Propagation of Subject with JAAS and SecurityManager enabled

Fri, 24 Feb 2017 10:52:13 -0800 

Hi,

I am playing around with the following things:
 - X.509 authentication
- Security Manager enabled
- Custom JAAS login module via JAASRealm

My custom JAAS login module properly propagates a javax.security.auth.Subject 
instance at commit() back. My aim is to use this javax.security.auth.Subject as 
a basis for authorization checks - expect 
org.apache.catalina.security.SecurityUtil to take this over.
Curiously, by the time it comes to 
org.apache.catalina.security.SecurityUtil.execute(...) applying 
Subject.doAsPrivileged, it is done with another javax.security.auth.Subject 
instance.

Having looked a bit into it what is happening, I see the followings
- org.apache.catalina.security.SecurityUtil.execute(...) looks for a subject to 
be present in the session object with key Globals.SUBJECT_ATTR 
("javax.security.auth.subject").
- if it is not present, it will create a new blank Subject containing only one 
Principal, which is extracted from the request's 
org.apache.catalina.connector.Request object (and store it in the session 
afterwards under Globals.SUBJECT_ATTR)
- org.apache.catalina.connector.Request's setUserPrincipal(Principal 
principal) sets the session object with key Globals.SUBJECT_ATTR to a newly 
initialized javax.security.auth.Subject with a single Principal. 

Summary: to me it seems that the mechanism currently used to propagate the 
Subject to org.apache.catalina.security.SecurityUtil.execute(...) _always_ 
creates a new empty Subject and adds a single user principal into it.

Questions:
- do I miss something about Subject propagation?
If not:
- is this intentionally planned like this?
- would it not make sense to allow Subjects to be propagated to SecurityUtil 
1:1 from JAAS Login modules to be used as the Subject for privileged execution?

Btw, I am on 7.0.68, but seems that the relevant pieces of code has not been 
changed by 7.0.75 - most recent version checked. 

Thank you for any help upfront!

Regards,
Gabor
 
 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to