How does getCallerPrincipal() work in real life?

 
Hi all,
Can anyone please tell me what happens behind the scenes when we call the context.getCallerPrincipal() method?
Why do we need it, and how does it internally correspond to an X.509 certificate?
I would like to have an example of how we can use it, with proper bean code.
Thanks in advance for any help in this regard.
sudeep
 
Why do we need getCallerPrincipal?
This method is used for programmatic security. The security information you put in the deployment descriptor is at the class level. It says, anyone in this role can call these methods on this class.
To better understand why you would need programmatic security, imagine this scenario: You've got a website where people can post questions and comments. You only want the person who posted a comment to be able to delete the comment. In your deployment descriptor, you say that any logged in user can post and delete comments. Then, in your code, you must say that only the person who created the comment can delete the comment, not just any logged in user.
Here's an example:
import java.security.Principal;

Principal p = context.getCallerPrincipal();   // context is the javax.ejb.EJBContext the container gave the bean
String name = p.getName();
if (name.equals(myEntity.getAuthorName())) {
    // the caller is the author of the comment, so the delete is allowed
    myHome.remove(myEntityPK);
} else {
    // anyone else is refused; failing silently would make a rejected delete look like a successful one
    throw new javax.ejb.EJBException("caller " + name + " is not the author of this comment");
}
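The ownership check above, written out as a complete EJB 3.x stateless session bean. This is an added example and not code from the thread; the Comment entity, the CommentService bean, and the role names "user" and "moderator" are assumptions. It puts the declarative gate (@RolesAllowed, the annotation form of the descriptor's method-permission) next to the programmatic check so you can see which part each one handles. In EJB 2.x the same getCallerPrincipal() call is made on the SessionContext handed to setSessionContext(); only the injection syntax differs.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.PersistenceContext;

/** Hypothetical comment entity; only the fields the check needs are modelled. */
@Entity
class Comment {
    @Id @GeneratedValue private Long id;
    private String authorName;   // filled from the caller principal, never from client input
    private String text;

    public Long getId() { return id; }
    public String getAuthorName() { return authorName; }
    public void setAuthorName(String authorName) { this.authorName = authorName; }
    public void setText(String text) { this.text = text; }
}

/**
 * Hypothetical session bean. @RolesAllowed("user") is the declarative part:
 * only callers the container has placed in role "user" get this far at all.
 * The programmatic part inside deleteComment() decides WHICH user may delete
 * WHICH comment, something no deployment descriptor can express.
 */
@Stateless
@DeclareRoles({"user", "moderator"})   // roles referenced by isCallerInRole() must be declared
@RolesAllowed("user")
public class CommentService {

    @Resource
    private SessionContext ctx;        // javax.ejb.EJBContext subtype; getCallerPrincipal() lives here

    @PersistenceContext
    private EntityManager em;

    /** The owner is recorded server-side from the authenticated caller, not taken from the request. */
    public Long postComment(String text) {
        Comment c = new Comment();
        c.setAuthorName(ctx.getCallerPrincipal().getName());
        c.setText(text);
        em.persist(c);
        return c.getId();
    }

    /** Only the author, or a caller in the assumed "moderator" role, may delete a comment. */
    public void deleteComment(Long commentId) {
        Comment c = em.find(Comment.class, commentId);
        if (c == null) {
            return;                    // already gone; the delete is idempotent
        }
        // EJB 3.x: getCallerPrincipal() does not return null; an unauthenticated
        // caller gets a container-defined principal, which is why the role gate above matters.
        Principal caller = ctx.getCallerPrincipal();
        boolean isOwner = caller.getName().equals(c.getAuthorName());
        boolean isModerator = ctx.isCallerInRole("moderator");
        if (!isOwner && !isModerator) {
            // Refuse loudly; a silent no-op would make a rejected delete look like a successful one.
            throw new EJBAccessException("caller '" + caller.getName()
                    + "' may not delete comment " + commentId);
        }
        em.remove(c);
    }
}
```

One caveat a practitioner should keep in mind: the stored authorName is whatever the container's realm returns from Principal.getName(). If the realm is later swapped (say from a users file to one that returns an LDAP DN), existing rows stop matching their owners, so treat that string as realm-specific data rather than a stable user identifier.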
 
What happens behind the scenes varies with the container, but these days you'll typically find something based on JAAS. The administrator configures the container to provide one or more authentication mechanisms and one or more authorization mechanisms. The application descriptors indicate declaratively the authentication and/or authorization needs of the app. The authentication mechanism could be almost anything, e.g.:
- HTTP basic password login
- trusted 3rd-party verification of an SSL client certificate
- home-brew mechanism
The authentication mechanism simply establishes who you are. The authentication mechanism then provides a principal implementation. The principal may or may not have data in it obtained from an X.509 certificate; that would be determined by the implementation. For all you know the server could just use the certificate during authentication to map a user into a UNIX filesystem group, and the principal content would have almost nothing to do with the certificate. Sun's JAAS specification and tutorial docs make a point of this. What the principal is, and what properties like principal.getName() contain, is very open to almost any implementation.
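To make the mapping step concrete, here is an added example (not code from the thread or from any container) of a JAAS LoginModule that does what the post describes: it takes a client-certificate subject DN that the TLS layer has already verified, looks it up in a table, and commits a Principal whose getName() is an application user id rather than anything from the certificate. The module name, the AppPrincipal class, the DN-to-user table and the driver around it are all assumptions; in particular, real containers hand the certificate to their login modules through their own callback or shared-state types, and the NameCallback used here just stands in for that.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

public class CertDnLoginModule implements LoginModule {

    // Constructed mapping table: canonical subject DN -> application user id.
    // A real container would keep this in its realm (LDAP, database, users file).
    private static final Map<String, String> DN_TO_USER = new HashMap<>();
    static {
        DN_TO_USER.put(new X500Principal("CN=Sudeep Das, OU=Dev, O=Example Corp, C=IN")
                .getName(X500Principal.CANONICAL), "u1001");
    }

    /** What the EJB's getCallerPrincipal() would hand back: the name is the user id, not the DN. */
    public static final class AppPrincipal implements Principal {
        private final String name;
        AppPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "AppPrincipal[" + name + "]"; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private AppPrincipal pending;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        // Assumption: the DN arrives via NameCallback; the certificate itself was verified by the TLS layer.
        NameCallback dnCallback = new NameCallback("verified client certificate subject DN: ");
        try {
            handler.handle(new Callback[] { dnCallback });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain client certificate subject: " + e);
        }
        String dn = dnCallback.getName();
        if (dn == null) throw new LoginException("no client certificate subject");
        // Canonicalise before lookup so "cn=x, o=y" and "CN=x,O=y" compare equal.
        String canonical = new X500Principal(dn).getName(X500Principal.CANONICAL);
        String userId = DN_TO_USER.get(canonical);
        if (userId == null) throw new LoginException("certificate subject not mapped to any user: " + dn);
        pending = new AppPrincipal(userId);
        return true;
    }

    @Override
    public boolean commit() {
        if (pending == null) return false;
        subject.getPrincipals().add(pending);   // this is the principal the container later exposes
        return true;
    }

    @Override public boolean abort() { pending = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof AppPrincipal); return true; }

    /** Stand-alone driver doing the little that a container does around the module. */
    public static String authenticate(String verifiedDn) throws LoginException {
        Configuration conf = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        CertDnLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Collections.<String, Object>emptyMap()) };
            }
        };
        CallbackHandler h = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(verifiedDn);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("cert", new Subject(), h, conf);
        lc.login();
        return lc.getSubject().getPrincipals(AppPrincipal.class).iterator().next().getName();
    }

    public static void main(String[] args) throws LoginException {
        System.out.println(authenticate("cn=Sudeep Das, ou=Dev, o=Example Corp, c=IN"));  // prints u1001
        try {
            authenticate("CN=Mallory, O=Evil, C=XX");
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two things to notice: the first DN is written in a different case and spacing from the table entry and still matches, because the lookup is done on the canonical form (comparing raw DN strings is a classic way to get both false rejects and, with lenient parsers, false accepts); and the name the application ends up with, "u1001", appears nowhere in the certificate, which is exactly the "may have nothing to do with the certificate" point made above.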
 
Sudeep das
Thanks Reid,
I was actually getting confused by the getCallerPrincipal() call. It was bugging me how the container gets the security info.
While reading the EJB 2.0 spec, I also found that the getCallerPrincipal().getName() method may not return any specific login id. That could be anything the server specifies. It could be an arbitrary role altogether, or a person's login.
In the EJB 2.0 spec, page 438, Sun has shown an example of getCallerPrincipal().getName() using a prim-key search.
Is that the only way of doing this? Please provide me with any other (practical) way of implementing it.
Thanks to both of you for your helpful and proper replies.

sudeep
 