tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kommersz <komme...@freemail.hu>
Subject Propagation of Subject with JAAS and SecurityManager enabled
Date Mon, 20 Feb 2017 13:56:46 GMT
Hi, I am playing around with the following things:- X.509 authentication- Security Manager
enabled- Custom JAAS login module via JAASRealm My custom JAAS login module properly propagates
a javax.security.auth.Subject instance at commit() back. My aim is to use this javax.security.auth.Subject
as a basis for authorization checks &ndash; expect org.apache.catalina.security.SecurityUtil
to take this over. Curiously, by the time it comes to org.apache.catalina.security.SecurityUtil.execute(&hellip;)
applying Subject.doAsPrivileged, it is done with another javax.security.auth.Subject instance.
Having looked a bit into it what is happening, I see the followings:- org.apache.catalina.security.SecurityUtil.execute(&hellip;)
looks for a subject to be present in the session object with key Globals.SUBJECT_ATTR ("javax.security.auth.subject").-
if it is not present, it will create a new blank Subject containing only one Principal, which
is extracted from the request&rsquo;s org.apache.catalina.
 connector.Request object (and store it in the session afterwards under Globals.SUBJECT_ATTR)-
org.apache.catalina.connector.Request&rsquo;s setUserPrincipal(Principal principal) sets
the session object with key Globals.SUBJECT_ATTR to a newly initialized javax.security.auth.Subject
with a single Principal. Summary: to me it seems that the mechanism currently used to propagate
the Subject to org.apache.catalina.security.SecurityUtil.execute(&hellip;) _always_ creates
a new empty Subject and adds a single user principal into it. Questions:- do I miss something
about Subject propagationIf not:- is this intentionally planned like this?- would it not make
sense to allow Subjects to be propagated to SecurityUtil 1:1 from JAAS Login modules to be
used as the Subject for privileged execution? Btw, I am on 7.0.68, but seems that the relevant
pieces of code has not been changed by 7.0.75 &ndash; most recent version checked. Thank
you for any help upfront! Regards,Gabor
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message