Hi, I am playing around with the following things: - X.509 authentication - Security Manager enabled - Custom JAAS login module via JAASRealm
My custom JAAS login module properly propagates a javax.security.auth.Subject instance at commit() back. My aim is to use this javax.security.auth.Subject as a basis for authorization checks - expect org.apache.catalina.security.SecurityUtil to take this over. Curiously, by the time it comes to org.apache.catalina.security.SecurityUtil.execute(...) applying Subject.doAsPrivileged, it is done with another javax.security.auth.Subject instance. Having looked a bit into it what is happening, I see the followings - org.apache.catalina.security.SecurityUtil.execute(...) looks for a subject to be present in the session object with key Globals.SUBJECT_ATTR ("javax.security.auth.subject"). - if it is not present, it will create a new blank Subject containing only one Principal, which is extracted from the request's org.apache.catalina.connector.Request object (and store it in the session afterwards under Globals.SUBJECT_ATTR) - org.apache.catalina.connector.Request's setUserPrincipal(Principal principal) sets the session object with key Globals.SUBJECT_ATTR to a newly initialized javax.security.auth.Subject with a single Principal. Summary: to me it seems that the mechanism currently used to propagate the Subject to org.apache.catalina.security.SecurityUtil.execute(...) _always_ creates a new empty Subject and adds a single user principal into it. Questions: - do I miss something about Subject propagation? If not: - is this intentionally planned like this? - would it not make sense to allow Subjects to be propagated to SecurityUtil 1:1 from JAAS Login modules to be used as the Subject for privileged execution? Btw, I am on 7.0.68, but seems that the relevant pieces of code has not been changed by 7.0.75 - most recent version checked. Thank you for any help upfront! Regards, Gabor --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org