A JAAS login is not enough. You also need to call subject.doAs(handler);
Inside this call the AccessControlContext will then contain your subject.

For web there should be a better way to establish a JAAS context. Maybe you can make pax web or jetty check the authentication and already establish a JAAS context for you. I forwarded this to Achim. He might know if that works.

Christian

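The behaviour Christian describes, as an added example that is not part of this thread: the secured method looks the Subject up from the AccessControlContext, which is empty after a plain login, populated inside Subject.doAs, and shows the innermost Subject when doAs calls are nested. The Subject is built directly instead of via LoginContext.login() so the example runs without a JAAS configuration (the principal names are constructed); it assumes a JDK where Subject.getSubject is still usable (Java 8 to 17).

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class DoAsDemo {

    // Stand-in for a secured method: it is not handed the Subject as a
    // parameter but looks it up from the current AccessControlContext.
    static String securedOperation() {
        AccessControlContext acc = AccessController.getContext();
        Subject subject = Subject.getSubject(acc);
        if (subject == null) {
            throw new AccessControlException("No JAAS login present");
        }
        return subject.getPrincipals().iterator().next().getName();
    }

    // Builds a Subject directly (constructed principal name) instead of
    // going through LoginContext.login(), so no JAAS config file is needed.
    static Subject subjectFor(String name) {
        Principal p = new Principal() { public String getName() { return name; } };
        Subject s = new Subject();
        s.getPrincipals().add(p);
        s.setReadOnly();
        return s;
    }

    public static void main(String[] args) {
        Subject alice = subjectFor("alice");
        Subject bob = subjectFor("bob");

        // 1. Outside doAs: we "logged in", but the context carries no Subject.
        try {
            securedOperation();
        } catch (AccessControlException e) {
            System.out.println("outside doAs: " + e.getMessage());
        }

        // 2. Inside doAs: the Subject is attached to the AccessControlContext.
        String who = Subject.doAs(alice, (PrivilegedAction<String>) () -> securedOperation());
        System.out.println("inside doAs: " + who);

        // 3. Nested doAs in the same thread: the innermost Subject is returned.
        String inner = Subject.doAs(alice, (PrivilegedAction<String>) () ->
                Subject.doAs(bob, (PrivilegedAction<String>) () -> securedOperation()));
        System.out.println("nested doAs: " + inner);
    }
}
```

On Java 18 and later, Subject.doAs/getSubject are deprecated in favour of Subject.callAs and Subject.current, which follow the same push-and-lookup model.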
On 18.05.2015 17:37, kuvalda wrote:
One thing to clarify the problem:
I'm trying to use authentication and authorization in whiteboard servlet.
There is such a code in doGet for debug:

LoginContext lc = new LoginContext("umrp-realm", callbackHandler);
lc.login();
System.out.println(lc.getSubject().getPrincipals());
Subject subject = Subject.getSubject(AccessController.getContext());
System.out.println(subject == null);

I have a subject in loginContext after login, but subject in
AccessControlContext is null.
So calling the secured methods fails with
/java.security.AccessControlException No JAAS login present/.
Am I doing something wrong?


kuvalda wrote
Hi, Christian!
I have questions about getting the authentication result in a place
different from where we do the authentication.
There is such a description of the Subject.getSubject method in the Javadoc:
*
Get the Subject associated with the provided AccessControlContext.
The AccessControlContext may contain many Subjects (from nested doAs
calls). In this situation, the most recent Subject associated with the
AccessControlContext is returned.
*
So we can get that:
1. There is no Subject in the AccessControlContext if we don't call any
secured method. It means that just after a simple LoginContext.login()
we can't get a Subject from the AccessControlContext.
2. If another Subject calls some secured method in the same thread, it
replaces the current Subject in the AccessControlContext, and the result of
Subject.getSubject() will be different.

Thanks!
Pavel
cschneider wrote
There is one more thing you should look into. Quite often you will need
the authentication result in a place different from the place where you
do the authentication.
Passing the subject around is not very effective.

Luckily there is a quite unknown way in JAAS to do this:

AccessControlContext acc = AccessController.getContext();
Subject subject = Subject.getSubject(acc);

This allows you to get the subject at any place in your code.

-----
Pavel


--
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
http://www.talend.com
