Hi Arjan,
thanks for your reply, but I fear it does not help much. I think my
basic question should be "what is the unauthenticatedIdentity used
for?". If this question is answered, the next question could be "how
could one use it in a web app or application client?"
I tried to call HttpServletRequest.authenticate() in an unsecured JSP
page, and this redirected me to my login form - so no help ;-).
Best regards
Wolfgang
-------- Original-Nachricht --------
Betreff: Re: [undertow-dev] "unauthenticatedIndentity" in Undertow
Von: arjan tijms <arjan.tijms(a)gmail.com>
An: Wolfgang Knauf <wolfgang.knauf(a)gmx.de>
Kopie (CC): "undertow-dev(a)lists.jboss.org" <undertow-dev(a)lists.jboss.org>
Datum: 09.08.2014 14:33
Hi,
Although it's not directly what you asked, one thing which you may want
to take into account is that in the web layer (via HttpServletRequest)
the user/caller principal corresponding to the unauthenticated identity
is always null. When using the EJBContext that same user/caller
principal is something container specific (although contrary to the web
layer never null).
EJB is underspecified here (just as the run-as principal). Likewise, the
way in which a security context established in the web layer propagates
to EJB is not clear either. There's a vague paragraph about a security
domain that should be consulted, which JBoss takes very literally (for
secured beans it attempts to re-authenticate instead of propagating the
established context), for non-secured beans it doesn't do this.
Finally there are a couple of implementation differences between JBoss'
native login modules and the Java EE standard JASPIC ones. For JASPIC
you would call HttpServletRequest.authenticate() and the "login module"
(SAM) would pass a null to the CallerPrincipalCallback in order to
establish the unauthenticated identity.
Hope this somehow helps.
On Friday, August 8, 2014, Wolfgang Knauf <wolfgang.knauf(a)gmx.de
<mailto:wolfgang.knauf@gmx.de>> wrote:
Hi guys,
I try to sort out the "unauthenticatedIdentity" feature for JAS login
modules in WildFly 8.
To my understanding, when logging in without username/password, the
login module should fallback to this "unauthenticatedIndentity", which
can only access public content (e.g. unsecured or @PermitAll ejb
methods).
But without a login, my public ejb method shows that
"this.sessionContext.getCallerPrincipal().getName()" returns
"anonymous", which is NOT the "unauthenticatedIdentity" value.
And "httpRequest.login(null, null)" will fail because of the Undertow
implementation.
How can a switch to the user name declared in the
"unauthenticatedIdentity"?
Same question e.g. here:
https://community.jboss.org/thread/237899
Seems I have a basic misunderstanding about this ;-), but I don't find a
clear explanation in the web...
Best regards
Wolfgang Knauf
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org <javascript:;>
https://lists.jboss.org/mailman/listinfo/undertow-dev