[jboss-user] [Security & JAAS/JBoss] - Re: ClientLoginModule and additional state

bidd do-not-reply at jboss.com
Tue Apr 29 05:18:22 EDT 2008

Thank you for the reply and sorry - I didn't quite make myself clear. Using state was not the correct term. 

Having read the JAAS tutorial I see that a Subject can have many principals. For instance a username, a social security number etc. Using the ClientLoginModule (from a remote java client) I was hoping that I could add addition principals to my Subject and the additional Principals would be available in the server in my custom login module. This isn't the case.

I think I know why now as in the SecurityClientInterceptor.java JBoss does the following:

public Object invoke(org.jboss.aop.joinpoint.Invocation invocation) throws Throwable
  |    {
  |       // Get Principal and credentials 
  |       Principal principal = SecurityActions.getPrincipal();
  |       if (principal != null) invocation.getMetaData().addMetaData("security", "principal", principal);
  |       Object credential = SecurityActions.getCredential();
  |       if (credential != null) invocation.getMetaData().addMetaData("security", "credential", credential);
  |       return invocation.invokeNext();
  |    }

So it appears that only a Principal and Credential are remoted to the server in the ejb call meta data. 

Not that I really know anything about it but I was expecting to see a Subject used rather than a Principal.

I'll investigate using a custom principal.

I can see no way from a remote java client to get information into the options and shared state maps as I understand it, they are purely for purposes of communication between login modules and for configuration options.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4147457#4147457

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4147457

More information about the jboss-user mailing list