[ http://jira.jboss.com/jira/browse/JBAS-648?page=history ]

Scott M Stark closed JBAS-648:
------------------------------
    Resolution: Won't Fix

> Form-based Authentication drops Subject
> ---------------------------------------
>
>          Key: JBAS-648
>          URL: http://jira.jboss.com/jira/browse/JBAS-648
>      Project: JBoss Application Server
>         Type: Bug
>   Components: Web (Tomcat) service
>     Versions: JBossAS-3.2.6 Final
>     Reporter: SourceForge User
>     Assignee: Scott M Stark
>
>
> SourceForge Submitter: jhouse .
>
> (JBoss 3.2.1 and JBoss-Jetty 3.2.2)
>
> I've come across an issue with the JBoss-Jetty integration.
>
> I've got Form-based authentication turned on. I have a JBoss security
> realm defined with a "DatabaseServerLoginModule" as the login module.
> Almost everything works fine: authentication happens, and the request is
> able to return the userPrincipal and do isUserInRole() checks perfectly.
>
> The problem lies in that the Subject (although it was placed in the
> request by the login module, which I can verify in the logs) is lost
> from the Request as isAuthenticated() is called on the principal, so by
> the time I try to retrieve the Subject from the request (with
> request.getAttribute("j_subject")) it is missing.
>
> I've had the help of the Jetty folks in trying to track down what the
> issue is, and finally got the following response from Jan Bartel:
>
> ==============================
> Are you using FORM based authentication? If so, I think I know what is
> happening. With FORM based authentication, the realm's authenticate()
> method is only called at login time; subsequent requests will cause
> isAuthenticated() on the UserPrincipal set in the request to be called
> instead.
>
> Unfortunately, the isAuthenticated() method on the UserPrincipal in the
> JBoss/Jetty integration doesn't set the Subject back into the request as
> it should.
> You should raise a bug with the JBoss guys, but since they've recently
> removed everyone here at MortBay's CVS write access, getting a fix into
> the JBoss code might prove difficult :-(
>
> As a workaround, you could try getting the subject from the security
> manager. Try something like:
>
>     javax.naming.InitialContext ctx = new javax.naming.InitialContext();
>     org.jboss.security.SubjectSecurityManager mgr =
>         (org.jboss.security.SubjectSecurityManager) ctx.lookup("java:comp/env/security/securityMgr");
>     javax.security.auth.Subject subject = mgr.getActiveSubject();
>
> Jan
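The workaround Jan describes, carried into a servlet filter so that application code can keep reading request.getAttribute("j_subject") on every request and not only on the login request. This is an added example, not code from the bug report, from JBoss or from Jetty. The JNDI name java:comp/env/security/securityMgr and the SubjectSecurityManager.getActiveSubject() call are taken from the report; the filter class name, the decision to write the Subject back under the "j_subject" attribute, and the name-based check that the active Subject really belongs to the request's user principal are assumptions made for this example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Iterator;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.jboss.security.SubjectSecurityManager;

/**
 * Added example (not from JBAS-648, JBoss or Jetty). On FORM-authenticated
 * requests after the initial login, the integration only calls
 * isAuthenticated() and never re-sets the Subject on the request; this
 * filter fetches it from the security manager instead and restores it.
 */
public class SubjectRestoringFilter implements Filter {

    /** Request attribute name the bug report says the login module uses. */
    static final String SUBJECT_ATTR = "j_subject";

    /** JNDI name of the security manager, as given in Jan Bartel's reply. */
    static final String SECURITY_MGR_JNDI = "java:comp/env/security/securityMgr";

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        Principal user = request.getUserPrincipal();

        // Only an authenticated request can legitimately carry a Subject,
        // and the login request already has it; so only fill the gap.
        if (user != null && request.getAttribute(SUBJECT_ATTR) == null) {
            Subject active = lookupActiveSubject();
            // The active Subject is thread-associated state. Before attaching
            // it, check that it actually carries the principal the container
            // authenticated for this request (assumed: compare by name, since
            // the container's Principal class may not implement equals()).
            if (active != null && carriesPrincipal(active, user)) {
                request.setAttribute(SUBJECT_ATTR, active);
            }
        }
        chain.doFilter(req, res);
    }

    /** Fallback from the report: ask the security manager for the active Subject. */
    static Subject lookupActiveSubject() {
        try {
            InitialContext ctx = new InitialContext();
            SubjectSecurityManager mgr =
                (SubjectSecurityManager) ctx.lookup(SECURITY_MGR_JNDI);
            return mgr.getActiveSubject();
        } catch (NamingException e) {
            // No security manager bound for this web app: leave the attribute unset.
            return null;
        }
    }

    /** True if some Principal in the Subject has the same name as the request's user. */
    static boolean carriesPrincipal(Subject subject, Principal user) {
        for (Iterator it = subject.getPrincipals().iterator(); it.hasNext();) {
            Principal p = (Principal) it.next();
            if (user.getName().equals(p.getName())) {
                return true;
            }
        }
        return false;
    }
}
```

Map the filter in web.xml to the URL patterns that are protected by the security constraint (a filter-mapping for /* is simplest), so that it runs after the container's authentication step but before any servlet that reads "j_subject". Because the filter refuses to attach a Subject whose principals do not match request.getUserPrincipal(), a stale thread-local Subject from an earlier request on the same worker thread is never handed to application code.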