tomee-users mailing list archives

From Quintin Beukes <>
Subject Re: Retrieving Group Principals
Date Sat, 14 Nov 2009 12:02:43 GMT
To achieve this I had a look at the OpenEJB code.

Would the following be a valid way of doing so? I understand it's not
portable at all, though like I mentioned this is acceptable for this
situation. Much of our authentication/authorization code for the
client side is not portable, as JavaEE doesn't provide much on this
topic. I tried to stay by the spec where possible, though.

So in: ./container/openejb-core/src/main/java/org/apache/openejb/core/security/
I found getCallerPrincipal(). I noticed it accesses the security service
and fetches the Principals like so:
        ThreadContext threadContext = ThreadContext.getThreadContext();
        SecurityContext securityContext =
        Set<Principal> principals = securityContext.subject.getPrincipals();

Can I do this inside an EJB to access the principals as well? I figure
it should work, though I'd just like to be sure and I don't have any
way to test until tomorrow.

Quintin Beukes
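As an added example (not code from the original post and not OpenEJB's own source), here is how the lookup sketched above could be wrapped in the kind of utility class described in the earlier mail: one that reads the caller's group principals through OpenEJB's internals and raises a descriptive error when it finds itself on a different container. Several things are assumptions: the SecurityContext is obtained with threadContext.get(SecurityContext.class) (the corresponding line is cut off in the quoted snippet), the import path of SecurityContext and that its subject field is readable from your package, that OpenEJB's group principals implement java.security.acl.Group (which is why getCallerPrincipal() skips Group instances when choosing the user principal), and the package, class and method names CallerRoles, OperatorRolesBean and currentGroupNames, which are made up.

```java
package example.security; // hypothetical package

import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

import javax.ejb.Stateless;

import org.apache.openejb.core.ThreadContext;
// ASSUMPTION: location of SecurityContext in the OpenEJB version in use
import org.apache.openejb.core.security.AbstractSecurityService.SecurityContext;

/**
 * Non-portable helper: reads the group principals OpenEJB attached to the
 * current invocation. Deliberately fails loudly on any other container.
 */
public final class CallerRoles {

    private CallerRoles() {
    }

    /**
     * Returns the names of the caller's group principals, i.e. the role
     * names OpenEJB itself checks against @RolesAllowed. Must be called
     * from inside an EJB invocation.
     */
    public static Set<String> currentGroupNames() {
        try {
            ThreadContext threadContext = ThreadContext.getThreadContext();
            if (threadContext == null) {
                throw new IllegalStateException(
                        "No OpenEJB ThreadContext: not inside an EJB invocation");
            }
            // ASSUMPTION: how the SecurityContext is looked up (line truncated in the mail)
            SecurityContext securityContext = threadContext.get(SecurityContext.class);
            if (securityContext == null || securityContext.subject == null) {
                return Collections.emptySet(); // unauthenticated caller: no groups
            }
            Set<String> names = new TreeSet<String>();
            for (Principal principal : securityContext.subject.getPrincipals()) {
                // Group principals carry the role names; the single non-Group
                // principal is the user principal, which is skipped here.
                if (principal instanceof Group) {
                    names.add(principal.getName());
                }
            }
            return Collections.unmodifiableSet(names);
        } catch (NoClassDefFoundError e) {
            // The OpenEJB classes are not on the classpath: we are deployed on
            // another server, so say so instead of silently returning nothing.
            throw new UnsupportedOperationException(
                    "CallerRoles relies on OpenEJB internals; port it before moving", e);
        }
    }
}

/** Session bean exposing the role names to the client-side front end. */
@Stateless
class OperatorRolesBean {

    public List<String> getOperatorRoles() {
        // Copy into a plain list so the remote client gets a serializable type
        return new ArrayList<String>(CallerRoles.currentGroupNames());
    }
}
```

The names handed back are the container-side role names, i.e. after Geronimo's mapping from the database roles, so they line up with what the client front end needs for showing and hiding actions. They are only a hint for the UI: the server keeps deciding with @RolesAllowed and isCallerInRole, which is where the authorization actually happens.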

On Sat, Nov 14, 2009 at 1:17 PM, Quintin Beukes <> wrote:
> Hey,
> I've got a bunch of @RolesAllowed annotations, which basically
> reference the group principals of my users. They work perfectly.
> Further I can also retrieve the subject name by accessing the
> UserPrincipal through the EJBContext.
> How can I retrieve all the group principals, or "Role Names"? This is
> available to OpenEJB, as it uses it to authorize my requests.
> I can't read them from the database, as the role names in the database
> are different from those used in OpenEJB. I'm using Geronimo role name
> mappings for this. For example, my EJBs would be annotated with
> @RolesAllowed({"Personnel Admin", "Personnel Read Access"}), and then I
> have in the database a role "Lamp Room Staff". This role would then be
> mapped to a bunch of EJB roles, including "Personnel Read Access",
> "Create Lamp", "Assign Lamp", etc.
> For the server side it's fine to not have a list of the roles, as
> OpenEJB takes care of it all, and where more complex authorization is
> needed I just call ejbContext.isCallerInRole(...). Though my client
> side front end also has authorization in it. This is mostly just to
> show/hide actions allowed for a given user.
> As a temporary fix I have a method "List getOperatorRoles()", which
> takes a list of all roles and then iterates isCallerInRole, building a
> list based on the result of this method. I can't continue doing this
> though, as it increases maintenance and "breaks" modularity.
> How can I retrieve a list of all roles? Even if it means I have to go
> against the standard for this one thing, in which case I'll put it in
> a utility class which validates its environment and raises an error +
> description when run in another server. This way when moving it I'll
> remember to find another way of achieving the same. I don't think this
> will happen anyway.
> Quintin Beukes
