DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39433>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=39433

           Summary: JAAS LoginModule handling ignores Principals and
                    Credentials added to the Subject
           Product: Tomcat 5
           Version: 5.5.15
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]


According to the JAAS API documentation, LoginModules are allowed to add
any number of Principal and Credential objects to the Subject passed to
the LoginModule. After all login modules commit successfully, all the
added information is available to the application, for example via:
AccessControlContext acc = AccessController.getContext();
Subject sub = Subject.getSubject(acc);
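What that JAAS contract permits, as an added illustration that is not part of this bug report or of Tomcat's code: a hypothetical DemoLoginModule that attaches one user Principal, two role Principals and a public credential to the Subject on commit, driven through a LoginContext with an in-memory Configuration. The account "alice"/"secret" and the "ticket-for-..." credential are constructed sample values; the code assumes Java 16 or newer.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Hypothetical module (not Tomcat code): commit() attaches one user Principal, two role Principals and a credential.
public class DemoLoginModule implements LoginModule {
    record NamedPrincipal(String kind, String name) implements Principal {
        public String getName() { return kind + ":" + name; }
    }
    private Subject subject; private CallbackHandler handler; private String user;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> o) { subject = s; handler = h; }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); } catch (Exception e) { throw new LoginException(e.toString()); }
        // Constructed sample account; a real module would consult a user store.
        if (!"alice".equals(nc.getName()) || !Arrays.equals("secret".toCharArray(), pc.getPassword()))
            throw new FailedLoginException("bad credentials");
        pc.clearPassword();
        user = nc.getName();
        return true;
    }
    public boolean commit() {
        subject.getPrincipals().add(new NamedPrincipal("user", user));
        subject.getPrincipals().add(new NamedPrincipal("role", "manager"));
        subject.getPrincipals().add(new NamedPrincipal("role", "employee"));
        subject.getPublicCredentials().add("ticket-for-" + user); // constructed placeholder credential
        return true;
    }
    public boolean abort() { user = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); subject.getPublicCredentials().clear(); return true; }
    // Drives the module through a LoginContext with an in-memory Configuration and prints what the Subject carries after commit.
    public static void main(String[] args) throws Exception {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
        CallbackHandler h = cbs -> { for (Callback c : cbs) {
            if (c instanceof NameCallback nc) nc.setName("alice");
            else if (c instanceof PasswordCallback pc) pc.setPassword("secret".toCharArray()); } };
        LoginContext lc = new LoginContext("demo", new Subject(), h, cfg); lc.login();
        // In plain JAAS all three Principals and the credential are present on the committed Subject.
        lc.getSubject().getPrincipals().forEach(p -> System.out.println("principal " + p.getName()));
        lc.getSubject().getPublicCredentials().forEach(c -> System.out.println("credential " + c));
    }
}
```

The same module run under Tomcat's JAASRealm is the case this report describes: the container keeps only the "user" Principal, so the role Principals and the credential never reach the application's Subject.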

If JAAS authentication is enabled in Tomcat (using JAASRealm), only the
"user" Principal is added to the Subject; further Principals that describe,
for instance, groups or roles, and any other security credentials, are
not available to the application.

The basic problem seems to be that the Subject passed to the LoginModule is
only used temporarily inside Catalina. It is at least not the same object
that is later added to the session.

The only workaround currently is to add all additional Principal and
Subject information to the "user" Principal returned to JAASRealm. This
can of course only be done if one writes one's own LoginModule. Login modules
provided by Java (such as NTLoginModule) cannot fully be used, since most of
the login information will not be available.

Furthermore, the Subject and its credentials are often also used to carry
security-related information between two containers, such as a web container
and an EJB container. A typical place to keep this information is the Subject
(and not the session).
