How does the user principal get set on the servlet container session?

2024-01-30 Thread Ryan Esch
>From what I understand, the container knows if a user is authenticated by 
>using the session id passed to it and then looking up the user principal. If 
>this is non-null, the user is authenticated. I am using web.xml with security 
>constraints and UsersRoleLoginModule defined in jaas.conf which is working 
>fine. I want to add an additional method of login.
How do I set the principal on the session in my custom login module? I have 
tried a number of things, including:

    HttpSession session = request.getSession();

    // Retrieve or create the Subject
    Subject subject = (Subject) session.getAttribute("javax.security.auth.subject");
    if (subject == null) {
        subject = new Subject();
        session.setAttribute("javax.security.auth.subject", subject);
    }
    subject.getPrincipals().size());

    Principal customPrincipal = new CustomPrincipal("Random Username");
    subject.getPrincipals().add(customPrincipal);

All my calls to request.getUserPrincipal() are null so of course my custom
login fails.

Alternatively/additionally, can I configure the container to also check for an
access token for authentication?

Thank you for any input or advice. I'd be happy to share additional details.

Ryan

Getting provider/properties from jaspic-providers.xml to my ServerAuthModule

2024-02-08 Thread Ryan Esch
I'm using Tomcat 9. I have a provider in jaspic-providers.xml:

I am not sure how to get these properties to my ServerAuthModule. I have a
ServletContextListener and can see that the jaspic-providers.xml file is being
processed if I call:

    AuthConfigFactory factory = AuthConfigFactory.getFactory();

It looks like I need to get the properties from the factory before calling:

    factory.registerConfigProvider(
        new SimpleAuthConfigProvider(props, factory),
        "HttpServlet", null,
        "test");

I can't figure out how to get the properties from the provider in the xml. If I
hardcode the properties before passing them into registerConfigProvider, the
ServerAuthModule functions correctly.

Thanks!


Tomcat 9: Java 11 to Java 17

2024-06-10 Thread Ryan Esch
Hi folks,

I have a webapp running Apache Tomcat 9.0.67 with Java 11, using JASPIC for
authentication. For reference, using these:

    org.apache.tomcat  tomcat-catalina  9.0.85
    org.apache.tomcat  catalina  6.0.53

This works.

I need to get this running with Java 17. I've updated my javax classes to
jakarta and my JASPIC dependencies to:

    org.apache.tomcat  tomcat-jaspic-api  11.0.0-M5
    org.apache.tomcat  tomcat-catalina  11.0.0-M5

These are built with Java 17. My webapp compiles and builds. But at runtime, I
get errors like this:

    java.lang.VerifyError: Bad type on operand stack
    Exception Details:
      Reason:
        Type 'org/apache/catalina/authenticator/jaspic/AuthConfigFactoryImpl' (current frame, stack[4]) is not assignable to 'jakarta/security/auth/message/config/AuthConfigFactory'

Specifically, this does not cause any issues:

    AuthConfigFactory factory = new AuthConfigFactoryImpl();

However, if I call any method on this factory, I see the above Error.

I can't seem to figure out the cause. I don't see any old javax AuthConfig
classes in the dependencies.

Anyone familiar with this?

Ryan