We have an implementation of a J2EE servlet filter that we use in Tomcat that 
restricts connections based on either a list of trusted source IP addresses, 
or a secret header value, or a combination of both.
 
This servlet filter is currently used with perimeter authentication / 
authorization occurring in an Apache proxy that is enabled with a 3rd Party 
agent. When the agent allows the HTTP request through (to Tomcat or a J2EE 
application server), it adds HTTP request headers. One header is the 
authenticated user and the other is a list of comma-separated groups that the
authenticated user belongs to.
 
Our goal is to add code to this J2EE servlet filter to use these HTTP request
headers to create a JAAS subject from these headers so that applications using
the filter can then make use of the JAAS subject programmatically or via
declarative security (e.g., via <security-constraint>, annotations, etc.). Note
that we ideally would like to do all of this without implementing / defining a
JAAS LoginModule and CallbackHandler if at all possible. (The perimeter
authentication ensures that the user has already properly authenticated; the
trusted source IP and/or secret header ensures that the request came via the
Apache proxy where the 3rd Party agent is enabled.)

We have implemented similar code with Oracle's WebLogic Server using code 
something like this (most of this is WebLogic specific code):

 // Imports needed by the snippet below. The weblogic.* package names are as
 // used in WebLogic 9.x/10.x and are assumed here.
 import java.security.AccessController;
 import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.util.Iterator;
 import javax.security.auth.Subject;
 import javax.servlet.http.HttpServletRequest;
 import weblogic.security.acl.internal.AuthenticatedSubject;
 import weblogic.security.provider.PrincipalValidatorImpl;
 import weblogic.security.service.PrivilegedActions;
 import weblogic.servlet.security.ServletAuthentication;

 // Cached kernel identity; signing principals requires running as it.
 private Subject admin;

 public void doSetJAASSubject(final Subject subject,
           HttpServletRequest request) throws Exception
 {
   if (admin == null) {
     AuthenticatedSubject authAdmin = (AuthenticatedSubject)
         AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
     admin = authAdmin.getSubject();
   }
   // WebLogic only trusts principals that carry a valid signature, so sign
   // each principal in the subject while running as the kernel identity.
   weblogic.security.Security.runAs(admin,
     new PrivilegedAction()
     {
       public Object run()
       {
         PrincipalValidatorImpl validator = new PrincipalValidatorImpl();
         Iterator it = subject.getPrincipals().iterator();
         while (it.hasNext()) {
           Principal principal = (Principal)it.next();
           validator.sign(principal);
         }
         return null;
       }
     });
   // Associate the signed subject with the current request.
   ServletAuthentication.runAs(subject, request);
 }

So, the questions are: is it possible to do this in Tomcat? And if so, how
do we do it so that the JAAS subject is available programmatically, for use
with <security-constraint>, etc., without requiring lots of additional
configuration or any additional implementation from the development teams.
 
Thank you,

-- 
View this message in context: 
http://www.nabble.com/How-to-programmatically-set-the-JAAS-Subject-in-Tomcat-5.5-tp24698094p24698094.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
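For reference, this is the shape such a filter can take on Tomcat; it is an added example, not code from the post above or from Tomcat itself. It verifies the trusted-proxy path first (source IP and a constant-time secret-header check, rejecting rather than passing through when either fails so spoofed identity headers are never honoured), then wraps the request so getUserPrincipal()/isUserInRole() and a JAAS Subject (via Subject.doAs) are available to application code; it does not satisfy <security-constraint>, because Tomcat's authenticator valves run before the filter chain, so declarative security would still need a Valve or custom Authenticator. The header names, the IP allow-list and the secret value are assumptions.

```java
import java.io.IOException;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;

public class ProxyIdentityFilter implements Filter {
    // Assumed values; in practice load them from filter init-params.
    private static final Set<String> TRUSTED_IPS = new HashSet<String>(Arrays.asList("10.0.0.5"));
    private static final byte[] SECRET = "change-me".getBytes();
    private static final String USER_HDR = "X-Remote-User", GROUPS_HDR = "X-Remote-Groups";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, final ServletResponse res, final FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String secret = http.getHeader("X-Proxy-Secret");
        // Require both checks; MessageDigest.isEqual compares in constant time.
        boolean trusted = TRUSTED_IPS.contains(http.getRemoteAddr())
            && secret != null && MessageDigest.isEqual(SECRET, secret.getBytes());
        String user = http.getHeader(USER_HDR);
        if (!trusted || user == null || user.trim().length() == 0) {
            // Identity headers arriving over an untrusted path are never honoured.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        Set<String> roles = new HashSet<String>();
        String groups = http.getHeader(GROUPS_HDR);
        if (groups != null)
            for (String g : groups.split(",")) if (g.trim().length() > 0) roles.add(g.trim());
        final ProxyPrincipal p = new ProxyPrincipal(user.trim(), roles);
        final Subject subject = new Subject();
        subject.getPrincipals().add(p);
        // The wrapper makes the servlet API reflect the proxy-asserted identity.
        final HttpServletRequest wrapped = new HttpServletRequestWrapper(http) {
            @Override public Principal getUserPrincipal() { return p; }
            @Override public String getRemoteUser() { return p.getName(); }
            @Override public boolean isUserInRole(String r) { return p.roles.contains(r); }
        };
        try {  // run the chain as the Subject so Subject.getSubject(AccessController.getContext()) finds it
            Subject.doAs(subject, new PrivilegedExceptionAction<Object>() {
                public Object run() throws Exception { chain.doFilter(wrapped, res); return null; }
            });
        } catch (PrivilegedActionException e) { throw new ServletException(e.getException()); }
    }
    static final class ProxyPrincipal implements Principal {
        final String name; final Set<String> roles;
        ProxyPrincipal(String n, Set<String> r) { name = n; roles = Collections.unmodifiableSet(r); }
        public String getName() { return name; }
    }
}
```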

