
Losing JAAS subject entries in Custom LoginModule

Former Member
0 Kudos

Hi,

I have an application running on Tomcat that uses JAAS authentication and authorization mechanisms against its own database.

To migrate the app to NetWeaver 7.1, I wrote a custom LoginModule depending on the SAP security API that uses the external database and creates a technical user to access the SAP Web Container, but I have the problem of losing all my custom (principal) roles set in the "Subject" object.

General approach for setting roles:


Principal principal = new com.sap.engine.lib.security.Principal(value);
m_subject.getPrincipals().add(principal);

On the SAP WAS only the Principal (my technical user), explicitly set in the "SharedState" object, "survives" the login process.


// set SAP specific Loginname
m_sharedState.put(AbstractLoginModule.NAME, principalUser);

// set SAP specific Principal
m_sharedState.put(AbstractLoginModule.PRINCIPAL, new com.sap.engine.lib.security.Principal(principalUser));

What can I do to access, in the application, my custom roles put into the Subject object this way?

request.isUserInRole(<ROLENAME>);

Any kind of ideas welcome...

Thomas

Accepted Solutions (0)

Answers (1)

Vlado
Advisor
0 Kudos

Please have a look at this thread.

Hope it helps!

-- Vladimir

Former Member
0 Kudos

Thank you for the answer,

but this is not quite the problem I have.

The authentication against the UME Store works fine; after this step I need to dynamically put some role information into the subject. This happens by the approach mentioned before:


Principal principal = new com.sap.engine.lib.security.Principal(value);
m_subject.getPrincipals().add(principal);

This fragment is called multiple times to transport additional information, which is not user specific, to configure the application.

"Normally" (e.g. Tomcat or JBoss) you can get at this information later in your application somehow like this:


// Role check as done on Tomcat/JBoss: the container answers from the role principals in the Subject
if (request.isUserInRole(param1)) {
    ...
}
else if (request.isUserInRole(param2)) {
    ...
}

So the right question for my problem might be: "Is it possible to programmatically set some further information in the subject (subject.getPrincipals().add(...)), or does all information have to come from the UME Store, managed by the container?"

Regards

Thomas

0 Kudos

Hello Thomas,

I am not sure to what extent you are familiar with the JACC specification. JACC (Java Authorization Contract for Containers) is part of Java EE 5, and NetWeaver 7.1 bases the authorization aspect of how the Web Container manages the security of its applications on it. The specification states that when the application calls request.isUserInRole("<security-role-name>") the container must delegate the question to the JACC Policy Provider. In NetWeaver 7.1 the JACC Policy Provider in place is built on top of the UME authorization model. The major benefit from this is that the same management tools and the same API NetWeaver developers are already familiar with are available to work with JACC. As a side effect, no role-related information is put into the Subject, and as a result you cannot influence authorization decisions with a login module. This should explain the difference you experience with respect to other application servers.

Just as a side remark, with Tomcat and JBoss you are probably using a special principal class that is documented to work as a role principal. This would mean that you use some interfaces proprietary to these application servers. When you migrate to the NW application server you would need to convert to role principals that NWAS understands. But this is not possible, as NWAS does not use principals containing role information.

The other point you make - that principals set from your login module do not survive - is not correct. All principals and credentials you add to the subject during authentication are stored with the subject and are available for the whole session of the authenticated user. You simply cannot access them via the HTTP request API.

I can suggest two approaches you can consider to solve the task you have:

1. You can write your own JACC policy provider that handles the authorization data stored in the database of the application; or

2. You can get the principals of the authenticated subject from the application by accessing the subject directly and using its interface.

Best regards,

Stephan
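To make the two points above concrete (the role principals added by the custom login module do stay in the Subject, and approach 2 reads them from the Subject directly instead of via request.isUserInRole()), here is an added, self-contained JAAS example. It is not code from the thread or from SAP: the RolePrincipal class, the DbRoleLoginModule, the in-memory "database" map and the user name "thomas" are all constructed for the demo, and plain javax.security.auth classes stand in for the SAP-specific AbstractLoginModule and com.sap.engine.lib.security.Principal. The only assumption about NetWeaver is the one the answer states: whatever the module adds to the Subject is kept for the session and can be read through the Subject's own interface.

```java
import java.security.Principal;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class SubjectRoleDemo {

    /** Hypothetical role principal: one instance per role the login module attaches to the user. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "RolePrincipal[" + name + "]"; }
    }

    /** Hypothetical login module standing in for the thread's custom module; the "database" is a constructed map. */
    public static class DbRoleLoginModule implements LoginModule {
        private static final Map<String, List<String>> ROLES_DB = Map.of("thomas", List.of("admin", "reporting"));
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean succeeded;

        @Override
        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override
        public boolean login() throws LoginException {
            // Obtain the user name through the standard NameCallback and look it up in the constructed "database".
            NameCallback nameCb = new NameCallback("user: ");
            try {
                handler.handle(new Callback[] { nameCb });
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            if (nameCb.getName() == null || !ROLES_DB.containsKey(nameCb.getName())) {
                throw new FailedLoginException("unknown user");
            }
            user = nameCb.getName();
            succeeded = true;
            return true;
        }

        @Override
        public boolean commit() {
            if (!succeeded) return false;
            // Same step as in the thread: role information goes into the Subject's principal set.
            // The container keeps it for the session, but on NW 7.1 isUserInRole() never consults it.
            for (String role : ROLES_DB.get(user)) subject.getPrincipals().add(new RolePrincipal(role));
            return true;
        }

        @Override public boolean abort() { succeeded = false; return true; }
        @Override public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof RolePrincipal); return true; }
    }

    /** Approach 2 from the answer: the application asks the Subject itself, not the HTTP request API. */
    public static boolean subjectHasRole(Subject subject, String role) {
        return subject.getPrincipals(RolePrincipal.class).stream().anyMatch(p -> p.getName().equals(role));
    }

    public static void main(String[] args) throws LoginException {
        // In-memory JAAS configuration so the demo needs no jaas.conf file.
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DbRoleLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) if (cb instanceof NameCallback) ((NameCallback) cb).setName("thomas");
        };
        LoginContext lc = new LoginContext("demo", new Subject(), handler, cfg);
        lc.login();
        Subject s = lc.getSubject();
        System.out.println("principals after login: " + s.getPrincipals());
        System.out.println("admin via Subject:   " + subjectHasRole(s, "admin"));
        System.out.println("finance via Subject: " + subjectHasRole(s, "finance"));
    }
}
```

Run with `javac SubjectRoleDemo.java && java SubjectRoleDemo`. The printed principal set shows that the role principals survive commit(); subjectHasRole() is the check an application would use in place of request.isUserInRole() when, as on NetWeaver 7.1, the container's JACC provider does not derive roles from the Subject. How the application obtains the authenticated Subject inside the NetWeaver Web Container is platform specific and not shown here.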

Former Member
0 Kudos

Hello Stephan,

thank you for this answer.

I hoped that I wouldn't have to spend so much time on the migration of my "legacy application" to NWA, that some little coding and some declarative work would be sufficient, but now things become quite clear.

It will be a bigger effort and needs tasks of refactoring and redesign to achieve the goal.

Perhaps it is easier to solve the problem on the organizational layer.

Best Regards

Thomas