I noticed that JBoss' JACCAuthorizationManager only passes the role
principals (if any) into a JACC module, as per the following code:
// create a protection domain with the user roles (or account principal if no roles are found)
final Map<String, Set<String>> principalVersusRolesMap =
final Principal principals = this.getPrincipals(account,
final CodeSource codeSource =
final ProtectionDomain protectionDomain = new ProtectionDomain(codeSource, null, null, principals);
If there happen to be no roles, then and only then is the caller principal
passed to the JACC module.
I wonder if there was any specific idea here. The comment explicitly
indicates this, so it doesn't just seem a bug. But this is quite unusual,
and also a bit confusing for a JACC module to work with.
As far as I know, no other server does this (at least GF, Payara, Geronimo,
JEUS and TomEE don't do this). You always see all the principals from the
Subject being passed in.
A JACC module can work around this by obtaining the subject directly using
still wondering why JBoss doesn't just pass all principals here.
Any insight would be appreciated.
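As an added illustration (not code from this post or from JBoss), the two ways of building the ProtectionDomain described above side by side, with the kind of role lookup a JACC Policy.implies() performs, showing that the caller identity is not recoverable from the roles-only domain once the account has any role. RolePrincipal and CallerPrincipal are hypothetical stand-ins for the server's own principal classes, and the caller "alice" is a constructed sample.

```java
import java.security.CodeSource;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

public class JaccPrincipalsDemo {
    // Hypothetical stand-ins for the server's own principal classes.
    record RolePrincipal(String name) implements Principal { public String getName() { return name; } }
    record CallerPrincipal(String name) implements Principal { public String getName() { return name; } }
    static ProtectionDomain domainOf(List<Principal> ps) {
        CodeSource cs = new CodeSource(null, (java.security.cert.Certificate[]) null);
        return new ProtectionDomain(cs, null, null, ps.toArray(new Principal[0]));
    }
    // As in the quoted JBoss code: role principals only, or the caller principal
    // when the account has no roles at all.
    static ProtectionDomain jbossStyleDomain(Principal caller, Set<String> roles) {
        List<Principal> ps = new ArrayList<>();
        if (roles.isEmpty()) ps.add(caller);
        else for (String r : roles) ps.add(new RolePrincipal(r));
        return domainOf(ps);
    }
    // As in the other servers named in the post: every principal from the Subject.
    static ProtectionDomain allPrincipalsDomain(Principal caller, Set<String> roles) {
        List<Principal> ps = new ArrayList<>();
        ps.add(caller);
        for (String r : roles) ps.add(new RolePrincipal(r));
        return domainOf(ps);
    }
    // The check a JACC Policy.implies() typically makes: is the role principal present?
    static boolean hasRole(ProtectionDomain pd, String role) {
        return Arrays.stream(pd.getPrincipals())
                .anyMatch(p -> p instanceof RolePrincipal && p.getName().equals(role));
    }
    // Caller identity recoverable from the domain alone; null when it was not passed.
    static String callerName(ProtectionDomain pd) {
        return Arrays.stream(pd.getPrincipals()).filter(p -> p instanceof CallerPrincipal)
                .map(Principal::getName).findFirst().orElse(null);
    }
    public static void main(String[] args) {
        Principal alice = new CallerPrincipal("alice"); // constructed sample caller
        Set<String> admin = Set.of("admin");
        for (ProtectionDomain pd : List.of(jbossStyleDomain(alice, admin),
                allPrincipalsDomain(alice, admin), jbossStyleDomain(alice, Set.of())))
            System.out.println("admin=" + hasRole(pd, "admin") + " caller=" + callerName(pd));
    }
}
```

Only the third domain (no roles) and the all-principals domain let the policy see the caller; the JBoss-style domain with a role carries no caller principal at all.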