From: kommersz
Subject: Propagation of Subject with JAAS and SecurityManager enabled
To: users@tomcat.apache.org
Date: Mon, 20 Feb 2017 14:56:46 +0100 (CET)
Mailing-List: users@tomcat.apache.org (Tomcat Users List)

Hi,

I am playing around with the following things:
- X.509 authentication
- Security Manager enabled
- Custom JAAS login module via JAASRealm

My custom JAAS login module properly propagates a javax.security.auth.Subject instance back at commit(). My aim is to use this javax.security.auth.Subject as a basis for authorization checks, and I expect org.apache.catalina.security.SecurityUtil to take this over.
Curiously, by the time it comes to org.apache.catalina.security.SecurityUtil.execute(…) applying Subject.doAsPrivileged, it is done with another javax.security.auth.Subject instance. Having looked a bit into what is happening, I see the following:
- org.apache.catalina.security.SecurityUtil.execute(…) looks for a subject to be present in the session object with key Globals.SUBJECT_ATTR ("javax.security.auth.subject").
- If it is not present, it will create a new blank Subject containing only one Principal, which is extracted from the request's org.apache.catalina.connector.Request object (and store it in the session afterwards under Globals.SUBJECT_ATTR).
- org.apache.catalina.connector.Request's setUserPrincipal(Principal principal) sets the session object with key Globals.SUBJECT_ATTR to a newly initialized javax.security.auth.Subject with a single Principal.

Summary: to me it seems that the mechanism currently used to propagate the Subject to org.apache.catalina.security.SecurityUtil.execute(…) _always_ creates a new empty Subject and adds a single user principal into it.

Questions:
- Do I miss something about Subject propagation?
If not:
- Is this intentionally planned like this?
- Would it not make sense to allow Subjects to be propagated to SecurityUtil 1:1 from JAAS login modules, to be used as the Subject for privileged execution?

Btw, I am on 7.0.68, but it seems that the relevant pieces of code have not been changed by 7.0.75, the most recent version checked.

Thank you for any help upfront!

Regards,
Gabor
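The effect Gabor describes, as an added stand-alone example that is not part of the post and not Tomcat's own code: a minimal JAAS LoginModule whose commit() populates a Subject with a user principal and a role principal, a hypothetical helper rebuildFromUserPrincipal() that models the "fresh Subject holding only the request's user principal" behaviour the post attributes to Request.setUserPrincipal()/SecurityUtil.execute(), and a check run under Subject.doAsPrivileged that asks which principals the privileged action can actually see. The principal classes, the module and the helper names are all constructed for this demo; the code uses the Java 8-era API (Subject.getSubject/AccessController.getContext, which match Tomcat 7) and runs without a SecurityManager installed. With a SecurityManager enabled, the call to Subject.doAsPrivileged additionally needs javax.security.auth.AuthPermission "doAsPrivileged".

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;

public class SubjectPropagationDemo {

    // Constructed principal types for the demo; not Tomcat's GenericPrincipal.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Minimal LoginModule: commit() populates the Subject with a user and a role.
    // Assumption: the credential (e.g. the X.509 chain) was already verified upstream.
    static final class DemoLoginModule implements LoginModule {
        private Subject subject;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
        }
        @Override public boolean login() { return true; }
        @Override public boolean commit() {
            subject.getPrincipals().add(new UserPrincipal("gabor"));
            subject.getPrincipals().add(new RolePrincipal("admin"));
            return true;
        }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    // Hypothetical helper modelling the behaviour the post describes: a fresh
    // Subject that carries only the request's user principal. Not Tomcat code.
    static Subject rebuildFromUserPrincipal(Principal user) {
        Subject s = new Subject();
        s.getPrincipals().add(user);
        return s;
    }

    // Runs an action under Subject.doAsPrivileged and reports whether the Subject
    // visible from inside that action carries the given role principal.
    static boolean roleVisibleInPrivilegedAction(Subject subject, String role) {
        PrivilegedAction<Boolean> action = () -> {
            Subject seen = Subject.getSubject(AccessController.getContext());
            return seen != null && seen.getPrincipals(RolePrincipal.class).stream()
                    .anyMatch(p -> role.equals(p.getName()));
        };
        return Subject.doAsPrivileged(subject, action, null);
    }

    public static void main(String[] args) {
        // Subject as populated by the JAAS module at commit().
        Subject fromJaas = new Subject();
        DemoLoginModule module = new DemoLoginModule();
        module.initialize(fromJaas, null,
                Collections.<String, Object>emptyMap(), Collections.<String, Object>emptyMap());
        if (module.login()) {
            module.commit();
        }

        // Subject rebuilt from the single user principal, as the post says Tomcat does.
        Principal user = fromJaas.getPrincipals(UserPrincipal.class).iterator().next();
        Subject rebuilt = rebuildFromUserPrincipal(user);

        System.out.println("JAAS Subject, admin role visible:    "
                + roleVisibleInPrivilegedAction(fromJaas, "admin"));
        System.out.println("Rebuilt Subject, admin role visible: "
                + roleVisibleInPrivilegedAction(rebuilt, "admin"));
    }
}
```

The point the demo makes is the one the post is asking about: Subject.doAsPrivileged binds exactly the Subject it is handed into the AccessControlContext, so any authorization check inside the privileged action (or a javax.security.auth.Subject-based policy) only sees the principals that Subject contains. A Subject rebuilt from the single user principal has lost the role principals the LoginModule added, so a check keyed on them comes out negative even though the JAAS login succeeded.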