Well, I'm having pretty much the same problem, where the Principal put into the CallerPrincipal Group is not the one returned in the JSP when you call request.getUserPrincipal(). Looks like I'm going code diving...

Hi,

I have posted the same problem some week ago, and none could help me.
Because JSP´s are handled by the embedded Tomcat, I have tried to find an answer at the tomcat-mailinglists. This is the only answer I got:

"you need a custom Realm
implementation, probably a simple extension of one of the existing Realms
(see the Realm how-to and server.xml for discussion and examples). This
realm will create your custom principal object.
"
The problem is that the embedded Tomcat doesn´t have a server.xml.
So I am afraid we need an answer from the JBOss-Specialisits.

Hope a.s.a.p
Yours

I don´t think it´s a Tomcat Problem, because the given Principal is a SimplePrincipal, which is a jboss Class. So JBoss didn´t do the right work.did it?

"anbenham" wrote:
I don't think it's a Tomcat Problem, because the given Principal is a SimplePrincipal, which is a jboss Class.

The problem is in the jboss tomcat integration :

You will ALWAYS get a SimplePrincipal in getUserPrincipal().
Here is a part of the authentication code in JBossSecurityMgrRealm :

public Principal authenticate(String username, String credentials)
{
...
// Get the JBoss security manager from the ENC context
AuthenticationManager securityMgr = (AuthenticationManager) securityCtx.lookup("securityMgr");
principal = new SimplePrincipal(username);
char[] passwordChars = null;
if( credentials != null )
passwordChars = credentials.toCharArray();
if( securityMgr.isValid(principal, passwordChars) )
{
category.log(XLevel.TRACE, "User: "+username+" is authenticated");
SecurityAssociation.setPrincipal(principal);
SecurityAssociation.setCredential(passwordChars);
}
else
{
principal = null;
category.log(XLevel.TRACE, "User: "+username+" is NOT authenticated");
}
...
return principal;
}

I think the LoginModule is called by securityMgr.isValid but the resulting LoginContext is never used.

Hi everyone. I came across the same issue whilst writing a security adapter for JBoss (www.acegi.com.au/security). You'll find the following will work:

import java.security.Principal;
import java.util.Iterator;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;

import au.com.acegi.springsecurity.Authentication;
import au.com.acegi.springsecurity.adapters.AbstractMvcIntegrationInterceptor;

/**
 * Populates a {@link SecureContext} from JBoss'
 * <code>java:comp/env/security/subject</code>.
 *
 * <p>See {@link AbstractMvcIntegrationInterceptor} for further information.
 *
 * @author Ben Alex
 * @version $Id: JbossMvcIntegrationInterceptor.java,v 1.2 2004/03/02 23:27:08 balex Exp $
 */
public class JbossMvcIntegrationInterceptor extends AbstractMvcIntegrationInterceptor {

 public Object extractFromContainer(HttpServletRequest request) {
 Subject subject = null;
 try {
 InitialContext ic = new InitialContext();
 subject = (Subject) ic.lookup("java:comp/env/security/subject");
 } catch (NamingException ne) {
 if (super.logger.isDebugEnabled())
 super.logger.warn("Lookup on Subject failed " + ne.getLocalizedMessage());
 }

 if (subject != null && subject.getPrincipals() != null) {
 Iterator principals = subject.getPrincipals().iterator();
 while (principals.hasNext()) {
 Principal p = (Principal) principals.next();
 if (super.logger.isDebugEnabled())
 super.logger.debug("Found Principal in container (" + p.getClass().getName() + ") : " + p.getName());
 if (p instanceof Authentication)
 return p;
 }
 }
 return null;
 }
}

A custom principal is used in the tomcat layer as of 3.2.4RC1 is the login module provides a group named CallerPrincpal that contains the custom principal.