Hello, I am working on a large existing EJB 1.1 application that currently does its own security and has no EJB managed security.

I am trying to move to a more standard solution in small steps, and so I want to start controlling the security Principal being passed to the EJB. I am not going to be able to change the current login or security framework, so I don't believe I can move to JAAS at the present time.

Once I have created a java.security.Principal, where do I store it so it is passed in my EJB calls and available from context.getCallerPrincipal()?

Thanks.

+1  A: 

JEE security is a bit of an all-or-nothing thing. You are supposed to use the JEE authentication mechanism to have the security context correctly set. As you can see, the EJBContext that you can obtain through injection is read-only.

The only standard way I'm aware of to change the security context is using things like @RunAs (See an example), but it's very inflexible. You cannot pass credentials dynamically.

There are some non-portable container-specific mechanisms, for instance Glassfish has ProgrammaticLogin. But even in this case, you need to pass the username/password, you cannot just change the Principal on the fly.

I remember reading articles where they explained how to set the security context manually using the internal API of the container, but it's of course non-portable and not supported.

ewernli
+1 Thanks for the answer, not the answer I wanted to hear though.
David Waters
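
The `@RunAs` limitation described in the answer, as an added example that is not part of the original thread: the run-as role is fixed by the annotation at deployment, and the callee only reads the identity the container supplies. Bean, interface and role names are hypothetical; it assumes an EJB 3.x container (annotations are not available in EJB 1.1), and which principal name the container maps to the run-as role is container-specific.

```java
// Added illustration; all bean, interface and role names are hypothetical.
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Local
interface AuditLog {
    String record(String event);
}

@Stateless
@DeclareRoles("auditor")
class AuditLogBean implements AuditLog {
    @Resource
    private SessionContext ctx; // read-only view of the security context

    @RolesAllowed("auditor") // enforced by the container, not by application code
    public String record(String event) {
        // Returns whatever principal the container associated with this call.
        // EJBContext has no setter that would let application code replace it.
        String caller = ctx.getCallerPrincipal().getName();
        return caller + " recorded: " + event;
    }
}

@Local
interface LegacyFacade {
    String doWork(String legacyUser);
}

@Stateless
@RunAs("auditor") // static: every outgoing call from this bean uses this role
class LegacyFacadeBean implements LegacyFacade {
    @EJB
    private AuditLog audit;

    public String doWork(String legacyUser) {
        // legacyUser comes from the application's own login framework. It can
        // travel as plain data, but it does not become the caller principal:
        // AuditLogBean sees the container's run-as identity instead.
        return audit.record("work done for " + legacyUser);
    }
}
```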