2 Replies Latest reply on Jan 13, 2006 1:27 PM by starksm64

    JACC provider under JBoss 4.0.3

    akrestan

      Hi

      I am experiencing the following behaviour when using a custom JACC provider with 4.0.3 (I have configured the JaasAuthenticationInterceptor and JaccAuthorizationInterceptor JBoss plugins, the JaccAuthorizationRealm in the Tomcat sar, and other settings for the JACC provider):

      1a) during a call from a "runAs" configured EJB to another EJB, the javax.security.jacc.PolicyContext.getContext("javax.security.auth.Subject.container") method returns a subject populated with a SimplePrincipal that contains the "runAs" role name, not the "runAs" principal configured in jboss.xml for the EJB.

      1b) during a call from a "runAs" configured servlet to an EJB, the javax.security.jacc.PolicyContext.getContext("javax.security.auth.Subject.container") method returns a subject with no principal, although the servlet has the "runAs" principal configured in jboss-web.xml.

      However the internal SecurityAssociation.getCallerPrincipal() does return the configured "runAs" principal at least in the EJB container.

      JACC 1.0 specification chapter 4.6.1.1 says the caller's or runAs identity should be returned, but I am not sure what is meant by it. I am trying to control access to components based on identity, e.g. the username of the user that is authenticated and, in the case of "runAs", the principal configured for the "runAs" role.

      2) when EJBContext.getCallerPrincipal() is called in an EJB that is called from an EJB with a configured "runAs" role, the principal I am getting is the principal that has authenticated to the container, not the principal associated with the "runAs" role. However, if the caller is NOT authenticated to the EJB container, the same call returns the principal that IS associated with the "runAs" role. I am using a custom login module not inherited from the JBoss abstract login modules.

      3) the call to SessionContext.isCallerInRole(String roleName) does not consult the JACC provider. IMO it should check for the EJBRoleRefPermission. The servlet container seems to be working OK, i.e. the call to HttpServletRequest.isUserInRole(String role) consults the JACC provider for WebRoleRefPermission.

      A.K.
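As an added illustration (not code from this thread or from JBoss), this is the check that item 3 expects the EJB container to make for SessionContext.isCallerInRole: the role-ref query is turned into an EJBRoleRefPermission and decided by the installed JACC Policy, the same way the servlet container handles WebRoleRefPermission. The class name JaccRoleRefCheck and the contextId/ejbName/roleName parameters are assumptions for the example.

```java
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import javax.security.auth.Subject;
import javax.security.jacc.EJBRoleRefPermission;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;

// Hypothetical helper (not JBoss code) showing the JACC 1.0 decision a
// container should make for SessionContext.isCallerInRole(roleName).
public final class JaccRoleRefCheck {

    private JaccRoleRefCheck() {}

    /**
     * @param contextId the JACC policy context id of the deployed module
     * @param ejbName   the ejb-name whose security-role-ref is being tested
     * @param roleName  the role-name from that bean's security-role-ref
     */
    public static boolean isCallerInRole(String contextId, String ejbName, String roleName)
            throws PolicyContextException {
        // Tell the provider which module's policy applies to this decision.
        PolicyContext.setContextID(contextId);

        // Caller identity as the JACC provider sees it (the Subject handler).
        // As the thread reports, in 4.0.3 this Subject may carry only the
        // run-as role name as a principal, so the decision below reflects
        // whatever the container actually placed there.
        Subject caller = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
        Principal[] principals = caller == null
                ? new Principal[0]
                : caller.getPrincipals().toArray(new Principal[0]);

        // Only the principals matter for a role-ref decision; code source and
        // static permissions are left null.
        ProtectionDomain pd = new ProtectionDomain(null, null, null, principals);
        EJBRoleRefPermission perm = new EJBRoleRefPermission(ejbName, roleName);

        // Policy.implies delegates to the installed JACC provider; this is the
        // consultation the original post says is missing for isCallerInRole.
        return Policy.getPolicy().implies(pd, perm);
    }
}
```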

        • 1. Re: JACC provider under JBoss 4.0.3
          starksm64

          Create a jira issue with the details of the deployment configuration.
          http://jira.jboss.com/jira/browse/JBAS

          • 2. Re: JACC provider under JBoss 4.0.3
            starksm64

            I see the same behavior for 1a and 1b. The Subject contains a single principal with a name equal to the run-as/role-name.

            23:16:45,928 INFO [STDOUT] publicMethod, PolicyContext subject: Subject:
             Principal: identitySubstitutionCaller
            I have updated this to use the run-as principal and added the run-as roles in a group named "Roles" to be consistent with the default login module behavior:
            23:14:54,115 INFO [STDOUT] publicMethod, PolicyContext subject: Subject:
             Principal: Roles(members:identitySubstitutionCaller)
             Principal: [roles=[identitySubstitutionCaller],principal=runAsUser]
            2) the run-as principal should be returned consistently here because the run-as identity affects every callout made by the bean regardless of who the caller is.

            3) This is definitely a bug:
            http://jira.jboss.com/jira/browse/JBAS-2661