From: Scott M S. <Sco...@jb...> - 2001-06-28 21:03:39
What you're doing is correct, that is just a bug in the handling of the null credential. I have fixed this in main.

In 2.4 there is an ability to set the principal of an unauthenticated user, but you cannot assign roles to it. It is not for allowing unauthenticated users access to secured beans. Rather it is for assigning the principal an unsecured bean would see by obtaining the caller principal when called by an unauthenticated user.

You could come up with a generic UnauthenticatedLoginModule that would allow for the specification of the principal and roles that could be inserted into a domain's login configuration when unauthenticated users should be given default capabilities.

----- Original Message -----
From: "Konstantin Priblouda" <kpr...@ya...>
To: <jbo...@li...>
Sent: Thursday, June 28, 2001 11:07 AM
Subject: [JBoss-user] Security in Jboss ( JaasSecurityManager ) - question to developers. Maybe RFE

> Hi all,
>
> I try to implement declarative security using Jboss.
> Basic idea is to allow unauthenticated access to beans
> placed under security domain.
> ( and those beans have to be secured )
>
> When I attempt access from web context ( or client )
> then container tries to authenticate.
> ( principal and credential are of course null )
>
> I wrote login module, which authenticates as
> principal [say] "nobody" with assigned role "nobody"
> under such conditions.
>
> Everything goes fine on the first bean invocation.
> JaasSecurityManager also updates authentication cache.
>
> On the second invocation there is a problem -
> authentication cache is there, so isValid() tries
> to find information in cache. And it barfs exactly
> here:
>
> if(subjectCredential.getClass().isAssignableFrom(credential.getClass())
> == false )
> ( well , credential is null )
>
> And here comes the question:
> Is it possible to have some kind of "default"
> principal
> under "default" role? With configurable behaviour?
> Or is there better way to do this?
> (disabling security domain on beans is not an option)
>
> I will patch JaasSecurityManager to my needs for now.
> Interested people shall ask for source.
>
> tia,
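
The null-credential failure discussed in this thread, as an added example that is not part of either message and is not JBoss source or the fix made in main: a null-safe version of the cached-credential type test, in which a missing credential can match only a cache entry that was also created without one. The class and method names are hypothetical and the credentials are constructed samples.

```java
import java.util.Arrays;

// Added illustration, not JBoss source. Class and method names are hypothetical.
public class CachedCredentialCheck {

    // Returns true only when the presented credential matches the cached one.
    static boolean matchesCached(Object cached, Object presented) {
        // Unauthenticated caller: there is no object to call getClass() on.
        // A null credential may match only a cache entry that was itself
        // created without a credential, never a stored secret.
        if (cached == null || presented == null) {
            return cached == null && presented == null;
        }
        // The type test quoted in the message, now reached with non-null operands.
        if (!cached.getClass().isAssignableFrom(presented.getClass())) {
            return false;
        }
        // Passwords are commonly char[]; equals() on arrays compares identity.
        if (cached instanceof char[]) {
            return Arrays.equals((char[]) cached, (char[]) presented);
        }
        return cached.equals(presented);
    }

    static void expect(boolean expected, boolean actual, String label) {
        if (expected != actual) {
            throw new IllegalStateException("unexpected result: " + label);
        }
        System.out.println(label + " -> " + actual);
    }

    public static void main(String[] args) {
        // Constructed sample credentials.
        char[] secret = "s3cret".toCharArray();
        expect(true, matchesCached(null, null), "anonymous entry, anonymous caller");
        expect(false, matchesCached(secret, null), "password entry, anonymous caller");
        expect(false, matchesCached(null, secret), "anonymous entry, password caller");
        expect(true, matchesCached(secret, "s3cret".toCharArray()), "same password");
        expect(false, matchesCached(secret, "s3cret"), "char[] entry, String caller");
    }
}
```

With a recent JDK the file runs directly as `java CachedCredentialCheck.java`; any mismatch between an expected and actual result throws instead of printing.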