Discussions

EJB programming & troubleshooting: How do I reach JAAS Subject in my JCA adapter

  1. How do I reach JAAS Subject in my JCA adapter (6 messages)

    Hi!

    I want to use JAAS to logon to an EIS to get some session information. This session information must be past to the EIS system each time the EIS is used. I have written the logon module in JAAS and I have also written the JCA adapter but when my jsp client code gets the javax.resource.cci.Connection instance (after it is signed on to the EIS) the subject passed to my ManagedConnection is null.

    Do I have to use the Subject.doAs(...) method to reach the Subject that contains my session information? I've heard that it scould be possible to get the Subject from the Thread.currentThred() in Weblogic 6.1 that i'm using...

    Any help is appricted!

  2. Since noone has answered my question - I try to do a follow up here... Q:)

    I have now tried to get the Subject in my ManagedConnectionFactory that is a part of my JCA adpater implementation. The constructor seems to be called with subject=null regardless of wheater using the doAs() method or not. I have found a way around this however. By calling

    acc = java.security.AccessController.getContext();
    Subject subject = Subject.getSubject(acc);

    ...I get the subject containing the session information that I need. But this is only the case when the code is located inside the a PrivilegedAction run by the doAs() method.

    My question now is - what will happen when I distribute my application (by doing remote calls to remote EJBs etc). Will the subject be distributed as well or will I get a weak design using this approach? Obviously I have answered my own question - I have to use the doAs() method - but ofcourse this raised a new critical question.

    I would be very happy if someone could help me with this issue or maybe tell me where to look for the answers... :)

  3. This might seem very obvious but have you refered to :

    http://e-docs.bea.com/wls/docs61/jconnector/security.html

    ?

    cheers,
    AT
  4. Tanks for your time!

    Yes I have read the documentation for WL6.1 at bea. They talks about configuring a Security Map this seems to be a temporary solution because in WL7.0 this feature is deprecated...

    Bea says that if I try to use Container-managed sign on without configuring the Security Map in the weblogic-ra.xml file i will recieve a NULL subject in my managedConnectionFactory. They call this a third approach that does not fit into either Non-managed Sign-On or Container-managed Sign-On.

    As far as I understand - the container managed sign on suppose that my Application wants to connect to the EIS as one user (or maybe a few different users) but in my application every user must logon on to the EIS.

    What I want to do is use the subject (= the subject that I added information to in my LoginModule) in my ManagedConnectionFactory and then use this information and some session information for the EIS without passing these parameters explictly to some EJB interface or ValueObject (ie letting JAAS pass a subject to my JCA adapter)...

    As I've mentioned before - if I use java.security.AccessController.getContext() it works the way I want but I do not know if it is safe rely on this context to get the subject I want???

    Any one who knows how JAAS AccessController and Subject.getSubject() behaves in a distributed application?

     
  5. can u tell me how u come up with JCA for particular EIS.
    I am trying to use that but couldn't able to get some API's for java from the specific EIS.

    thanks in advance.

    with regards,
    Radhakrishnan.
  6. Radhakrishnan,
    Please rephrase. I don't understand what you are trying to do.
  7. Dear Niklas,
    I'm currently working on a design for security within the EJB-layer of a larger application framework, and some concerns that I have relate to what you are trying to do. Although we do not want to delegate security checks to the EIS (as you seem to be doing), we do need perhaps fine-grained security checks in the EJB-layer. Or do we not?

    As a simple example, a normal user can view his user-profile, but not someone else's.

    The simplest option is to handle this in the client-layer. Here you do login, next you retrieve the profile of the authenticated user.

    You could also do extra checks in the EJB-layer. For instance, you could check that the name of the user-profile equals the name of the Principal, or even work with Subjects and credentials.

    The conceptual problem that bugs me is this: whatever you do in the EJB-layer, malicious client-code can always break security (for instance, by supplying the wrong name). But if we fully trust the client code, then why bother implementing security checks in the EJB-layer. (As opposed to role-based security, which is an entirely different security model altogether.)

    In your case, why don't you simply pass on the authentication parameters as free text to the EIS? Maybe this is a silly question, I'm just trying to get into the right mindset...