Hi,

I am playing around with the following things:
- X.509 authentication
- Security Manager enabled
- Custom JAAS login module via JAASRealm

My custom JAAS login module properly propagates a javax.security.auth.Subject instance at commit() back. My aim is to use this javax.security.auth.Subject as a basis for authorization checks – expecting org.apache.catalina.security.SecurityUtil to take this over. Curiously, by the time it comes to org.apache.catalina.security.SecurityUtil.execute(…) applying Subject.doAsPrivileged, it is done with another javax.security.auth.Subject instance.

Having looked a bit into what is happening, I see the following:
- org.apache.catalina.security.SecurityUtil.execute(…) looks for a subject to be present in the session object with key Globals.SUBJECT_ATTR ("javax.security.auth.subject").
- If it is not present, it will create a new blank Subject containing only one Principal, which is extracted from the request's org.apache.catalina.connector.Request object (and store it in the session afterwards under Globals.SUBJECT_ATTR).
- org.apache.catalina.connector.Request's setUserPrincipal(Principal principal) sets the session object with key Globals.SUBJECT_ATTR to a newly initialized javax.security.auth.Subject with a single Principal.

Summary: to me it seems that the mechanism currently used to propagate the Subject to org.apache.catalina.security.SecurityUtil.execute(…) _always_ creates a new empty Subject and adds a single user principal into it.

Questions:
- Do I miss something about Subject propagation?
If not:
- Is this intentionally planned like this?
- Would it not make sense to allow Subjects to be propagated to SecurityUtil 1:1 from JAAS login modules, to be used as the Subject for privileged execution?

Btw, I am on 7.0.68, but it seems that the relevant pieces of code have not been changed by 7.0.75 – the most recent version checked.

Thank you for any help upfront!

Regards,
Gabor
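A diagnostic servlet, added here as an example and not part of the original post or of Tomcat, that makes the behaviour described above observable: it reports the Subject actually in effect during the request (the one Subject.doAsPrivileged installed) and compares it with the instance stored in the session under the "javax.security.auth.subject" key. The servlet class name is hypothetical, and it assumes the Servlet API and a Security Manager enabled so that SecurityUtil wraps the call.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.AccessController;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical diagnostic servlet: shows which Subject a request runs under. */
public class SubjectDiagServlet extends HttpServlet {

    // Session key SecurityUtil uses (value of Globals.SUBJECT_ATTR from the post).
    private static final String SUBJECT_ATTR = "javax.security.auth.subject";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // With the Security Manager on, SecurityUtil.execute(...) runs this
        // method inside Subject.doAsPrivileged, so this is the effective Subject.
        Subject effective = Subject.getSubject(AccessController.getContext());

        // The Subject that Request.setUserPrincipal(...) stored in the session.
        HttpSession session = req.getSession(false);
        Object stored = session == null ? null : session.getAttribute(SUBJECT_ATTR);

        out.println("request.getUserPrincipal(): " + req.getUserPrincipal());
        out.println("session Subject is the effective instance: "
                + (stored != null && stored == effective));
        if (effective == null) {
            out.println("no Subject in effect (Security Manager disabled?)");
            return;
        }
        // A Subject filled by a JAAS LoginModule at commit() would normally carry
        // more than the single user Principal the post describes.
        out.println("principals in effective Subject: " + effective.getPrincipals().size());
        for (Principal p : effective.getPrincipals()) {
            out.println("  " + p.getClass().getName() + " -> " + p.getName());
        }
        out.println("public credentials: " + effective.getPublicCredentials().size());
    }
}
```

If the output lists exactly one Principal and no credentials while the login module's commit() added more, the JAAS Subject did not reach the privileged execution, which is the gap the post is asking about.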