4 Replies Latest reply on Jul 13, 2006 8:31 AM by chris griffith

    auth-method Form and Subject access

    Alexandre Torres Newbie

      Hi.
I'm using auth-method Form for authentication on my web application. This worked fine; I can verify my current user by
request.getUserPrincipal()
or check the roles with the isUserInRole method. Now I need access to the Subject object of this user. My question is: was the Subject created in the login process together with the Principal object? If so, how can I get the Subject?
If I call LoginContext, won't I be doing another unnecessary login?

I also tried this code inside my servlet:

AccessControlContext acc = AccessController.getContext();
Subject subject = Subject.getSubject(acc);

But subject comes back null, while the request still has the Principal object.

      Thanks

        • 1. Re: auth-method Form and Subject access
          warren crossing Newbie

You can't really, as it is discarded in the process, sorry. You get null because in the executing context no Subject is set. =)

The authentication does not affect the Java system-level security layer.

The JAAS login Realm will have authenticated using the Tomcat CallbackHandler and returned the subject.getPrincipal to the Form Authenticator, which has stuffed it in the request session.

From experience in web servers you need to do something called an access context switch. After looking at the code in Tomcat this seems impossible.

In later versions, 5.05 or perhaps the JBoss version, you would need to write or find a Filter or Valve which gets the Subject out of the session and calls Subject.doAs(session.getAttribute("sum_random_subject_key" , PA{ run { chain.forward

You could write a LoginContext which trusts you (the caller) and returns a Subject.

Then the code actually runs as whoever is logged in. I have had to write a security context switcher for Jetty and Tomcat in the past.

          I don't know if this is now standard in the later releases. Good luck.

          • 2. Re: auth-method Form and Subject access
            warren crossing Newbie

Just an afterthought. If you subclass Realm and GenericPrincipal and add a principal.getSubject() method that returns the original Subject, then you can get it from ((MYPrincipal)request.getPrincipal()).getSubject()

This is what JBoss appears to have done. So if you happen to have authenticated as an instance of JBossGenericPrincipal, you can call getSubject.

            • 3. Re: auth-method Form and Subject access
              Alexandre Torres Newbie

The Principal returned by the request is a SimplePrincipal; it doesn't have the getSubject method :(

I discovered that the Subject is in the JNDI tree:
              ctx.lookup("java:/comp/env/security/subject");

Another interesting thing is that if I create the Subject myself using the LoginContext, no Subject is placed in the JNDI context.
I'm not very confident with the JNDI solution yet, but it looks like it works. I will take a look at the Tomcat valves too, Warren!

              Thanks

              • 4. Re: auth-method Form and Subject access
                chris griffith Expert

                atorres,

Warren6 is just plain silly. There are at least two ways to get the authenticated Subject. I think all of them are JBoss dependent; not sure if this is a problem for you. However...

1.) the way you have done it is a great way, using JNDI

2.) the Tomcat service has a SubjectAttributeName option that will store the authenticated Subject in request scope.

                Enjoy, cgriffith
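Putting the thread's pieces together, as an added example that is not code from any of the posters: a servlet Filter that looks up the container's authenticated Subject (the request attribute from reply 4, whose attribute name here is an assumed placeholder, falling back to the JNDI name from reply 3) and runs the rest of the chain under Subject.doAs as reply 1 suggests, so downstream code gets a non-null Subject from AccessController.getContext(). It assumes a javax.servlet container and Java 8 or later; the class name is hypothetical.

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.servlet.*;
// Runs the rest of the chain inside Subject.doAs, so that downstream code sees
// Subject.getSubject(AccessController.getContext()) != null for the logged-in user.
public class SubjectPropagationFilter implements Filter {
    // Assumed attribute name: must match the SubjectAttributeName the container
    // is configured with (reply 4); the JNDI name is the one found in reply 3.
    static final String REQUEST_ATTR = "j_subject";
    static final String JNDI_NAME = "java:/comp/env/security/subject";
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    // Locate the container's authenticated Subject: request attribute first, then JNDI.
    static Subject lookupSubject(ServletRequest req) {
        Object attr = req.getAttribute(REQUEST_ATTR);
        if (attr instanceof Subject) return (Subject) attr;
        try {
            Object bound = new InitialContext().lookup(JNDI_NAME);
            return bound instanceof Subject ? (Subject) bound : null;
        } catch (NamingException e) {
            return null; // nothing bound: the request is unauthenticated
        }
    }
    public void doFilter(final ServletRequest req, final ServletResponse res,
                         final FilterChain chain) throws IOException, ServletException {
        Subject subject = lookupSubject(req);
        if (subject == null) {          // anonymous request: no identity to propagate
            chain.doFilter(req, res);
            return;
        }
        try {
            // Everything after this filter runs with the Subject on the access control context.
            Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
                chain.doFilter(req, res);
                return null;
            });
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();  // unwrap what the chain actually threw
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }
}
```

Map the filter in web.xml ahead of the servlets that need the Subject; with neither the attribute nor the JNDI binding present, the chain simply runs without an identity, which is the behaviour the original poster observed.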