Date: Wed, 8 Mar 2017 12:27:44 +0100 (CET)
From: kommersz
Subject: Re: Propagation of Subject with JAAS and SecurityManager enabled
To: Tomcat Users List

Well, if there are no hints, here is my view.

I checked the code for locations where org.apache.catalina.Globals.SUBJECT_ATTR (or the String "javax.security.auth.subject") is used. There are seemingly two locations:
- org.apache.catalina.connector.Request.setUserPrincipal(...)
- org.apache.catalina.security.SecurityUtil.execute(...)
The way they use the SUBJECT_ATTR key to put a Subject in the Session practically excludes the possibility of using the Subject from the JAAS login module.

Beyond that, org.apache.catalina.realm.JAASRealm.authenticate(String username, CallbackHandler callbackHandler) effectively throws away the Subject it gained after having extracted the user and roles for creating a GenericPrincipal - so even a workaround of passing the Subject between the JAAS LoginModule and a Valve in a ThreadContext to smuggle it into the Session under SUBJECT_ATTR would not work.

I am new here, and do not know how things work, but beyond a few questions I would also make a proposal for a fix, and would be ready to deliver it if I get it approved :)
So:
- Is it intentional not to allow a Subject from a JAAS LoginModule to be used when switching to privileged mode using Subject.doAsPrivileged at a later point in the code? (I would doubt it, but I may not know)
- What is the purpose of putting the Subject into the Session? As I understand it (though I haven't studied it extensively), in JAAS a LoginModule has the responsibility to provide a Subject per request - so it could decide on its own whether it wants to cache or not (though it does not have access to the Session).
- Would it be a good idea to remove the subject field from org.apache.catalina.connector.Request and move it into GenericPrincipal as a "reference to parent"? As the principal is reliably passed around, it could be used.

Thanks,
Gabor

kommersz wrote:
>Hi,
>
>I am playing around with the following things:
>- X.509 authentication
>- Security Manager enabled
>- Custom JAAS login module via JAASRealm
>
>My custom JAAS login module properly propagates a javax.security.auth.Subject instance back at commit(). My aim is to use this javax.security.auth.Subject as a basis for authorization checks - I expect org.apache.catalina.security.SecurityUtil to take this over.
>Curiously, by the time it comes to org.apache.catalina.security.SecurityUtil.execute(...) applying Subject.doAsPrivileged, it is done with another javax.security.auth.Subject instance.
>
>Having looked a bit into what is happening, I see the following:
>- org.apache.catalina.security.SecurityUtil.execute(...) looks for a Subject to be present in the session object with key Globals.SUBJECT_ATTR ("javax.security.auth.subject").
>- If it is not present, it will create a new blank Subject containing only one Principal, which is extracted from the request's org.apache.catalina.connector.Request object (and store it in the session afterwards under Globals.SUBJECT_ATTR).
>- org.apache.catalina.connector.Request's setUserPrincipal(Principal principal) sets the session object with key Globals.SUBJECT_ATTR to a newly initialized javax.security.auth.Subject with a single Principal.
>
>Summary: to me it seems that the mechanism currently used to propagate the Subject to org.apache.catalina.security.SecurityUtil.execute(...) _always_ creates a new empty Subject and adds a single user principal into it.
>
>Questions:
>- Am I missing something about Subject propagation?
>If not:
>- Is this intentionally planned like this?
>- Would it not make sense to allow Subjects to be propagated to SecurityUtil 1:1 from JAAS login modules, to be used as the Subject for privileged execution?
>
>Btw, I am on 7.0.68, but it seems that the relevant pieces of code have not been changed by 7.0.75 - the most recent version checked.
>
>Thank you for any help upfront!
>
>Regards,
>Gabor
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org
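An added diagnostic (example code of mine, not Tomcat's and not Gabor's) that makes the behaviour discussed in this thread observable: a servlet filter that logs which Subject is bound to the request thread and whether it is the same instance Tomcat stored in the session under Globals.SUBJECT_ATTR. It assumes Tomcat 7's javax.servlet API and a deployment with the SecurityManager enabled, so that the filter chain itself runs inside Subject.doAsPrivileged.

```java
import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Diagnostic filter for the situation described in the thread: it reports which
// Subject is in effect on the request thread (the one SecurityUtil handed to
// Subject.doAsPrivileged) and whether it is the instance stored in the session.
// Assumption: SecurityManager enabled, so the filter chain runs under doAsPrivileged.
public class SubjectDiagnosticFilter implements Filter {
    // Literal value of org.apache.catalina.Globals.SUBJECT_ATTR, as quoted in the thread.
    private static final String SUBJECT_ATTR = "javax.security.auth.subject";
    private ServletContext ctx;

    @Override
    public void init(FilterConfig config) { ctx = config.getServletContext(); }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Subject bound to this thread by Subject.doAsPrivileged; null if there is none.
        Subject effective = Subject.getSubject(AccessController.getContext());
        HttpSession session = http.getSession(false);
        Object stored = session == null ? null : session.getAttribute(SUBJECT_ATTR);

        ctx.log("userPrincipal    : " + http.getUserPrincipal());
        ctx.log("effective subject: " + describe(effective));
        ctx.log("session subject  : " + describe(stored instanceof Subject ? (Subject) stored : null));
        ctx.log("same instance    : " + (effective != null && effective == stored));
        chain.doFilter(req, resp);
    }

    // Lists principal classes and names: a Subject populated by a JAAS LoginModule shows
    // that module's own principal types, a Tomcat-built one only a single GenericPrincipal.
    static String describe(Subject s) {
        if (s == null) return "<none>";
        StringBuilder sb = new StringBuilder();
        for (Principal p : s.getPrincipals()) {
            sb.append(p.getClass().getName()).append('=').append(p.getName()).append(' ');
        }
        return s.getPrincipals().size() + " principal(s): " + sb.toString().trim();
    }

    @Override
    public void destroy() { }
}
```

Map the filter to the protected URL pattern in web.xml; if the log shows one GenericPrincipal in the effective Subject while the LoginModule committed several principals, the request is running under the Subject Tomcat constructed, not the JAAS one.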