1. Re: auth-method Form and Subject access
warrenc6 Jul 12, 2006 8:58 PM (in response to atorres)
You can't really, as it is discarded in the process, sorry. You get null because in the executing context no Subject is set. =)
The authentication does not affect the Java system-level security layer.
The JAAS login Realm will have authenticated using the Tomcat CallbackHandler and returned the subject.getPrincipal to the Form Authenticator, which has stuffed it in the request session.
From experience in web servers you need to do something called an access context switch. After looking at the code in Tomcat this seems impossible.
In later versions (5.05, or perhaps the JBoss version) you would need to write or find a Filter or Valve which gets the Subject out of the session and calls Subject.doAs(session.getAttribute("sum_random_subject_key" , PA{ run { chain.forward
You could write a LoginContext which trusts you (the caller) and returns a Subject.
Then the code actually runs as who it is logged in as. I have had to write a security context switcher for Jetty and Tomcat in the past.
I don't know if this is now standard in the later releases. Good luck.
2. Re: auth-method Form and Subject access
warrenc6 Jul 12, 2006 9:29 PM (in response to atorres)
Just an afterthought. If you subclass Realm and GenericPrincipal and add a principal.getSubject() method, then return the original Subject. Then you can get it from ((MYPrincipal)request.getPrincipal()).getSubject()
This is what JBoss appears to have done. So if you happen to have authenticated an instanceof JBossGenericPrincipal you can call getSubject.
3. Re: auth-method Form and Subject access
atorres Jul 12, 2006 10:49 PM (in response to atorres)
The Principal returned by the request is a SimplePrincipal; it doesn't have the getSubject method :(
I discovered that the Subject is in the JNDI tree:
ctx.lookup("java:/comp/env/security/subject");
Another interesting thing is that if I create the Subject myself by using the LoginContext, no Subject is placed in the JNDI context.
I'm not very confident with the JNDI solution yet, but it looks like it works. I will take a look at the Valves of Tomcat too, Warren!
Thanks
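Putting the two ideas from this thread together (warrenc6's Filter that calls Subject.doAs around the rest of the chain, and atorres's JNDI lookup of java:/comp/env/security/subject), here is an added example of such a Filter. It is not code from any poster or from JBoss; the class name SubjectDoAsFilter is made up, and it assumes the container binds the authenticated Subject at that JNDI name as described above.

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.servlet.*;

/** Runs the rest of the filter chain as the Subject the container bound in JNDI
 *  after FORM authentication, so downstream code can recover it with
 *  Subject.getSubject(AccessController.getContext()). Hypothetical class name. */
public class SubjectDoAsFilter implements Filter {
    // JNDI name quoted in the thread; the filter falls back to an unprivileged run if absent.
    private static final String SUBJECT_JNDI = "java:/comp/env/security/subject";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(final ServletRequest req, final ServletResponse resp,
                         final FilterChain chain) throws IOException, ServletException {
        Subject subject = lookupSubject();
        if (subject == null) {
            // Not authenticated, or the Subject was built by hand via LoginContext
            // (which, as noted above, is not placed in JNDI): continue without a Subject.
            chain.doFilter(req, resp);
            return;
        }
        try {
            // Associate the Subject with the AccessControlContext for the rest of the chain.
            Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
                public Void run() throws IOException, ServletException {
                    chain.doFilter(req, resp);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // Unwrap so servlets see the same exception types they would without the filter.
            Throwable cause = e.getCause();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }

    private static Subject lookupSubject() {
        try {
            return (Subject) new InitialContext().lookup(SUBJECT_JNDI);
        } catch (NamingException e) {
            return null; // nothing bound for this request
        }
    }
}
```

Map the filter to the protected URL patterns in web.xml; Subject.doAs only affects code running inside that call, so anything executed before the filter still sees a null Subject.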
4. Re: auth-method Form and Subject access
j2ee_junkie Jul 13, 2006 8:31 AM (in response to atorres)
atorres,
Warren6 is just plain silly. There are at least two ways to get the authenticated Subject. I think all of them are JBoss dependent; not sure if this is a problem for you. However...
1.) The way you have done it is a great way, using JNDI.
2.) The Tomcat service has a SubjectAttributeName option that will store the authenticated Subject in request scope.
Enjoy, cgriffith