
  • JAAS - Acegi

    I have a simple question with respect to JAAS and acegi. I hope Ray Krueger is checking this forum.
    1. After login, JAAS returns a set of principals one of which is the username and the other is a group with the list of authorities.
    getPrincipals has (username and a group containing the roles).
    Now, my problem is
    granter.grant returns only a single role while the principal is actually a group.
    In this case, the principal is group called ROLES with members ADMIN and USER.
    AuthorityGranter granter = authorityGranters[i];
    String role = granter.grant(principal);

    I was hoping there was a solution to this without extending the JAASAuthenticationProvider.

  • #2
    Some of this depends on the JAAS login module you're using and such, but let's see if I understand this correctly...

    Your subject.getPrincipals() returns 2 elements
    A principal representing the User
    A principal representing a Group that user belongs to

    You want to return many roles, based on information extracted from that single group, correct?

    Unfortunately, the AuthorityGranter interface only allows returning one String representing a role. So you could write an AuthorityGranter that returns ROLE_ADMIN if the principal is the Administrators group. And do basically the same if the user is in a Users group.

    It sounds like you want to return multiple roles based on a single principal. A completely understandable request, that unfortunately Acegi doesn't support right now.

    The AuthorityGranter interface should define itself as...
        public Set grant(Principal principal);
    That would really provide the greatest flexibility.

    Would that help?


    • #3
      You can ignore most of what I said above. Except for the part where I said the AuthorityGranter interface should return a java.util.Set, it does now. I just committed that change and tests to verify it.



      • #4
        Will this change be in .9.0 ?

        I had a similar problem but I was extending JaasAuthenticationProvider to handle the returned principals in a way I wanted, but this change should resolve my problem without extending the provider.


        • #5
          What should the Set contain?
          Set of Roles (as String)? Or Principal?


          • #6
            Yep, the code has already been checked into CVS. You can use it now if you pull it from there.

            The Set can contain strings, or anything that .toString() returns as a valid role name really. So if the set contains your own objects and .toString() returns ROLE_USER for example, that's fine. For safety's sake, filling it with Strings is the better route though.
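
An added example, not part of the original thread and not Acegi's own code: a granter that turns the single ROLES group principal from the question into several role strings, using the Set-returning signature discussed above. The `AuthorityGranter` interface is redeclared locally (with generics added) so the block compiles on its own; `RoleGroup`, `GroupAuthorityGranter` and the allowlist are hypothetical names and assumptions, and the sample principals are constructed.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class GroupAuthorityGranterExample {
    // Assumption: local stand-in for the revised interface quoted in the thread.
    interface AuthorityGranter {
        Set<String> grant(Principal principal);
    }

    // Hypothetical group principal; a real JAAS login module supplies its own type.
    static final class RoleGroup implements Principal {
        private final String name;
        private final Set<String> members;
        RoleGroup(String name, Set<String> members) {
            this.name = name;
            this.members = members;
        }
        public String getName() { return name; }
        Set<String> getMembers() { return members; }
    }

    static final class GroupAuthorityGranter implements AuthorityGranter {
        // Only members named here become authorities; anything else is dropped.
        private static final Set<String> KNOWN = Set.of("ADMIN", "USER");

        public Set<String> grant(Principal principal) {
            // The username principal, or any other group, grants nothing.
            if (!(principal instanceof RoleGroup) || !"ROLES".equals(principal.getName())) {
                return Collections.emptySet();
            }
            Set<String> roles = new LinkedHashSet<>();
            for (String member : ((RoleGroup) principal).getMembers()) {
                if (KNOWN.contains(member)) roles.add("ROLE_" + member);
            }
            return roles;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a username principal and a ROLES group with one unexpected member.
        Principal user = () -> "alice";
        Principal group = new RoleGroup("ROLES", new LinkedHashSet<>(List.of("ADMIN", "USER", "ROOT")));
        AuthorityGranter granter = new GroupAuthorityGranter();
        for (Principal p : List.of(user, group)) {
            System.out.println(p.getName() + " -> " + granter.grant(p));
        }
    }
}
```

Filtering group members against an allowlist keeps an unexpected entry returned by the login module from silently becoming a granted role.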



            • #7
              Acegi security

              I am interested in the Acegi Security library for Spring, and I have got some questions about it.
              What do the following look like:
              - service of authentication and authorization in a web application - access to pages (URL)
              - service of authentication and authorization - access to class methods (business functions)
              - service of authentication and authorization in (RMI, http, soap)
              - service of authentication by passwords, token securid, SMS password, one-use password
              - possibility of using LDAP
              - service of access list for data objects
              - possibility of using a wicket application

              Thanks for any answers