0

I want to ask if it is possible to change the Java EE JAAS Context (assigned user roles) from an EJB interceptor?

I have a few EJB Session beans which are using the method 'isUserInRole()' to test for authorization. On the other hand my application is managing user profiles with some special information which can not be mapped to the JAAS roles/groups managed through the application Java EE realm, because they are created during runtime.

My idea is to implement something like an EJB interceptor, check the information stored in the user's profile from my application, and add some new custom roles to the user's credentials/subject.

So the result would be a new dynamic role definition assigned to the credentials which can be asked by my session beans. But these roles will not be hard coded in the ejb (@RolesAllowed) or in the ejb-jar.xml or sun-ejb-jar.xml descriptors.

Thanks for any help in this question.

Arjan Tijms
Ralph

1 Answer

0

Changing an already established security context is hard, but if initially setting a security context also works for your situation, you have to look at a custom login module.

In Java EE, this can be done via the JASPI API, which builds on JAAS.

Nearly every application server also has a proprietary API to do this, most of them building on JAAS as well.

Arjan Tijms