5

I'm trying to write my own ServerAuthModule, to use a custom login system.

If I understood everything right, what happens is that the container calls the validateRequest method for every incoming request, and that my SAM will check for credentials, and tell the container the username and groups of the user (if the credentials are right) via the CallbackHandler. 

public class MySAM implements ServerAuthModule {

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {

        // check user credentials
        ...

        // set username and groups
        CallerPrincipalCallback cpCallback = new CallerPrincipalCallback(clientSubject, username);
        GroupPrincipalCallback gpCallback = new GroupPrincipalCallback(clientSubject, groups);
        callbackHandler.handle(new Callback[]{cpCallback, gpCallback}

        return AuthStatus.SUCCESS;
    }

    ...
}

My problem now is, that when a user logs in, I don't know to which groups the user belongs. I can only check whether the user is in a given group. Is it somehow possible to give the container a method with which it can check whether a user is in a given group, instead of giving it an array with groups in the validateRequest method?

boolean isInGroup(String username, String group) {
    // ask backend system
}
Misch
  • 10,350
  • 4
  • 35
  • 49
  • 1
    Adding to the answer, I've implemented exactly this as an example of what can be done with custom authorization rules. See http://arjan-tijms.omnifaces.org/2016/07/simplified-custom-authorization-rules.html – Arjan Tijms Jul 25 '16 at 11:49

1 Answers1

5

What you're doing looks right indeed.

There's no concept in JASPIC of handing the container a method like you intend. The container creates a set of Principals from the groups array you give it, and there's no room for a method there.

In Java EE, JACC should be able to do this. A JACC policy provider is consulted everytime the isUserInRole question needs to be answered and everytime it needs to be decided whether a user has some permission (eg allowed to access /adminpanel).

At that point you can do a kind of reverse check to see what role is required for a given Permission (using the role to Permission Maps that JACC builds up at startup time). With that role you can then use your own logic to determine if the user indeed has that role or group.

Mike Braun
  • 3,729
  • 17
  • 15