[jboss-jira] [JBoss JIRA] Created: (JBPORTAL-2468) WSRP Identity Propagation uses WSRP user context and should use WS-Security

Aaron Pestel (JIRA) jira-events at lists.jboss.org
Fri Jan 29 22:34:19 EST 2010


WSRP Identity Propagation uses WSRP user context and should use WS-Security
----------------------------------------------------------------------------

                 Key: JBPORTAL-2468
                 URL: https://jira.jboss.org/jira/browse/JBPORTAL-2468
             Project: JBoss Portal
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Portal WSRP
         Environment: EPP 4.3 CP03
            Reporter: Aaron Pestel
            Assignee: Chris Laprun


The current WSRP implementation passes the username via the WSRP user context, which according to the spec is not the purpose of the user context.

I have created a wiki that offers a potential solution.  It involves two jax-rpc handlers (one to generate the ws-security header on the consumer and one to parse and authenticate the ws-security header on the producer).  In addition, org/jboss/portal/wsrp/producer/RequestProcessor.java needs to be changed to use the authenticated user's context rather than the information passed in the wsrp user context.  Source code for these pieces is in the JARs at this wiki:  http://community.jboss.org/wiki/JBossEPP43-WSRPwithWS-SecurityandSSL

Here is the current implementation of RequestProcessor that pulls security information from the WSRP user context, followed by my proposed implementation:

-------------------------------------------------------------------------------------------
   // fix-me: check that the correct semantics is used.
   private SecurityContext createSecurityContext(final MarkupParams params, final RuntimeContext runtimeContext,
                                                 final org.jboss.portal.wsrp.core.UserContext wsrpUserContext)
   {
      return new SecurityContext()
      {
         public boolean isSecure()
         {
            return params.isSecureClientCommunication();
         }

         public String getAuthType()
         {
            return runtimeContext.getUserAuthentication();
         }

         public String getRemoteUser()
         {
            if (wsrpUserContext != null)
            {
               return wsrpUserContext.getUserContextKey();
            }
            return null;
         }

         public Principal getUserPrincipal()
         {
            return null;
         }

         public boolean isUserInRole(String roleName)
         {
            return wsrpUserContext != null && Tools.isContainedIn(roleName, wsrpUserContext.getUserCategories());
         }

         public boolean isAuthenticated()
         {
            return wsrpUserContext != null;
         }
      };
   }
------------------------------------------------------------------------------------------- 

-------------------------------------------------------------------------------------------
   // fix-me: check that the correct semantics is used.
   private SecurityContext createSecurityContext(final MarkupParams params, final RuntimeContext runtimeContext,
                                                 final org.jboss.portal.wsrp.core.UserContext wsrpUserContext)
   {
      final Request r = ((org.apache.catalina.connector.Request)(SecurityAssociationValve.activeRequest.get()));

      return new SecurityContext()
      {
         public boolean isSecure()
         {
            return r.isSecure();
         }

         public String getAuthType()
         {
            return r.getAuthType();
         }

         public String getRemoteUser()
         {
            return r.getRemoteUser();
         }

         public Principal getUserPrincipal()
         {
            return r.getUserPrincipal();
         }

         public boolean isUserInRole(String roleName)
         {
            return r.isUserInRole(roleName);
         }

         public boolean isAuthenticated()
         {
            return r.getUserPrincipal() != null;
         }
      };
   }
-------------------------------------------------------------------------------------------
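
The difference between the two implementations above, shown side by side as an added example that is not part of the original report or of JBoss Portal. All types are hypothetical stand-ins for the WSRP user context and the container request, and the sample values are constructed.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Set;
// Added illustration (Java 16+). Every type below is a hypothetical stand-in,
// not a JBoss Portal, WSRP or Catalina class.
public class IdentitySourceDemo {
    // Values that arrive inside the request message and are chosen by the sender.
    record AssertedContext(String userContextKey, String[] userCategories) {}
    // What the container holds after it has validated the caller's credentials.
    record AuthenticatedRequest(Principal principal, Set<String> roles) {}
    interface SecurityView {
        String remoteUser();
        boolean isUserInRole(String role);
        boolean isAuthenticated();
    }

    // Mirrors the current approach: identity and roles are read from the message.
    static SecurityView fromMessage(AssertedContext c) {
        return new SecurityView() {
            public String remoteUser() { return c == null ? null : c.userContextKey(); }
            public boolean isUserInRole(String role) { return c != null && c.userCategories() != null && Arrays.asList(c.userCategories()).contains(role); }
            public boolean isAuthenticated() { return c != null; }
        };
    }

    // Mirrors the proposed approach: only the authenticated request is consulted.
    static SecurityView fromContainer(AuthenticatedRequest r) {
        return new SecurityView() {
            public String remoteUser() { return r.principal() == null ? null : r.principal().getName(); }
            public boolean isUserInRole(String role) { return r.principal() != null && r.roles().contains(role); }
            public boolean isAuthenticated() { return r.principal() != null; }
        };
    }

    static String describe(String label, SecurityView v) {
        return label + ": user=" + v.remoteUser() + " authenticated=" + v.isAuthenticated()
                + " inAdministrators=" + v.isUserInRole("Administrators");
    }
    public static void main(String[] args) {
        // Constructed sample: the message names one user, the container authenticated another.
        AssertedContext asserted = new AssertedContext("admin", new String[] {"Administrators"});
        AuthenticatedRequest alice = new AuthenticatedRequest(() -> "alice", Set.of("User"));
        AuthenticatedRequest anonymous = new AuthenticatedRequest(null, Set.of());
        System.out.println(describe("message-derived   ", fromMessage(asserted)));
        System.out.println(describe("container, alice  ", fromContainer(alice)));
        System.out.println(describe("container, no auth", fromContainer(anonymous)));
    }
}
```

The message-derived view reports whatever user and categories the message carries and treats the mere presence of a user context as authentication; the container-derived view reports only what was established when the caller's credentials were validated.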
