http://community.jboss.org/wiki/JBossEPP43-WSRPwithWS-SecurityandSSL
Here is the current implementation of RequestProcessor that pulls security information
from the WSRP user context, followed by my proposed implementation:
-------------------------------------------------------------------------------------------
// fix-me: check that the correct semantics is used.
private SecurityContext createSecurityContext(final MarkupParams params, final RuntimeContext runtimeContext,
                                              final org.jboss.portal.wsrp.core.UserContext wsrpUserContext)
{
   // Every value below is copied from the consumer's WSRP request; the producer verifies none of it.
   return new SecurityContext()
   {
      public boolean isSecure()
      {
         return params.isSecureClientCommunication();
      }

      public String getAuthType()
      {
         return runtimeContext.getUserAuthentication();
      }

      public String getRemoteUser()
      {
         // the user context key is a consumer-supplied identifier, not an authenticated identity
         if (wsrpUserContext != null)
         {
            return wsrpUserContext.getUserContextKey();
         }
         return null;
      }

      public Principal getUserPrincipal()
      {
         return null;
      }

      public boolean isUserInRole(String roleName)
      {
         // role check against whatever user categories the consumer chose to send
         return wsrpUserContext != null && Tools.isContainedIn(roleName, wsrpUserContext.getUserCategories());
      }

      public boolean isAuthenticated()
      {
         // merely sending a user context counts as "authenticated"
         return wsrpUserContext != null;
      }
   };
}
-------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------
// fix-me: check that the correct semantics is used.
private SecurityContext createSecurityContext(final MarkupParams params, final RuntimeContext runtimeContext,
                                              final org.jboss.portal.wsrp.core.UserContext wsrpUserContext)
{
   // The Tomcat request for the current thread, stored by JBoss's SecurityAssociationValve.
   // Its principal is whatever the container (here, the WS-Security handler) actually authenticated,
   // so the consumer-supplied wsrpUserContext is no longer consulted.
   final Request r = (org.apache.catalina.connector.Request)SecurityAssociationValve.activeRequest.get();
   return new SecurityContext()
   {
      public boolean isSecure()
      {
         return r.isSecure();
      }

      public String getAuthType()
      {
         return r.getAuthType();
      }

      public String getRemoteUser()
      {
         return r.getRemoteUser();
      }

      public Principal getUserPrincipal()
      {
         return r.getUserPrincipal();
      }

      public boolean isUserInRole(String roleName)
      {
         return r.isUserInRole(roleName);
      }

      public boolean isAuthenticated()
      {
         // authenticated only if the container established a principal for this request
         return r.getUserPrincipal() != null;
      }
   };
}
-------------------------------------------------------------------------------------------
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
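The description above names two JAX-RPC handlers but only shows the RequestProcessor change. The following sketch of those two handlers is an added example written for this page; it is not the code in the wiki's JARs and not JBoss Portal's own. It assumes SAAJ 1.2 or later, that JBoss's SecurityAssociationValve has stored the Tomcat request in its activeRequest ThreadLocal (the same assumption the proposed createSecurityContext makes), and that the consumer's WSRP client sets the credentials to propagate on the MessageContext; the property names wsse.username and wsse.password, the class names, and the authenticate() hook are invented for illustration.

```java
// Added example, not the wiki's or JBoss Portal's code. Assumed names are marked below.
import java.security.Principal;
import java.util.Iterator;
import javax.xml.namespace.QName;
import javax.xml.rpc.JAXRPCException;
import javax.xml.rpc.handler.GenericHandler;
import javax.xml.rpc.handler.MessageContext;
import javax.xml.rpc.handler.soap.SOAPMessageContext;
import javax.xml.rpc.soap.SOAPFaultException;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPHeaderElement;
import javax.xml.soap.SOAPMessage;
import org.apache.catalina.connector.Request;
import org.jboss.web.tomcat.security.SecurityAssociationValve;

public final class WSSecurityHandlers
{
   static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
   static final String PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
   static final String SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/";
   // Assumed property names: the consumer's WSRP client sets these on the MessageContext before each call.
   public static final String USERNAME_PROP = "wsse.username";
   public static final String PASSWORD_PROP = "wsse.password";

   /** Consumer side: adds a mustUnderstand wsse:Security header carrying a UsernameToken. */
   public static class ConsumerHandler extends GenericHandler
   {
      public QName[] getHeaders() { return new QName[0]; }

      public boolean handleRequest(MessageContext ctx)
      {
         String user = (String)ctx.getProperty(USERNAME_PROP);
         String password = (String)ctx.getProperty(PASSWORD_PROP);
         if (user == null || password == null)
            throw new JAXRPCException("no identity to propagate; refusing to send an unauthenticated WSRP request");
         try
         {
            SOAPMessage msg = ((SOAPMessageContext)ctx).getMessage();
            SOAPEnvelope env = msg.getSOAPPart().getEnvelope();
            SOAPHeader header = env.getHeader() != null ? env.getHeader() : env.addHeader();
            SOAPHeaderElement sec = header.addHeaderElement(env.createName("Security", "wsse", WSSE));
            sec.setMustUnderstand(true); // a producer lacking the WS-Security handler must fault, not ignore the token
            SOAPElement token = sec.addChildElement(env.createName("UsernameToken", "wsse", WSSE));
            token.addChildElement(env.createName("Username", "wsse", WSSE)).addTextNode(user);
            SOAPElement pw = token.addChildElement(env.createName("Password", "wsse", WSSE));
            pw.addAttribute(env.createName("Type"), PASSWORD_TEXT); // PasswordText is cleartext: only send it over SSL
            pw.addTextNode(password);
            msg.saveChanges();
            return true;
         }
         catch (SOAPException e) { throw new JAXRPCException(e); }
      }
   }

   /** Producer side: faults unless the UsernameToken authenticates, then installs the principal on the request. */
   public abstract static class ProducerHandler extends GenericHandler
   {
      /** Assumed hook: plug in the producer's real credential check (JAAS login, user store, ...). */
      protected abstract boolean authenticate(String username, String password);

      public QName[] getHeaders() { return new QName[]{new QName(WSSE, "Security")}; }

      public boolean handleRequest(MessageContext ctx)
      {
         try
         {
            SOAPEnvelope env = ((SOAPMessageContext)ctx).getMessage().getSOAPPart().getEnvelope();
            SOAPElement token = child(child(env.getHeader(), env, "Security"), env, "UsernameToken");
            String user = text(child(token, env, "Username"));
            String password = text(child(token, env, "Password"));
            // No token, or a bad one, is a client fault: the WSRP user context is never used as a fallback.
            if (user == null || password == null || !authenticate(user, password))
               throw new SOAPFaultException(new QName(SOAP_ENV, "Client"), "WS-Security authentication failed", null, null);
            final String name = user;
            Principal p = new Principal() { public String getName() { return name; } };
            // Assumption: SecurityAssociationValve already stored the Tomcat request in its ThreadLocal,
            // which is also what the proposed RequestProcessor.createSecurityContext() reads.
            Request r = (Request)SecurityAssociationValve.activeRequest.get();
            if (r != null)
            {
               r.setUserPrincipal(p);
               r.setAuthType("WSSE-UsernameToken");
            }
            return true;
         }
         catch (SOAPException e) { throw new JAXRPCException(e); }
      }

      // first wsse child with the given local name, or null if the parent or the child is absent
      private static SOAPElement child(SOAPElement parent, SOAPEnvelope env, String local) throws SOAPException
      {
         if (parent == null) return null;
         Iterator it = parent.getChildElements(env.createName(local, "wsse", WSSE));
         return it.hasNext() ? (SOAPElement)it.next() : null;
      }

      private static String text(SOAPElement e) { return e == null ? null : e.getValue(); }
   }
}
```

Once the producer handler has run, the proposed createSecurityContext sees r.getUserPrincipal() and r.getRemoteUser() populated from an authenticated credential rather than from the consumer-chosen userContextKey, and isAuthenticated() is false for any request that skipped the handler. Two caveats a deployment has to cover: PasswordText carries the password in the clear, so the transport must be SSL (the wiki title pairs WS-Security with SSL for that reason), and r.isUserInRole() is answered by the container realm, so roles still need to be mapped by the realm or by whatever authenticate() consults; the anonymous Principal above carries none.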