Developer blog

Wednesday, August 03, 2005

J2EE security

Ok, here we go.
In the base J2EE security model there are two main concepts: groups and roles. Every logged-in
user can act in some roles, and there is a lot of quite useful stuff for the developer to deal with them, like isUserInRole() or <logic:present>. But if you look at JBoss, it uses a security model called JAAS, and there is a concept named Principal. The main idea is that when someone logs in, they get a set of Principals, and Principal is just an interface that you can implement anywhere.
And if you look in the UsernamePasswordLoginModule abstract class, you'll find the method
protected abstract java.security.acl.Group[] getRoleSets() throws LoginException;

In this case Group implements Principal and is a group of other Principals. If you have only
roles in your application, you can just create one Group named "Roles" and put some SimplePrincipal objects into it, so you get a role-based policy in your application. But sometimes you need to know some additional information about the logged-in user. For example, your application can use some kind of resources, and you need to know which resources a user may use. So you can create an additional Group named, for example, 'Resources' and put resource ids into it. The problem is that, for all the flexibility of using roles during development, there are no tools for using such additional Groups. So you'll need to write them yourself.
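The following login module is an added example, not code from the post or from JBoss: it subclasses JBoss's UsernamePasswordLoginModule and returns both a "Roles" group (the one the container interprets for isUserInRole()) and an application-specific "Resources" group. The class name ResourceAwareLoginModule, the package, and the in-memory user tables are assumptions constructed for the example; a real module would read them from a directory or database.

```java
package example; // hypothetical package, not from the post

import java.security.acl.Group;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Login module that places two groups on the Subject: "Roles", which JBoss
 * consults for isUserInRole(), and "Resources", which only our own code reads.
 */
public class ResourceAwareLoginModule extends UsernamePasswordLoginModule {

    // Constructed sample data: username -> password, roles and resource ids.
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    private static final Map<String, List<String>> ROLES = new HashMap<String, List<String>>();
    private static final Map<String, List<String>> RESOURCES = new HashMap<String, List<String>>();

    static {
        PASSWORDS.put("alice", "secret1");
        ROLES.put("alice", Arrays.asList("user", "editor"));
        RESOURCES.put("alice", Arrays.asList("printer-42", "report-7"));

        PASSWORDS.put("bob", "secret2");
        ROLES.put("bob", Arrays.asList("user"));
        RESOURCES.put("bob", Arrays.asList("report-7"));
    }

    /** Expected password for the user being authenticated; rejects unknown users. */
    @Override
    protected String getUsersPassword() throws LoginException {
        String password = PASSWORDS.get(getUsername());
        if (password == null) {
            throw new LoginException("unknown user");
        }
        return password;
    }

    /** One Group per category. Only the group named "Roles" has meaning to JBoss. */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        String user = getUsername();

        Group roles = new SimpleGroup("Roles");
        for (String role : lookup(ROLES, user)) {
            roles.addMember(new SimplePrincipal(role));
        }

        Group resources = new SimpleGroup("Resources");
        for (String resourceId : lookup(RESOURCES, user)) {
            resources.addMember(new SimplePrincipal(resourceId));
        }

        return new Group[] { roles, resources };
    }

    /** Null-safe lookup so a user with no entry simply gets an empty group. */
    private static List<String> lookup(Map<String, List<String>> table, String user) {
        List<String> values = table.get(user);
        return values == null ? Collections.<String>emptyList() : values;
    }
}
```

The module is wired in like any other JBoss login module (a login-config.xml application-policy pointing at this class). The sample keeps passwords in clear text only to stay short; in a deployment you would store hashes and enable the module's hashAlgorithm option so getUsersPassword() returns the stored digest rather than the plaintext.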
I have spent about a day trying to find an easy way to get the Subject of the currently logged-in user, and when I was close to giving up, I found this:
Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");

Using this PolicyContext class you'll be able to get the Subject, and this means you'll be able to get all current Principals like this:
Set principals = subject.getPrincipals();

The first principal in this set is always a SimplePrincipal instance that contains the username.
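An added example of the consuming side, not code from the post: a small utility that fetches the caller's Subject through PolicyContext, locates a Group by name, and checks whether a resource id is a member of the "Resources" group that a login module such as the one above would have added. The class name SubjectGroups and its method names are assumptions; the PolicyContext key and the Subject, Group and Principal APIs are standard. Instead of relying on the position of the username principal inside the set, the example picks the principal that is not a Group.

```java
package example; // hypothetical package, not from the post

import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;

/** Reads application-specific groups back from the caller's JAAS Subject. */
public final class SubjectGroups {

    // JACC handler key under which JBoss publishes the caller's Subject.
    private static final String SUBJECT_KEY = "javax.security.auth.Subject.container";

    private SubjectGroups() {}

    /** Subject of the current caller, or null when no one is authenticated. */
    public static Subject currentSubject() throws PolicyContextException {
        return (Subject) PolicyContext.getContext(SUBJECT_KEY);
    }

    /** Group with the given name on the Subject, or null if absent. */
    public static Group findGroup(Subject subject, String groupName) {
        if (subject == null) {
            return null;
        }
        for (Group group : subject.getPrincipals(Group.class)) {
            if (groupName.equals(group.getName())) {
                return group;
            }
        }
        return null;
    }

    /** Names of every member of the named group; empty if the group is absent. */
    public static Set<String> memberNames(Subject subject, String groupName) {
        Set<String> names = new HashSet<String>();
        Group group = findGroup(subject, groupName);
        if (group != null) {
            Enumeration<? extends Principal> members = group.members();
            while (members.hasMoreElements()) {
                names.add(members.nextElement().getName());
            }
        }
        return names;
    }

    /** True only if the login module put this resource id into "Resources". */
    public static boolean canUseResource(String resourceId) throws PolicyContextException {
        return memberNames(currentSubject(), "Resources").contains(resourceId);
    }

    /** The plain (non-Group) principal carrying the username, or null. */
    public static String callerName(Subject subject) {
        if (subject == null) {
            return null;
        }
        for (Principal principal : subject.getPrincipals()) {
            if (!(principal instanceof Group)) {
                return principal.getName();
            }
        }
        return null;
    }
}
```

Call canUseResource("printer-42") from a servlet or EJB running inside the JBoss container thread that handled the authenticated request; outside such a thread PolicyContext returns null and the check denies access, which is the safe default. Treat a missing "Resources" group the same way: the empty set means no resource is granted, so the check never falls open when a login module omits the group.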
