-
1. Re: JBoss 4.2 related discussion
starksm64 Feb 16, 2007 8:21 PM (in response to anil.saldhana)We just need to support the introduction of static roles. Where authentication is done to obtain a Subject, a post authentication interceptor can be added to optionally associated deployment level roles + mappings. This interceptor would have to be in between the authentication and authorization interceptors.
In the web container, the construction of the JBossGenericPrincipal roles needs to consult the deployment metadata. -
2. Re: JBoss 4.2 related discussion
anil.saldhana Feb 16, 2007 11:20 PM (in response to anil.saldhana)"scott.stark@jboss.org" wrote:
We just need to support the introduction of static roles. Where authentication is done to obtain a Subject, a post authentication interceptor can be added to optionally associated deployment level roles + mappings. This interceptor would have to be in between the authentication and authorization interceptors.
In the web container, the construction of the JBossGenericPrincipal roles needs to consult the deployment metadata.
That made perfect sense. Thanks Scott. -
3. Re: JBoss 4.2 related discussion
anil.saldhana Feb 22, 2007 5:21 PM (in response to anil.saldhana)An issue that I did not originally think of, is the subject after authentication is read-only. Cannot do much about adding roles into the subject.
The PolicyContext getContextSubject is creating a read-only subject in the SubjectPolicyContextHandlertheSubject = new Subject(true, principalsSet, activeSubject.getPublicCredentials(), activeSubject.getPrivateCredentials());
I can probably use the SecurityAssociation.getSubject in the intermediate interceptor such that during authorization, the getContextSubject can return the read-only subject. -
4. Re: JBoss 4.2 related discussion
starksm64 Feb 22, 2007 7:10 PM (in response to anil.saldhana)The PolicyContext would just be a copy even if it was not read-only. One way would be to simply add the roles to the invocation and update the authorization interceptor logic to look there in addition to the RealmMapping.doesUserHaveRole call. Not having the roles assigned to the Subject is the direction we are heading anyway.
-
5. Re: JBoss 4.2 related discussion
anil.saldhana Feb 22, 2007 7:15 PM (in response to anil.saldhana)There is no need to add the roles to the invocation. The principal to role mapping can be obtained via the org.jboss.metadata.AssemblyDescriptorMetaData principal to role mapping, which is available on the container passing into the interceptor.
For 5.0, this is not an issue as we can use role mapping logic before authorization in the build up of the security context. -
6. Re: JBoss 4.2 related discussion
starksm64 Feb 22, 2007 7:29 PM (in response to anil.saldhana)ok, good.