This is going to be a long post, so please be patient :)).
We are currently developing a middle tier application hosted on Weblogic. We have users, groups and roles stored in Oracle Internet Directory (LDAP product from Oracle). The choice of both Weblogic and Oracle Internet Directory has been made on our client's request.
We are required to expose EJB and webservices to external applications written in Java and C/C++. We also have to maintain security of our data, by restricting access to the exposed EJB and webservice interfaces.
Preferably, I would have wanted the design not to use container specific APIs, but I find that JAAS implementation for containers is very different for each container - and somehow, we are compelled to use some container specific APIs. If anyone can suggest a better and standard J2EE technique, it would be most helpful.
Accordingly, the design I have thought of is as follows-
1. Authentication - Expose a stateless session bean- LoginBean with a method accepting username and password from the client application. This would have no security restrictions.
The LoginBean would authenticate the user with the Oracle Internet Directory - I plan to write a custom authentication provider implementing javax.security.auth.spi.LoginModule and plug it into the default realm for weblogic.
2. The LoginBean would get the authenticated Subject using weblogic class Security.getCurrentSubject() and cache it in the middle tier and return a sessionid to the client application.
3. Authorization- For all further requests, client would send the sessionid to the middletier. The facade stateless session beans or webservices exposed to the client application would all have unrestricted access, but would internally call secure counterparts to actually execute the action. For this, they would use the sessionid to retrieve the Subject from the cache and use weblogic.security.Security.runAs(subject, privilegedAction) method to carry out the operation. So, this is how the authorization would be done for the operations.
I have tested this with a small program and it is all working properly. However I am not sure if this is an optimum design. I have designed it this way, so that I can use the same stateless session EJBs for exposing as web services, and besides C/C++ clients cannot use JAAS. So all JAAS related operations should be internally taken care of by the middle tier application.
Another doubt I have is regarding Security.getCurrentSubject(). How safe is this? If we have multiple threads, all getting authenticated at the same time, will this method take care to return the currentSubject for the particular thread only? The weblogic API documentation for this method is not very clear.
Is it possible to use identity assertion instead of caching the subject? Where can I find good examples for the same.