
List:       tomcat-user
Subject:    Propagation of Subject with JAAS and SecurityManager enabled
From:       kommersz <kommersz () freemail ! hu>
Date:       2017-02-24 18:51:48
Message-ID: freemail.20170224195148.90198.1 () fmxmldata09 ! freemail ! hu

Hi,

I am playing around with the following things:
- X.509 authentication
- Security Manager enabled
- Custom JAAS login module via JAASRealm

My custom JAAS login module properly propagates a javax.security.auth.Subject instance back at commit(). My aim is to use this javax.security.auth.Subject as a basis for authorization checks, expecting org.apache.catalina.security.SecurityUtil to take this over. Curiously, by the time it comes to org.apache.catalina.security.SecurityUtil.execute(...) applying Subject.doAsPrivileged, it is done with another javax.security.auth.Subject instance.

Having looked a bit into what is happening, I see the following:
- org.apache.catalina.security.SecurityUtil.execute(...) looks for a subject to be present in the session object with key Globals.SUBJECT_ATTR ("javax.security.auth.subject").
- if it is not present, it will create a new blank Subject containing only one Principal, which is extracted from the request's org.apache.catalina.connector.Request object (and store it in the session afterwards under Globals.SUBJECT_ATTR)
- org.apache.catalina.connector.Request's setUserPrincipal(Principal principal) sets the session object with key Globals.SUBJECT_ATTR to a newly initialized javax.security.auth.Subject with a single Principal.

Summary: to me it seems that the mechanism currently used to propagate the Subject to org.apache.catalina.security.SecurityUtil.execute(...) _always_ creates a new empty Subject and adds a single user principal into it.

Questions:
- am I missing something about Subject propagation?
If not:
- is this intentionally planned like this?
- would it not make sense to allow Subjects to be propagated to SecurityUtil 1:1 from JAAS login modules, to be used as the Subject for privileged execution?

Btw, I am on 7.0.68, but it seems that the relevant pieces of code have not been changed by 7.0.75, the most recent version I checked.

Thank you for any help upfront!

Regards,
Gabor
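The following is an added, self-contained example that is not part of the post and not Tomcat code. It shows the gap the poster describes: a hypothetical JAAS LoginModule (CertLoginModule) adds a user principal and a role principal to the Subject at commit(), an authorization check inside Subject.doAsPrivileged then looks for that role, and a helper (rebuiltLikeSecurityUtil) simulates, based purely on the poster's reading, a fresh Subject that carries only the single user Principal. The principal classes, the module, the "dn" option and the DN value are all constructed for the demo; the example does not call org.apache.catalina.security.SecurityUtil. It uses Subject.doAsPrivileged and Subject.getSubject(AccessController.getContext()), which compile on Java 8 through 17 (deprecated from 17 on); newer JDKs offer Subject.current() as the replacement.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class SubjectPropagationDemo {

    // Constructed principal types for the demo (Tomcat's JAASRealm maps principal
    // classes to users and roles via its userClassNames / roleClassNames attributes).
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof UserPrincipal && ((UserPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "User(" + name + ")"; }
    }

    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return 31 * name.hashCode(); }
        @Override public String toString() { return "Role(" + name + ")"; }
    }

    // Hypothetical login module standing in for the poster's custom JAASRealm module.
    public static final class CertLoginModule implements LoginModule {
        private Subject subject;
        private Map<String, ?> options;
        private boolean succeeded;
        private UserPrincipal user;
        private RolePrincipal role;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.options = options;
        }

        public boolean login() throws LoginException {
            // A real module would read the verified client certificate through callbacks;
            // the constructed "dn" option stands in for the already-verified X.509 subject.
            String dn = (String) options.get("dn");
            if (dn == null) throw new LoginException("no certificate DN available");
            user = new UserPrincipal(dn);
            role = new RolePrincipal("admin");
            succeeded = true;
            return true;
        }

        // commit() is where the Subject gets populated: user AND role principals.
        public boolean commit() {
            if (!succeeded) return false;
            subject.getPrincipals().add(user);
            subject.getPrincipals().add(role);
            return true;
        }

        public boolean abort() { succeeded = false; user = null; role = null; return true; }

        public boolean logout() {
            subject.getPrincipals().remove(user);
            subject.getPrincipals().remove(role);
            return true;
        }
    }

    // The Subject-based authorization check the poster wants to rely on.
    static boolean hasRole(Subject s, String role) {
        return s != null && s.getPrincipals(RolePrincipal.class).stream()
                .anyMatch(r -> r.getName().equals(role));
    }

    // Run a privileged action as the given Subject and report whether the action,
    // reading the Subject back from its own AccessControlContext, can see the role.
    static boolean runsWithRole(Subject s, String role) {
        return Subject.doAsPrivileged(s, (PrivilegedAction<Boolean>) () ->
                hasRole(Subject.getSubject(AccessController.getContext()), role), null);
    }

    // Simulation of the behaviour described in the post: a new, empty Subject
    // containing only the user Principal taken from the request. Not Tomcat code.
    static Subject rebuiltLikeSecurityUtil(Subject full) {
        Principal user = full.getPrincipals(UserPrincipal.class).iterator().next();
        Subject fresh = new Subject();
        fresh.getPrincipals().add(user);
        return fresh;
    }

    public static void main(String[] args) throws LoginException {
        Subject full = new Subject();
        CertLoginModule module = new CertLoginModule();
        Map<String, Object> options = new HashMap<>();
        options.put("dn", "CN=gabor,O=example");   // constructed sample DN
        module.initialize(full, null, new HashMap<String, Object>(), options);
        module.login();
        module.commit();

        System.out.println("login module Subject: " + full.getPrincipals()
                + " -> admin visible: " + runsWithRole(full, "admin"));
        Subject rebuilt = rebuiltLikeSecurityUtil(full);
        System.out.println("rebuilt Subject:      " + rebuilt.getPrincipals()
                + " -> admin visible: " + runsWithRole(rebuilt, "admin"));
    }
}
```

Compile and run with javac/java on a JDK up to 17. The first line reports the role as visible, the second does not: any authorization logic placed inside the privileged action that assumes the role principals added at commit() are still present would silently grant or deny on the wrong basis once the container substitutes a single-principal Subject, so such checks need to be verified against the Subject the container actually passes to doAsPrivileged, not the one the login module built.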
 
 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

