[jboss-user] [Security & JAAS/JBoss] - Re: auth-method Form and Subject access

warrenc6 do-not-reply at jboss.com
Wed Jul 12 20:58:17 EDT 2006


You can't really, as it is discarded in the process, sorry. You get null because in the executing context no subject is set. =)

The authentication does not affect the Java systems level security layer.

The JAAS login Realm will have authenticated using the Tomcat CallbackHandler and returned the subject.getPrincipal to the Form Authenticator, which has stuffed it in the request session.

From experience in web servers you need to do something called an access context switch. After looking at the code in Tomcat this seems impossible.

If later versions 5.05 or perhaps the JBoss version, you would need to write or find a Filter or Valve which gets the subject out of the session and calls Subject.doAs(session.getAttribute("sum_random_subject_key"), PA{ run { chain.forward

You could write a logincontext which trusts you (the caller) and returns a Subject

Then the code actually runs as who it is logged in as. I have had to write a security context switcher for Jetty and Tomcat in the past.

I don't know if this is now standard in the later releases. Good luck.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3957591#3957591

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3957591


