Re: [JBoss-user] Security in Jboss ( JaasSecurityManager ) - question to developers. Maybe RFE

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

What your doing is correct, that is just a bug in the handling of the null
credential. I have fixed this in main.

In 2.4 there is an ability to set the principal of an unauthenticated user,
but you cannot assign roles to it. It is not for allowing unauthenticated
users access to secured beans. Rather it is for assigning the principal
an unsecured bean would see by obtaining the caller principal when
called by an unauthenticated user.

You could come up with a generic UnauthenticatedLoginModule that
would allow for the specification of the principal and roles that could
be inserted into a domain's login configuration when unauthenticated
users should be given default capabilities.

----- Original Message ----- 
From: "Konstantin Priblouda" <kpr...@ya...>
To: <jbo...@li...>
Sent: Thursday, June 28, 2001 11:07 AM
Subject: [JBoss-user] Security in Jboss ( JaasSecurityManager ) - question to developers. Maybe RFE

> Hi all, 
> 
> I try to implement declarative security using Jboss. 
> Basic idea is to allow unauthenticated access to beans
> placed under security domain. 
> ( and those bean have to be secured )
> 
> When I attempt access from web context ( or client )
> then container tries to authenticate. 
> ( principal and credential are of course null )
> 
> I wrote login module, which authenticates as 
> principal [say] "nobody" with assigned role "nobody" 
> under such conditions. 
> 
> Everything goes fine on the first bean invocation.
> JaasSecurityManager also updates authentication cache.
> 
> 
> On the second invocation there is an promblem - 
> authentication cache is there, so isValid() tries
> to find information in cache. And it barfs exactly
> here:
> 
> if(subjectCredential.getClass().isAssignableFrom(credential.getClass())
> == false )
> ( well , credential is null )
> 
> And here comes the question:
> Is it possible to have some kind of "default"
> principal
> under "default" role? With configurable behaviour?
> Or is there better way to do this?
> (disabling security domain on beans is not an option)
> 
> I will patch JaasSecurityManager to my needs for now. 
> Interested people shall ask for source. 
> 
> tia,
> 