(noticed that my previous post on the same was somewhat garbled - reposting reformatted)

Hi,

I am playing around with the following things:
- X.509 authentication
- Security Manager enabled
- Custom JAAS login module via JAASRealm

My custom JAAS login module properly propagates a javax.security.auth.Subject instance back at commit(). My aim is to use this javax.security.auth.Subject as a basis for authorization checks - I expect org.apache.catalina.security.SecurityUtil to take this over.

Curiously, by the time it comes to org.apache.catalina.security.SecurityUtil.execute(...) applying Subject.doAsPrivileged, it is done with another javax.security.auth.Subject instance.

Having looked a bit into what is happening, I see the following:
- org.apache.catalina.security.SecurityUtil.execute(...) looks for a subject to be present in the session object with key Globals.SUBJECT_ATTR ("javax.security.auth.subject").
- If it is not present, it will create a new blank Subject containing only one Principal, which is extracted from the request's org.apache.catalina.connector.Request object (and store it in the session afterwards under Globals.SUBJECT_ATTR).
- org.apache.catalina.connector.Request's setUserPrincipal(Principal principal) sets the session object with key Globals.SUBJECT_ATTR to a newly initialized javax.security.auth.Subject with a single Principal.

Summary: to me it seems that the mechanism currently used to propagate the Subject to org.apache.catalina.security.SecurityUtil.execute(...) _always_ creates a new empty Subject and adds a single user principal into it.

Questions:
- Am I missing something about Subject propagation?
If not:
- Is this intentionally planned like this?
- Would it not make sense to allow Subjects to be propagated to SecurityUtil 1:1 from JAAS login modules, to be used as the Subject for privileged execution?

Btw, I am on 7.0.68, but it seems that the relevant pieces of code have not been changed by 7.0.75 - the most recent version I checked.

Thank you for any help upfront!

Regards,
Gabor
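As an added illustration (not code from the original post and not Tomcat's own code), the following standalone Java program shows the effect the post describes. A hypothetical JAAS login module (RolesLoginModule, with constructed UserPrincipal and RolePrincipal types) populates the Subject at commit() with a user principal plus role principals. The method rebuildFromUserPrincipal is a simplified stand-in for the behaviour the post attributes to SecurityUtil.execute(...) and Request.setUserPrincipal(...): a fresh Subject holding only the single user principal. An authorization check run under Subject.doAsPrivileged then sees only what the Subject it was given contains, so the role principals added by the login module are not available.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Constructed principal types for this example; Tomcat uses its own classes. */
abstract class NamedPrincipal implements Principal {
    private final String name;
    NamedPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o != null && o.getClass() == getClass() && ((NamedPrincipal) o).name.equals(name);
    }
    @Override public int hashCode() { return getClass().hashCode() ^ name.hashCode(); }
    @Override public String toString() { return getClass().getSimpleName() + "[" + name + "]"; }
}
final class UserPrincipal extends NamedPrincipal { UserPrincipal(String n) { super(n); } }
final class RolePrincipal extends NamedPrincipal { RolePrincipal(String n) { super(n); } }

/** Hypothetical login module: identity and roles are constructed here, not read from callbacks. */
class RolesLoginModule implements LoginModule {
    private Subject subject;
    private boolean loginSucceeded;
    private final Set<Principal> pending = new HashSet<>();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
    }
    public boolean login() throws LoginException {
        // Constructed identity; a real module would derive this from the client certificate.
        pending.add(new UserPrincipal("CN=gabor"));
        pending.add(new RolePrincipal("manager"));
        pending.add(new RolePrincipal("auditor"));
        loginSucceeded = true;
        return true;
    }
    public boolean commit() {
        if (!loginSucceeded) return false;
        // The fully populated Subject that the post would like to reach SecurityUtil 1:1.
        subject.getPrincipals().addAll(pending);
        return true;
    }
    public boolean abort() { pending.clear(); return true; }
    public boolean logout() { subject.getPrincipals().removeAll(pending); pending.clear(); return true; }
}

public class SubjectPropagationDemo {
    /** Simplified stand-in for the behaviour the post describes: a new Subject with one Principal. */
    static Subject rebuildFromUserPrincipal(Principal userPrincipal) {
        Subject rebuilt = new Subject();
        rebuilt.getPrincipals().add(userPrincipal);
        return rebuilt;
    }

    /** Authorization check based purely on the role principals carried by the Subject. */
    static boolean hasRole(Subject s, String role) {
        if (s == null) return false;
        return s.getPrincipals(RolePrincipal.class).stream().anyMatch(p -> p.getName().equals(role));
    }

    public static void main(String[] args) throws LoginException {
        Subject fromJaas = new Subject();
        LoginModule module = new RolesLoginModule();
        module.initialize(fromJaas, null, Map.of(), Map.of());
        module.login();
        module.commit();

        Principal user = fromJaas.getPrincipals(UserPrincipal.class).iterator().next();
        Subject rebuilt = rebuildFromUserPrincipal(user);

        System.out.println("JAAS subject principals:    " + fromJaas.getPrincipals());
        System.out.println("rebuilt subject principals: " + rebuilt.getPrincipals());
        System.out.println("manager role on JAAS subject:    " + hasRole(fromJaas, "manager"));
        System.out.println("manager role on rebuilt subject: " + hasRole(rebuilt, "manager"));

        // What a check inside doAsPrivileged observes depends only on the Subject handed in.
        PrivilegedAction<Boolean> check =
            () -> hasRole(Subject.getSubject(AccessController.getContext()), "manager");
        System.out.println("manager role inside doAsPrivileged(fromJaas): "
                + Subject.doAsPrivileged(fromJaas, check, null));
        System.out.println("manager role inside doAsPrivileged(rebuilt):  "
                + Subject.doAsPrivileged(rebuilt, check, null));
    }
}
```

Compile and run with a JDK that still ships the java.security.AccessController and Subject.getSubject(AccessControlContext) APIs (they are deprecated in recent Java releases). The run shows the JAAS-built Subject carrying the user and both role principals while the rebuilt Subject carries the user principal alone, so the same role check answers true under doAsPrivileged for the former and false for the latter; that gap is exactly why role data that a login module attaches at commit() cannot be relied on by code running under SecurityUtil if only a single-principal Subject is propagated.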