I resolved this. The problem was in the SecurityUtil.java execute method.

Fixed code in execute method:

    ...
    if (subject == null){
        subject = new Subject();
        //I added following two lines
        if (principal != null) subject.getPrincipals().add(principal);
        session.setAttribute(Globals.SUBJECT_ATTR, subject);
    }
    ...

-----Original Message-----
From: Janne Väänänen
Sent: 17 May 2004 12:12
To: [EMAIL PROTECTED]
Subject: javax.security.auth.subject disappears

Hi,

I'm running Tomcat 5 with the -security option and I'm using a JAAS login module. In the JSP pages, in the first request after I have identified myself, Subject is null. When I hit refresh (second request), Subject is the correct subject with principals etc. But after that, in all requests, Subject is empty, no principals etc.

I use the following code to get Subject:

    AccessControlContext acc = AccessController.getContext();
    Subject sub = Subject.getSubject(acc);

I checked the Tomcat source code and saw that it uses the javax.security.auth.subject attribute to store Subject in the session.

CoyoteRequest.java

    public void setUserPrincipal(Principal principal) {
        if (System.getSecurityManager() != null){
            HttpSession session = getSession(false);
            if ( (subject != null) &&
                 (!subject.getPrincipals().contains(principal)) ){
                subject.getPrincipals().add(principal);
            } else if (session != null &&
                       session.getAttribute(Globals.SUBJECT_ATTR) == null) {
                subject = new Subject();
                subject.getPrincipals().add(principal);
            }
            if (session != null){
                session.setAttribute(Globals.SUBJECT_ATTR, subject);
            }
        }
        this.userPrincipal = principal;
    }

I guess that session.getAttribute(Globals.SUBJECT_ATTR) is somehow null after the second request. Any ideas what is causing this and how I can fix it?
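The pattern discussed in this thread, as an added stand-alone example that is not Tomcat's code and not from either message: a per-session Subject is created once, populated with the authenticated principal, stored under the session attribute, and bound to the access control context with Subject.doAs so that Subject.getSubject(AccessController.getContext()) sees it on every request. The HashMap standing in for HttpSession, the UserPrincipal class, the user name and the helper names are assumptions for illustration; it assumes JDK 8 to 17, where Subject.getSubject(AccessControlContext) is still supported.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;

public class SessionSubjectDemo {
    // Attribute name the thread says Tomcat uses for the session-stored Subject.
    static final String SUBJECT_ATTR = "javax.security.auth.subject";

    // Hypothetical principal type, constructed for this demo.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof UserPrincipal && ((UserPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    // Get-or-create: reuse the session's Subject, otherwise build one, and make
    // sure it carries the authenticated principal before later requests use it.
    static Subject subjectFor(Map<String, Object> session, Principal principal) {
        Subject subject = (Subject) session.get(SUBJECT_ATTR);
        if (subject == null) {
            subject = new Subject();
            session.put(SUBJECT_ATTR, subject);
        }
        if (principal != null) subject.getPrincipals().add(principal); // set: no duplicates
        return subject;
    }

    // What page code sees: the Subject bound to the current access control context.
    static Subject currentSubject() {
        return Subject.getSubject(AccessController.getContext());
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // stand-in for HttpSession
        Principal user = new UserPrincipal("alice");   // constructed sample user
        System.out.println("outside doAs: " + currentSubject()); // no Subject bound
        for (int request = 1; request <= 3; request++) {
            Subject s = subjectFor(session, user);
            Subject seen = Subject.doAs(s, (PrivilegedAction<Subject>) SessionSubjectDemo::currentSubject);
            System.out.println("request " + request + ": " + seen.getPrincipals());
        }
    }
}
```

An empty Subject stored in the session is indistinguishable from a valid one to a null check, so authorization code that relies on the session Subject should test for the expected principal rather than for non-null.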