
Returning a custom principal object in an ejb using getCallerPrincipal()


justin...@sadalbari.com

Oct 20, 2008, 1:46:35 PM
I have an EAR with a WEB and EJB module running on WAS 6.1.0.2 on Windows XP. Application security is turned on, and both the WAR's resources (SecureServlet) and the EJB (SecureEJB) are secured. Form-based security is in place.

I have a requirement to return a custom principal in the EJB from the call
sessionContext.getCallerPrincipal(). This caller principal will be populated in a JAAS login module.
I do not want to introduce any WebSphere-specific code into my EJB, so using 'WSSubject.getCallerPrincipal()' is not an option.

The documentation on this is a little scant (see references below). From what I can gather, I need to (correct me if I am wrong)
1) Create a Principal object in my JAAS login module
2) Ensure that the principal implements WSPrincipal (e.g. WSPrincipalImpl)
3) Add the principal to the subject
4) Include the login module in one of the WEB_INBOUND JAAS configurations.

I still however cannot get my custom principal out of the method call.

Principal principal = this.mySessionCtx.getCallerPrincipal();
System.out.println(
    "CallerPrincipal: " + principal.getClass().getName() +
    " [" + principal + "]");

returns:
[08/10/20 18:13:48:062 CAT] 00000020 SystemOut O CallerPrincipal: com.ibm.ws.security.auth.Identity [admin]

I have also tried:
* a custom class implementing the Principal interface and then specifying
AttributeNameConstants.ZOS_CALLER_PRINCIPAL_CLASS in the shared state
* moving the custom login module around in the WEB_INBOUND system login configuration, which still contains the 2 original modules (com.ibm.ws.security.server.lm.ltpaLoginModule and com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule)

What do I need to do to get this to work?


--
References:
1) http://www-128.ibm.com/developerworks/forums/thread.jspa?messageID=13986631

2) http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/csec_writesafmapmods.html

"// A Subject may contain more than one Principal. This value specifies the
// class of the Principal to be returned when the Subject is asked for the
// Caller Principal."

3) IBM WebSphere Application Server V6.1 Security Handbook - page 90 (Section 5.3.2)

Paul Ilechko

Oct 20, 2008, 6:12:42 PM
justin...@sadalbari.com wrote:
> I have an EAR with a WEB and EJB module running on WAS 6.1.0.2 on Windows XP. Application security is turned on, and both the WAR's resources (SecureServlet) and the EJB (SecureEJB) are secured. Form-based security is in place.
>
> I have a requirement to return a custom principal in the EJB from the call
> sessionContext.getCallerPrincipal(). This caller principal will be populated in a JAAS login module.
> I do not want to introduce any WebSphere-specific code into my EJB, so using 'WSSubject.getCallerPrincipal()' is not an option.
>
> The documentation on this is a little scant (see references below).

http://www.ibm.com/developerworks/websphere/techjournal/0508_benantar/0508_benantar.html


htak...@us.ibm.com

Oct 23, 2008, 8:34:33 AM
I recently came across a similar issue where the principal was not passed into the WebSphere Subject from a custom login module as expected; it was due to missing just one operation (setting a hashtable).

You might already know this, but just in case, let me attach some info below. Hope it helps...

In the following article,
http://www.ibm.com/developerworks/websphere/techjournal/0508_benantar/0508_benantar.html

look for "Create a custom subject with custom credentials", which shows a TAI example of how to pass the custom Subject. Then later, in the "JAAS usage" section, it says "The hashtable shown here is assumed to have been created with the exact same format as was shown earlier in the TAI example" and states that the hashtable needs to be passed along.
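As an added example for the steps listed in the first post and the hashtable point raised in the last reply (this is example code written for this page, not the poster's module and not IBM's code): a JAAS LoginModule for the WEB_INBOUND configuration that adds an application-defined Principal to the Subject and, in the same commit(), puts the WebSphere credential hashtable into shared state. The principal class name AppPrincipal, the realm name, the group name and the "engineering" attribute are assumptions; the AttributeNameConstants keys are the ones the Benantar article linked above uses.

```java
import java.io.Serializable;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.wsspi.security.token.AttributeNameConstants;

/** Example login module for WEB_INBOUND: custom Principal plus WebSphere credential hashtable. */
public class CustomPrincipalLoginModule implements LoginModule {

    /** Hypothetical application principal; the class name and extra attribute are assumptions. */
    public static final class AppPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final String department;

        public AppPrincipal(String name, String department) {
            this.name = name;
            this.department = department;
        }
        public String getName() { return name; }
        public String getDepartment() { return department; }
        public String toString() { return name + " (" + department + ")"; }
        public boolean equals(Object o) {
            return o instanceof AppPrincipal && ((AppPrincipal) o).name.equals(name);
        }
        public int hashCode() { return name.hashCode(); }
    }

    // Assumed realm name: use the realm of the user registry configured in WAS.
    private static final String REALM = "defaultWIMFileBasedRealm";

    private Subject subject;
    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private String userName;
    private AppPrincipal principal;

    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
    }

    public boolean login() throws LoginException {
        // The container's callback handler supplies the already-authenticated user name.
        NameCallback nameCb = new NameCallback("user name: ");
        try {
            handler.handle(new Callback[] { nameCb });
        } catch (Exception e) {
            LoginException le = new LoginException("callback handler failed");
            le.initCause(e);
            throw le;
        }
        userName = nameCb.getName();
        if (userName == null || userName.length() == 0) {
            throw new LoginException("no user name available from callback handler");
        }
        return true;
    }

    public boolean commit() throws LoginException {
        // Steps 1-3 of the first post: build the principal and add it to the Subject.
        // "engineering" stands in for an attribute looked up from the application's own store.
        principal = new AppPrincipal(userName, "engineering");
        subject.getPrincipals().add(principal);

        // The operation the last reply points at: WebSphere builds its own credentials
        // from this hashtable, so it must be placed in shared state as well.
        Hashtable<String, Object> creds = new Hashtable<String, Object>();
        creds.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, "user:" + REALM + "/" + userName);
        creds.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, userName);
        ArrayList<String> groups = new ArrayList<String>();
        groups.add("group:" + REALM + "/users");   // assumed group membership
        creds.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
        // The cache key must change whenever the resulting Subject would differ.
        creds.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY,
                  userName + ":" + principal.getDepartment());
        sharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, creds);
        return true;
    }

    public boolean abort() {
        userName = null;
        principal = null;
        return true;
    }

    public boolean logout() {
        if (principal != null) {
            subject.getPrincipals().remove(principal);
        }
        return true;
    }
}
```

Two caveats a practitioner should keep in mind. First, the module covers the two things the thread identifies (the Principal on the Subject and the hashtable in shared state); the first post's own log line shows the EJB's getCallerPrincipal() still returning com.ibm.ws.security.auth.Identity, and the thread does not report whether adding the hashtable alone changes that, so verify it on your own server rather than assuming it. Second, because the hashtable asserts the user's identity and groups to the container, the module must only run after the user has actually been authenticated by the preceding login modules; a module that fabricates these entries for an unauthenticated name is an authentication bypass.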
