4 Replies Latest reply on Jul 13, 2006 8:31 AM by j2ee_junkie

auth-method Form and Subject access

atorres Jul 12, 2006 2:36 PM

Hi.
I'm using auth-method Form for authentication on my web application. This worked fine , I can verify my current user by
request.getUserPrincipal()
or check the roles with the isUserInRole method. Now I need access to a Subject Object of this user. My question is, the subject was created in the login process with principal object? If so, how can I get the Subject ?
If I call LoginContext I will not be doing another unecessary login?

I Also tried this code too inside my servlet:

AccessControlContext acc = AccessController.getContext();
Subject subject= Subject.getSubject(acc);

But subject returns null. But the request still have the Principal Object.

Thanks

1. Re: auth-method Form and Subject access

warrenc6 Jul 12, 2006 8:58 PM (in response to atorres)

You cant really, as it is dicarded in the process, sorry. You get null because in the executing context no subject is set. =)

The authentication does not affect the Java systems level security layer.

The JASS login Realm will have authenticated using the tomcat callbackhandler and returned the subject.getPrincipal to the Form Authenticator which has stuffed it in the request session.

From experience in web servers you need to do something called a access context switch. After looking at the code in tomcat this seems impossible.

If later versions 5.05 or perhaps the Jboss version, you would need to write or find a Filter or Valve which gets the subject out of the session and calls Subject.doAs(session.getAttribute("sum_random_subject_key" , PA{ run { chain.forward

You could write a logincontext which trusts you (the caller) and returns a Subject

Then the code actually runs as who it is logged in as. I have had to write a security context switcher for jetty and tomcat in the past.

I don't know if this is now standard in the later releases. Good luck.
Actions
2. Re: auth-method Form and Subject access

warrenc6 Jul 12, 2006 9:29 PM (in response to atorres)

Just an anfter thought. If you subclass realm and genericprincpal and add a principal.getSubject() method then return the origional subject. Then you can get it from ((MYPrincipal)request.getPrincipal()).getSubject()

This is what jboss appear to have done. so if you happen to have authenticated an instanceof JBossGenericPrincipal you can call getSubject
Actions
3. Re: auth-method Form and Subject access

atorres Jul 12, 2006 10:49 PM (in response to atorres)

The Principal returned by the request is a SimplePrincipal, it doesn't have the getSubject method :(

I discovered that the subject is in the JNDI tree:
ctx.lookup("java:/comp/env/security/subject");

another interesting thing is that if I create the subject myself by using the LoginContext , no subject is placed in the jndi context.
I'm not very confident with the jndi solution yet, but it looks like it works. I will take a look in the valves of tomcat too waren!

Thanks
Actions
4. Re: auth-method Form and Subject access

j2ee_junkie Jul 13, 2006 8:31 AM (in response to atorres)

atorres,

Warren6 is just plain silly. There are at least two ways to get the Authenticated Subject. I think all of them are JBoss dependant; not sure if this is a problem for you. However...

1.) the way you have done it is a great way using JNDI

2.) tomcat service has an SubjectAttributeName option that will store the authenticated subject in request scope.

Enjoy, cgriffith
Actions

Go to original post