
How does getCallerPrincipal() work in real life

 
Sudeep das
Greenhorn
Posts: 13
hi all,
can anyone please tell me what happens behind the scenes when we call the context.getCallerPrincipal() method.
Why do we need it, and how internally does it correspond to an x509 certificate?
I would like to have an example of how we can use it, with proper bean code.
thanks in advance for any help in this regard.
sudeep
 
Anthony Watson
Ranch Hand
Posts: 327
Why do we need getCallerPrincipal?
This method is used for programmatic security. The security information you put in the deployment descriptor is at the class level. It says, anyone in this role can call these methods on this class.
To better understand why you would need programmatic security, imagine this scenario: You've got a website where people can post questions and comments. You only want the person who posted a comment to be able to delete the comment. In your deployment descriptor, you say that any logged in user can post and delete comments. Then, in your code, you must say that only the person who created the comment can delete the comment, not just any logged in user.
Here's an example:
import java.security.Principal;

// context is the bean's EJBContext (SessionContext or EntityContext).
// The descriptor already let any logged-in user reach this code; this
// check limits the delete to the comment's own author.
Principal p = context.getCallerPrincipal();
String name = p.getName();
if (name.equals(myEntity.getAuthorName())) {
    myHome.remove(myEntityPK);
}
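A fuller version of the same pattern, as an added example that is not from the post above and written in EJB 2.x style to match the spec the thread discusses: a stateless session bean whose methods are opened to the "user" role in the deployment descriptor, with the per-comment ownership rule enforced in code through getCallerPrincipal(). The entity interfaces CommentLocalHome/CommentLocal, their methods, the JNDI name and the descriptor fragment are all assumptions.

```java
import java.security.Principal;
import javax.ejb.CreateException;
import javax.ejb.FinderException;
import javax.ejb.RemoveException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/*
 * Assumed ejb-jar.xml fragment (the declarative part; it works at method
 * granularity and knows nothing about individual comments):
 *
 *   <method-permission>
 *     <role-name>user</role-name>
 *     <method><ejb-name>CommentService</ejb-name><method-name>*</method-name></method>
 *   </method-permission>
 *
 * Every authenticated "user" may therefore call deleteComment(); which
 * comment a given caller may delete is decided below with getCallerPrincipal().
 */
public class CommentServiceBean implements SessionBean {

    /** Checked application exception: unlike a RuntimeException it neither
     *  discards the bean instance nor rolls back the caller's transaction. */
    public static class NotOwnerException extends Exception {
        public NotOwnerException(String msg) { super(msg); }
    }

    private SessionContext ctx;
    private CommentLocalHome commentHome;   // assumed local home of the Comment entity bean

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }

    public void ejbCreate() throws CreateException {
        try {
            commentHome = (CommentLocalHome) new InitialContext()
                    .lookup("java:comp/env/ejb/CommentLocal");   // assumed ejb-local-ref
        } catch (NamingException e) {
            throw new CreateException("cannot look up CommentLocalHome: " + e.getMessage());
        }
    }

    /** Any "user" may post. The author is recorded from getCallerPrincipal()
     *  itself, so whatever the container chooses to put in getName() (login id,
     *  mapped account, DN fragment) is exactly what deleteComment() compares later. */
    public Integer postComment(String text) throws CreateException {
        String author = ctx.getCallerPrincipal().getName();
        CommentLocal c = commentHome.create(author, text);   // assumed create(String, String)
        return c.getId();
    }

    /** Any "user" may call this, but only the comment's author gets past the check. */
    public void deleteComment(Integer commentId) throws NotOwnerException, RemoveException {
        Principal caller = ctx.getCallerPrincipal();
        CommentLocal c;
        try {
            c = commentHome.findByPrimaryKey(commentId);
        } catch (FinderException e) {
            // Same answer for "does not exist" and "not yours", so callers
            // cannot use this method to probe which ids exist.
            throw new NotOwnerException("comment " + commentId + " is not yours");
        }
        if (!caller.getName().equals(c.getAuthorName())) {
            throw new NotOwnerException("comment " + commentId + " is not yours");
        }
        c.remove();
    }

    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}
```

The point of recording the author through the same getCallerPrincipal().getName() call that is checked later is that the bean never has to know what the string means; it only has to be stable for one container configuration. If the deployment is later switched to a different login module that reports a different form of name, existing rows will stop matching, so treat the principal name as an opaque key in the schema rather than as a human-readable login.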
 
Reid M. Pinchback
Ranch Hand
Posts: 775
What happens behind the scenes varies with the container, but these days you'll typically find something based on JAAS. The administrator configures the container to provide one or more authentication mechanisms and one or more authorization mechanisms. The application descriptors indicate declaratively the authentication and/or authorization needs of the app. The authentication mechanism could be almost anything, e.g.:
- HTTP basic password login
- trusted 3rd-party verification of an SSL client certificate
- home-brew mechanism
The authentication mechanism simply establishes who you are. The authentication mechanism then provides a principal implementation. The principal may or may not have data in it obtained from an x509 certificate; that would be determined by the implementation. For all you know the server could just use the certificate during authentication to map a user into a UNIX filesystem group, and the principal content would have almost nothing to do with the certificate. Sun's JAAS specification and tutorial docs make a point of this. What the principal is, and properties like principal.getName() contain, is very open to almost any implementation.
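To make the point above concrete, here is an added example, not from the post and not any particular container's code: a JAAS LoginModule that authenticates a TLS client certificate and then publishes a Principal whose getName() is a local account name looked up from the certificate's subject DN. The ClientCertCallback class, the caCertFile option, the single-level CA check and the DN-to-account table are assumptions; real containers hand the certificate to their login modules through their own callbacks or shared state.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

/** Assumed container-specific callback carrying the TLS client certificate.
 *  Standard JAAS defines no certificate callback; each container has its own. */
class ClientCertCallback implements Callback {
    X509Certificate cert;
}

/** What an EJB later gets from getCallerPrincipal(): getName() is a local
 *  account name chosen by the login module, not the certificate's DN. */
class AccountPrincipal implements Principal {
    private final String account;
    AccountPrincipal(String account) { this.account = account; }
    public String getName() { return account; }
    public boolean equals(Object o) {
        return o instanceof AccountPrincipal && account.equals(((AccountPrincipal) o).account);
    }
    public int hashCode() { return account.hashCode(); }
}

public class CertMappingLoginModule implements LoginModule {
    // Constructed sample table: subject DN in RFC 2253 form -> local account.
    private static final Map<String, String> DN_TO_ACCOUNT = Map.of(
            "CN=alice,O=Example Corp", "alice",
            "CN=svc-builder,O=Example Corp", "build-svc");

    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;
    private X509Certificate cert;       // kept from login() for commit()
    private AccountPrincipal pending;   // decided in login(), published in commit()

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler; this.options = options;
    }

    public boolean login() throws LoginException {
        ClientCertCallback cb = new ClientCertCallback();
        try {
            handler.handle(new Callback[] { cb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain client certificate: " + e.getMessage());
        }
        if (cb.cert == null) throw new FailedLoginException("no client certificate presented");
        // Authentication: the TLS handshake proved key possession; still check the
        // validity period and that our CA (option caCertFile) signed the certificate.
        try {
            cb.cert.checkValidity();
            cb.cert.verify(loadCa((String) options.get("caCertFile")).getPublicKey());
        } catch (GeneralSecurityException | IOException e) {
            throw new FailedLoginException("certificate rejected: " + e.getMessage());
        }
        // Identity mapping: the DN is only a lookup key. Nothing from the
        // certificate reaches the application's Principal except the account name.
        String dn = cb.cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        String account = DN_TO_ACCOUNT.get(dn);
        if (account == null) throw new FailedLoginException("no account mapped to " + dn);
        cert = cb.cert;
        pending = new AccountPrincipal(account);
        return true;
    }

    public boolean commit() {
        if (pending == null) return false;
        subject.getPrincipals().add(pending);
        // The certificate stays reachable via the Subject for code that truly
        // needs it; getCallerPrincipal() never exposes it.
        subject.getPublicCredentials().add(cert);
        return true;
    }

    public boolean abort() { pending = null; cert = null; return true; }

    public boolean logout() {
        subject.getPrincipals().remove(pending);
        subject.getPublicCredentials().remove(cert);
        pending = null; cert = null;
        return true;
    }

    private static X509Certificate loadCa(String path) throws IOException, GeneralSecurityException {
        try (FileInputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
}
```

Swap the lookup table for an LDAP query or a UNIX group file and the application is none the wiser: getCallerPrincipal().getName() still returns "alice". That is why bean code should never parse the name as a DN or assume it is a login id; the only safe uses are equality comparison and isCallerInRole().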
 
Sudeep das
Greenhorn
Posts: 13
thanks reid,
I was actually getting confused by the getCallerPrincipal() call. It was bugging me how the container is getting the security info.
While reading the EJB 2.0 spec, I also found that the getCallerPrincipal().getName() method may not return any specific login id. That could be anything the server specifies. Could be an arbitrary role altogether. Or a person's login.
In the EJB 2.0 spec, page 438, Sun has shown an example of getCallerPrincipal().getName(), using a prim-key search.
Is it the only way of doing this... please provide me with any other (practical) way of implementing it...
thanks to both of you for your helpful and proper replies.


sudeep
 