portals-jetspeed-dev mailing list archives

From "Ate Douma (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Updated: (JS2-238) Subject object is abandoned after the JAAS authentication
Date Tue, 24 May 2005 22:35:55 GMT
     [ http://issues.apache.org/jira/browse/JS2-238?page=all ]

Ate Douma updated JS2-238:

    Priority: Minor  (was: Critical)

Although I recognize this problem, I can't find it critical.

There is *no* JAAS API which provides access to a logged on Subject other than from the LoginModule

Tomcat specifically doesn't provide access to it either so we would have to extend the Tomcat
JAASRealm for it.
And other App Servers have again other solutions.

Doing the LoginContext.login() once more doesn't strike me as a sound solution either.

Anyway, until someone comes up with a sound solution/patch which will work generically and/or
is easy to extend for different App Servers, I'm gonna downgrade this issue to Minor.

> Subject object is abandoned after the JAAS authentication
> ---------------------------------------------------------
>          Key: JS2-238
>          URL: http://issues.apache.org/jira/browse/JS2-238
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security, SSO
>     Versions: 2.0-M3
>  Environment: JetSpeed-2.0-M3-dev, JDK1.4.2_07, Windows XP SP2
>     Reporter: JamesLiao
>     Priority: Minor

> I want to add a customized JAAS LoginModule to implement single sign-on. So I found the
> JAAS configuration file, login.conf, and changed it like this:
> Jetspeed {
>    org.apache.jetspeed.security.impl.DefaultLoginModule required debug=true;
>    com.xxx.xxx.LoginModelImpl optional debug=true;
> };
> I debugged my LoginModuleImpl; everything is OK, I add my principal object and a credential
> object to the Subject object. But when I want to retrieve them back in the portlet, I only
> find the principal and credential created by DefaultLoginModule.
> Mine disappeared.
> So I looked through all the source code of J2. I found that the Subject object created
> by LoginContext is abandoned after the successful login. The first request after the login
> creates a new Subject object in the SecurityValve, but this subject object is not created by
> LoginContext but by UserManager. Then it is put into the session. That is the reason I lost all my
> own principals and credentials.
> I think it is not a good idea to create a new subject object after the login. It makes
> JAAS authentication meaningless. Why don't we just put the subject object created by LoginContext
> into the session with the attribute "org.apache.jetspeed.security.subject", right after the login?

This message is automatically generated by JIRA.
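As an added illustration (not code from Jetspeed, from JamesLiao or from Ate Douma), the following stand-alone Java program stacks two LoginModules the way the quoted login.conf entry does and shows which principals end up on which Subject. The module classes, the principal type, the password "secret" and the SSO token string are constructed for the demo; the only names taken from the report are the "Jetspeed" configuration entry and the session attribute "org.apache.jetspeed.security.subject". The `rebuildFromUserStore` method is an assumption that mirrors the pattern the report describes (a fresh Subject built from the user store), not the SecurityValve's actual code.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class StackedJaasDemo {

    /** Demo principal; stands in for the Jetspeed and SSO principal types (assumption). */
    public static final class NamedPrincipal implements Principal {
        private final String kind, name;
        public NamedPrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return kind + ":" + name; }
    }

    /** Shared skeleton: both toy modules read user/password through the CallbackHandler. */
    public static abstract class DemoModule implements LoginModule {
        protected Subject subject;
        private CallbackHandler handler;
        protected String user;
        protected boolean succeeded;

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
            subject = s;
            handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e);
            }
            user = nc.getName();
            // Constructed check for the demo; a real module consults its own user store.
            succeeded = "secret".equals(new String(pc.getPassword()));
            pc.clearPassword();
            if (!succeeded) throw new FailedLoginException("bad password for " + user);
            return true;
        }
        public boolean abort() { succeeded = false; return true; }
        public boolean logout() { subject.getPrincipals().clear(); succeeded = false; return true; }
    }

    /** Stand-in for DefaultLoginModule (required): adds the user principal in commit(). */
    public static final class PrimaryModule extends DemoModule {
        public boolean commit() {
            if (succeeded) subject.getPrincipals().add(new NamedPrincipal("user", user));
            return succeeded;
        }
    }

    /** Stand-in for the custom SSO module (optional): adds its own principal and a credential. */
    public static final class SsoModule extends DemoModule {
        public boolean commit() {
            if (succeeded) {
                subject.getPrincipals().add(new NamedPrincipal("sso", user));
                subject.getPublicCredentials().add("sso-token-for-" + user); // constructed token
            }
            return succeeded;
        }
    }

    /** Programmatic equivalent of the login.conf "Jetspeed" entry quoted in the report. */
    public static final class DemoConfig extends Configuration {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"Jetspeed".equals(name)) return null;
            Map<String, String> opts = Collections.singletonMap("debug", "true");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(PrimaryModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts),
                new AppConfigurationEntry(SsoModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, opts),
            };
        }
    }

    /** Answers the callbacks with fixed demo values instead of prompting. */
    static CallbackHandler handlerFor(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Assumption: mirrors the reported pattern, a fresh Subject rebuilt from the user store only. */
    static Subject rebuildFromUserStore(String user) {
        Subject s = new Subject();
        s.getPrincipals().add(new NamedPrincipal("user", user));
        return s;
    }

    public static void main(String[] args) throws LoginException {
        LoginContext lc = new LoginContext("Jetspeed", null, handlerFor("james", "secret"), new DemoConfig());
        lc.login();
        Subject fromLogin = lc.getSubject();   // carries user AND sso principals plus the credential
        System.out.println("LoginContext subject: " + fromLogin.getPrincipals()
            + " credentials=" + fromLogin.getPublicCredentials());
        Subject rebuilt = rebuildFromUserStore("james");   // carries only the user principal
        System.out.println("Rebuilt subject:      " + rebuilt.getPrincipals()
            + " credentials=" + rebuilt.getPublicCredentials());
        // Storing the LoginContext's Subject is what keeps the SSO principal and credential
        // reachable later; the attribute name is the one the report proposes.
        Map<String, Object> session = new HashMap<>();   // stands in for HttpSession
        session.put("org.apache.jetspeed.security.subject", fromLogin);
    }
}
```

Run with `javac StackedJaasDemo.java && java StackedJaasDemo`: the first line lists both `user:james` and `sso:james` with the token credential, the second lists `user:james` alone, which is the loss the report describes. Note that the program still has to call `lc.getSubject()` on the same LoginContext instance that performed the login; nothing in the JAAS API hands that Subject to code that only sees the container's request, which is the limitation the downgrade comment refers to.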