tomcat-users mailing list archives

From tbalent <>
Subject How to programmatically set the JAAS Subject in Tomcat 5.5
Date Tue, 28 Jul 2009 13:50:00 GMT

We have an implementation of a J2EE servlet filter that we use in Tomcat that 
restricts connections based on either a list of trusted source IP addresses, 
or a secret header value, or a combination of both.
This servlet filter is currently used with perimeter authentication / 
authorization occurring in an Apache proxy that is enabled with a 3rd Party 
agent. When the agent allows the HTTP request through (to Tomcat or a J2EE 
application server), it adds HTTP request headers. One header is the 
authenticated user and the other is a list of comma-separated groups that the
authenticated user belongs to.
Our goal is to add code to this J2EE servlet filter to use these HTTP
headers to create a JAAS subject, so that applications behind the filter
can then make use of the JAAS subject programmatically or via
declarative security (e.g., via <security-constraint>, annotations, etc.).
We would ideally like to do all of this without implementing / defining a
JAAS LoginModule and CallbackHandler, if at all possible. (The perimeter 
authentication ensures that the user has already properly authenticated; the 
trusted source IP and/or secret header ensures that the request came via the 
Apache proxy where the 3rd Party agent is enabled.) 

We have implemented similar code with Oracle's WebLogic Server using code 
something like this (most of this is WebLogic specific code):

   // WebLogic-specific code; pieces that were lost in the original post are marked.
   private static Subject admin;

   public void doSetJAASSubject(final Subject subject,
                                HttpServletRequest request) throws Exception {
     if (admin == null) {
       // The expression that was cast here is elided in the original post.
       AuthenticatedSubject authAdmin = (AuthenticatedSubject) /* elided */ null;
       admin = authAdmin.getSubject();
     }
     // The call wrapping this PrivilegedAction is missing in the original post;
     // weblogic.security.Security.runAs(admin, ...) is assumed here.
     Security.runAs(admin, new PrivilegedAction() {
       public Object run() {
         PrincipalValidatorImpl validator = new PrincipalValidatorImpl();
         Iterator it = subject.getPrincipals().iterator();
         while (it.hasNext()) {
           Principal principal = (Principal) it.next();
           validator.sign(principal); // assumed: sign each principal so WebLogic accepts the Subject
         }
         return null;
       }
     });
     ServletAuthentication.runAs(subject, request);
   }

So, the questions are: is it possible to do this in Tomcat? And if so, how
do we do it so that the JAAS subject is available programmatically, for use 
with <security-constraint>, etc., without requiring additional configuration
or any additional implementation from the development teams?
Thank you,

Sent from the Tomcat - User mailing list archive at
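The filter-side half of what the post describes, as an added example that is not the poster's code: the request is accepted only if it arrived from a trusted proxy address and carries the shared-secret header, and only then are the proxy-supplied user and group headers turned into a JAAS Subject and exposed through the servlet API. The header names, the proxy address and the secret are constructed assumptions.

```java
import java.io.IOException;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;
/** Honours proxy-supplied identity headers only after proving the request came via the proxy. */
public class HeaderSubjectFilter implements Filter {
    // Constructed sample values; a real deployment would read these from filter init-params.
    private final Set<String> trustedProxies = new HashSet<String>(Arrays.asList("10.0.0.5"));
    private final byte[] sharedSecret = "constructed-shared-secret".getBytes();
    public void init(FilterConfig config) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, final ServletResponse res, final FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String secret = r.getHeader("X-Proxy-Secret"); // all header names here are assumptions
        boolean viaProxy = trustedProxies.contains(r.getRemoteAddr()) && secret != null
                && MessageDigest.isEqual(secret.getBytes(), sharedSecret); // constant-time compare
        final String user = r.getHeader("X-Remote-User");
        if (!viaProxy || user == null) { // not from the proxy: identity headers could be forged
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        final Set<String> roles = new HashSet<String>();
        String groups = r.getHeader("X-Remote-Groups");
        if (groups != null) for (String g : groups.split(",")) roles.add(g.trim());
        final Principal principal = new Principal() { public String getName() { return user; } };
        Subject subject = new Subject();
        subject.getPrincipals().add(principal);
        // Expose the identity through the standard servlet API for programmatic checks.
        final HttpServletRequest wrapped = new HttpServletRequestWrapper(r) {
            public Principal getUserPrincipal() { return principal; }
            public String getRemoteUser() { return user; }
            public boolean isUserInRole(String role) { return roles.contains(role); }
        };
        try { // run the rest of the chain as the Subject so Subject.getSubject(...) finds it
            Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
                public Void run() throws IOException, ServletException {
                    chain.doFilter(wrapped, res); return null;
                }
            });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof IOException) throw (IOException) cause;
            throw (ServletException) cause;
        }
    }
}
```

Tomcat evaluates <security-constraint> in its authenticator valve before the filter chain runs, so a wrapper like this serves programmatic checks (getUserPrincipal, isUserInRole, Subject.getSubject) but not declarative constraints; covering those requires a Tomcat Valve or Realm that sets the request principal ahead of the authenticator.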