How do I access JAAS roles at arbitrary point in the code?

4
votes

I want to access the full model of users with their roles in my SOAP app. For example, I might want to know the role of a user called "Fred."

How do I reach into some sort of global JAAS registry and do (pseudocode) globalRegistry.getUser("Fred").getPrincipals()? (Note that in JAAS, a role is represented by a Principal.)

I know how to get the Principal of the Subject from the LoginContext, but that has two problems.

  1. It is only at the moment of login, and I'd prefer not to code the aforementioned registry and store the Subject and Principal objects myself, as they are already stored by the appserver.
  2. Preferably, I want to be able to access this information even when Fred is not the current user.

I am using Jetty, but I presume that these behaviors are standard to JAAS.

5
javasecurityjaasrolesecurity-roles

5 Answers

5
votes

A pattern i have seen is:

AccessControlContext acc = AccessController.getContext();
Subject subject = Subject.getSubject(acc);
Set<Principal> principals = subject.getPrincipals();

Essentially, this finds the subject currently associated with the current thread, and asks for its principals.

One example of the use of this is in Apache Jackrabbit's RepositoryImpl. It's in the extendAuthentication method, whose job is to determine what Jackrabbit rights the current thread has when creating a new session (i think).

However, i should note that this may not necessarily actually work, at least in J2EE contexts. I'm using this code under JBoss AS7, and it doesn't find a subject. That might just be a bug, though.

3
votes

We use a ThreadLocal variable to reference the current user as has been authenticated at the system entrypoint (a servlet or ejb in our case). This allows 'global' access to the current user. This is not directly tied to JAAS or any other security protocol, but can be initialized from them.

EDIT: The return from the ThreadLocal is the Subject for the current user.

Accessing other users would typically be done via some type of admin module.

1
votes

To me, it seems this mizes appsever's users, groups etc. with J2EE application roles.

  • Getting permissions of a certaion user is a administration task and usually has to be accomplished using appserver-specific APIs.
  • JAAS programming model works on higher level of abstratcion. It only provides the information whether a user is in a J2EE role (defined within the application)
1
votes

I believe that JAAS was designed to not really allow what you are trying to do. I know in the apps I've built that I needed that sort of functionality I had to side-step JAAS and program directly to whatever the actual identity repository was, be it LDAP, ActiveDirectory or whatever.

0
votes

In a EJB use 

@Resource(mappedName = "java:comp/EJBContext")
protected SessionContext sessionContext;

And try with context.lookup("java:comp/EJBContext") at any point.

This code is for JBoss server family, for others look in their JNDI to find it.