[jboss-dev-forums] [Design of Security on JBoss] - Re: Custom Principal Propagation Related
anil.saldhana@jboss.com
do-not-reply at jboss.com
Thu Sep 21 14:20:30 EDT 2006
Workflow:
1) User logs into webapp.
2) JBossSecurityMgrRealm gets called with userid=aaa, password=hello
3) JBossSecurityRealm.authenticate(username, pass)
   {
      // Create a simple principal to be passed to JAAS
      SimplePrincipal sp = new SimplePrincipal("aaa");
      // Get the security manager
      securityMgr.isValid(sp, "hello");
      /** Note in the isValid call, the JAAS framework gets called and the custom LM creates a custom principal. ClientLM pushes it on the SA stack. The SA stack has the custom principal on the stack.
      **/
      // Ok
      SecurityAssociation.push(sp, "hello");
   }
4) Request lands at the servlet.
5) In the servlet, there is a call on an EJB (there is no explicit JAAS login here).
6) In the proxy, the SecurityInterceptor picks up the latest principal from the SA stack (that happens to be the last call on the SA done by the SecurityMgrRealm).
7) The EJB is unhappy that it did not get the custom principal and chokes with a CCE.
This use case is when the web and the EJB components are in the same VM.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3973359#3973359
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3973359
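To make the ordering above concrete, the following self-contained Java simulation is added here; it is not JBoss code and not part of the original post. SAStack, CustomPrincipal, PrincipalPropagationDemo and its isValid/realm methods are constructed stand-ins for SecurityAssociation, the custom login module's principal and JBossSecurityMgrRealm. It shows the realm as described pushing its own SimplePrincipal over the login module's custom principal, so the EJB-side cast fails with a ClassCastException, beside a realm that propagates the principal the login module established.

```java
import java.security.Principal;
import java.util.ArrayDeque;
import java.util.Deque;
// Constructed stand-in for the JBoss SecurityAssociation (SA) stack; single thread, so a plain Deque.
final class SAStack {
    private static final Deque<Principal> STACK = new ArrayDeque<>();
    static void push(Principal p) { STACK.push(p); }
    static Principal peek() { return STACK.peek(); }
    static void clear() { STACK.clear(); }
}
// Principal type produced by the custom login module (hypothetical name).
final class CustomPrincipal implements Principal {
    private final String name;
    CustomPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}
// Plain principal the realm builds before calling the security manager.
final class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}
public class PrincipalPropagationDemo {
    // Step 3: isValid() drives JAAS; the custom login module pushes its principal on the SA stack.
    static boolean isValid(Principal p, Object credential) {
        if (!"hello".equals(credential)) return false;
        SAStack.push(new CustomPrincipal(p.getName()));
        return true;
    }
    // Realm as described in the post: pushes its own SimplePrincipal on top, hiding the custom one.
    static void realmAuthenticateAsPosted(String user, String pass) {
        SimplePrincipal sp = new SimplePrincipal(user);
        if (isValid(sp, pass)) SAStack.push(sp);
    }
    // Realm that re-pushes whatever principal the login module established instead of its own.
    static void realmAuthenticatePropagating(String user, String pass) {
        if (isValid(new SimplePrincipal(user), pass)) SAStack.push(SAStack.peek());
    }
    // Steps 6-7: the EJB SecurityInterceptor takes the top of the SA stack and expects the custom type.
    static String ejbCallerName() {
        return ((CustomPrincipal) SAStack.peek()).getName();
    }
    public static void main(String[] args) {
        realmAuthenticatePropagating("aaa", "hello");
        System.out.println("propagating realm: caller=" + ejbCallerName());
        SAStack.clear();
        realmAuthenticateAsPosted("aaa", "hello");
        try { ejbCallerName(); } catch (ClassCastException e) { System.out.println("realm as posted: CCE"); }
    }
}
```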
More information about the jboss-dev-forums mailing list