I want to access the full model of users with their roles in my SOAP app. For example, I might want to know the role of a user called "Fred."

How do I reach into some sort of global JAAS registry and do (pseudocode) globalRegistry.getUser("Fred").getPrincipals()? (Note that in JAAS, roles are represented by Principals.)

I know how to get the Principal of the Subject from the LoginContext, but that has two problems.

  1. It is only at the moment of login, and I'd prefer not to code the aforementioned registry and store the Subject and Principal objects myself, as they are already stored by the appserver.
  2. Preferably, I want to be able to access this information even when Fred is not the current user.

I am using Jetty, but I presume that these behaviors are standard to JAAS.

+1  A: 

To me, it seems this mixes the appserver's users, groups etc. with J2EE application roles.

  • Getting permissions of a certain user is an administration task and usually has to be accomplished using appserver-specific APIs.
  • The JAAS programming model works on a higher level of abstraction. It only provides the information whether a user is in a J2EE role (defined within the application).
david a.
+1  A: 

We use a ThreadLocal variable to reference the current user as has been authenticated at the system entrypoint (a servlet or ejb in our case). This allows 'global' access to the current user. This is not directly tied to JAAS or any other security protocol, but can be initialized from them.

EDIT: The return from the ThreadLocal is the Subject for the current user.

Accessing other users would typically be done via some type of admin module.

Robin
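
The ThreadLocal approach described in the answer above, as an added example that is not Robin's code or part of the original thread. The class name CurrentSubject and its methods are hypothetical, and the Subject is constructed here rather than produced by a real JAAS login.

```java
import java.security.Principal;
import java.util.Set;
import java.util.concurrent.Callable;
import javax.security.auth.Subject;

/** Hypothetical holder for the authenticated Subject of the request being served. */
public final class CurrentSubject {
    private static final ThreadLocal<Subject> CURRENT = new ThreadLocal<>();

    private CurrentSubject() {}

    /** Returns the Subject bound to this thread, or fails closed if none is bound. */
    public static Subject require() {
        Subject s = CURRENT.get();
        if (s == null) throw new IllegalStateException("no authenticated subject on this thread");
        return s;
    }

    /** Binds the subject for the duration of the work, then always unbinds it. */
    public static <T> T runAs(Subject subject, Callable<T> work) throws Exception {
        Subject previous = CURRENT.get();
        CURRENT.set(subject);
        try {
            return work.call();
        } finally {
            // Container threads are pooled and reused: restore the previous state so
            // the next request on this thread never inherits this user's identity.
            if (previous == null) CURRENT.remove(); else CURRENT.set(previous);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a real app would take the Subject from LoginContext.getSubject().
        Principal role = () -> "admin"; // getName() is Principal's only abstract method
        Subject fred = new Subject();
        fred.getPrincipals().add(role);
        fred.setReadOnly(); // code deeper in the call stack cannot add principals

        String seen = runAs(fred, () -> {
            Set<Principal> principals = require().getPrincipals();
            return principals.iterator().next().getName();
        });
        System.out.println("role seen inside the request: " + seen);
        System.out.println("subject still bound afterwards: " + (CURRENT.get() != null));
    }
}
```

At a servlet or EJB entry point, the request handling would be wrapped in runAs(...) with the Subject obtained at login. This covers only the current user; looking up other users still goes through an admin module or the identity store, as the answers here say.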
A: 

Robin, can you post any example code? Thanks

Juanjoc
A: 

I believe that JAAS was designed to not really allow what you are trying to do. I know that in the apps I've built where I needed that sort of functionality, I had to side-step JAAS and program directly to whatever the actual identity repository was, be it LDAP, ActiveDirectory or whatever.

mezmo