tomee-users mailing list archives

From Jean-Louis MONTEIRO <>
Subject Re: Retrieving Group Principals
Date Tue, 17 Nov 2009 09:21:32 GMT


I would prefer that proposition to locate proprietary code.


Q Beukes wrote:
> Or maybe a better way would be to use a custom SecurityService (which
> could extend the GeronimoSecurityService) in some way? Though this
> would still require accessing the ThreadContext.
> Quintin Beukes
> On Sat, Nov 14, 2009 at 2:02 PM, Quintin Beukes <>
> wrote:
>> To achieve this I had a look at the OpenEJB code.
>> Would the following be a valid way of doing so? I understand it's not
>> portable at all, though like I mentioned this is acceptable for this
>> situation. Much of our authentication/authorization code for the
>> client side is not portable, as JavaEE doesn't provide much on this
>> topic. I tried to stay by the spec where possible, though.
>> So in:
>> ./container/openejb-core/src/main/java/org/apache/openejb/core/security/
>> I found getCallerPrincipal(). I noticed it accesses the security service
>> and fetches the Principals like so:
>>        ThreadContext threadContext = ThreadContext.getThreadContext();
>>        SecurityContext securityContext = threadContext.get(SecurityContext.class);
>>        Set<Principal> principals = securityContext.subject.getPrincipals();
>> Can I do this inside an EJB to access the principals as well? I figure
>> it should work, though I'd just like to be sure and I don't have any
>> way to test until tomorrow.
>> Thanks,
>> Quintin Beukes
>> On Sat, Nov 14, 2009 at 1:17 PM, Quintin Beukes <>
>> wrote:
>>> Hey,
>>> I've got a bunch of @RolesAllowed annotations, which basically
>>> reference the group principals of my users. They work perfectly.
>>> Further I can also retrieve the subject name by accessing the
>>> UserPrincipal through the EJBContext.
>>> How can I retrieve all the group principals, or "Role Names"? This is
>>> available to OpenEJB, as it uses it to authorize my requests.
>>> I can't read them from the database, as the role names in the database
>>> are different from those used in OpenEJB. I'm using Geronimo role name
>>> mappings for this. For example, my EJBs would be annotated with
>>> @RolesAllowed({"Personnel Admin", "Personnel Read Access"}), and then I
>>> have in the database a role "Lamp Room Staff". This role would then be
>>> mapped to a bunch of EJB roles, including "Personnel Read Access",
>>> "Create Lamp", "Assign Lamp", etc.
>>> For the server side it's fine to not have a list of the roles, as
>>> OpenEJB takes care of it all, and where more complex authorization is
>>> needed I just call ejbContext.isCallerInRole(...). Though my client
>>> side front end also has authorization in it. This is mostly just to
>>> show/hide actions allowed for a given user.
>>> As a temporary fix I have a method "List getOperatorRoles()", which
>>> takes a list of all roles and then iterates isCallerInRole, building a
>>> list based on the result of this method. I can't continue doing this
>>> though, as it increases maintenance and "breaks" modularity.
>>> How can I retrieve a list of all roles? Even if it means I have to go
>>> against the standard for this one thing, in which case I'll put it in
>>> a utility class which validates its environment and raises an error +
>>> description when run in another server. This way when moving it I'll
>>> remember to find another way of achieving the same. I don't think this
>>> will happen anyway.
>>> Quintin Beukes

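The thread sketches two ways to get the caller's roles: reading the Subject's principals from OpenEJB's ThreadContext (non-portable, wrapped in a utility that fails loudly elsewhere) and looping over known role names with isCallerInRole (portable). The following Java class is an added example written for this archive page, not code from OpenEJB or from the thread's participants. It assumes the SecurityContext is the nested class org.apache.openejb.core.security.AbstractSecurityService.SecurityContext and that its "subject" field is accessible from the caller's code, as the snippet quoted above suggests; both should be checked against the OpenEJB version in use. The class name CallerRoleLookup and the method names are invented for the example.

```java
import java.security.Principal;
import java.util.Collection;
import java.util.Set;
import java.util.TreeSet;

import javax.ejb.EJBContext;
import javax.security.auth.Subject;

import org.apache.openejb.core.ThreadContext;
import org.apache.openejb.core.security.AbstractSecurityService.SecurityContext;

/**
 * Added example (not OpenEJB code). Looks up the caller's roles in two ways:
 * a non-portable read of the OpenEJB Subject and a portable isCallerInRole loop.
 * The nested-class name AbstractSecurityService.SecurityContext and the
 * visibility of its "subject" field are assumptions about the OpenEJB version.
 */
public final class CallerRoleLookup {

    private CallerRoleLookup() {
    }

    /**
     * Non-portable: names of every Principal on the authenticated Subject,
     * taken from OpenEJB's per-invocation ThreadContext. When the OpenEJB
     * classes are absent (another container), the lazy class resolution
     * raises NoClassDefFoundError, which is turned into an error that says
     * what has to be reimplemented, as the thread proposes.
     */
    public static Set<String> principalNames() {
        try {
            return readPrincipalNames();
        } catch (NoClassDefFoundError e) {
            throw new UnsupportedOperationException(
                "CallerRoleLookup depends on OpenEJB internals (ThreadContext/SecurityContext); "
                + "reimplement it for this container", e);
        }
    }

    private static Set<String> readPrincipalNames() {
        ThreadContext threadContext = ThreadContext.getThreadContext();
        if (threadContext == null) {
            throw new IllegalStateException(
                "no OpenEJB ThreadContext: call this from inside an EJB invocation");
        }
        SecurityContext securityContext = threadContext.get(SecurityContext.class);
        if (securityContext == null) {
            throw new IllegalStateException("no SecurityContext: caller is not authenticated");
        }
        // Field access as in the getCallerPrincipal() snippet quoted in the thread
        // (assumed accessible from application code in this OpenEJB version).
        Subject subject = securityContext.subject;
        Set<String> names = new TreeSet<String>();
        for (Principal principal : subject.getPrincipals()) {
            names.add(principal.getName());
        }
        return names;
    }

    /**
     * Portable alternative: the subset of the given EJB role names that the
     * container says the caller holds. Because isCallerInRole is the
     * container's own check, Geronimo role mappings are applied for free.
     * Inject the EJBContext with @Resource SessionContext in the bean.
     */
    public static Set<String> mappedRoles(EJBContext ctx, Collection<String> ejbRoleNames) {
        Set<String> held = new TreeSet<String>();
        for (String role : ejbRoleNames) {
            if (ctx.isCallerInRole(role)) {
                held.add(role);
            }
        }
        return held;
    }
}
```

The two methods do not return the same thing: principalNames() yields whatever the login module placed in the Subject, which in the setup described above is the database-side role such as "Lamp Room Staff", while mappedRoles() yields the EJB role names ("Personnel Read Access", ...) after Geronimo's mapping has been applied. Whichever list is sent to the client, it only drives what the front end shows or hides; the @RolesAllowed checks on the server remain the authoritative decision, so a stale or wrong list on the client cannot grant anything.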