JaccAuthorizationRealm always returns false on subsequent requests
------------------------------------------------------------------

         Key: JBAS-1592
         URL: http://jira.jboss.com/jira/browse/JBAS-1592
     Project: JBoss Application Server
        Type: Bug
  Components: Security, Deployment Service
    Versions: JBossAS-4.0.2RC1, JBossAS-4.0.1 SP1
 Environment: Windows XP SP2, JDK 1.5.0
    Reporter: Stephen Kinser
    Priority: Critical


After the initial login, the JaccAuthorizationRealm always returns false 
because the PolicyContext handler for the Subject is not yet initialized when 
the realm is called. To figure out the root of the problem, an understanding of 
the calling order is necessary.

The standard pipeline is composed of the following valves, in this order:
 - JaccContextValve
 - FormAuthenticator (the authenticator valve in my case)
 - SecurityAssociationValve
 - CustomPrincipalValve
 - StandardContextValve

The SecurityAssociationValve is added to the pipeline after the authenticator 
valve due to the ordering of the code in the 
TomcatDeployer.performDeployInternal method. The SecurityAssociationValve is 
added after the init call to the server. The init call results in the 
authenticator valve being added to the pipeline.

When a request is received by an authenticated user, the authenticator valve 
obtains control before the SecurityAssociationValve. The authenticator valve 
calls the JaccAuthorizationRealm for the authorization check. Part of the 
check is as follows:

Subject caller = null;
try
{
   caller = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
}
catch (PolicyContextException e)
{
   if( trace )
      log.trace("Failed to get subject from PolicyContext", e);
}
if( caller == null ) //*** is always true!
{
   if( trace )
      log.trace("Denied, no active subject found in PolicyContext");
   return false;
}

The realm expects to have an initialized caller (Subject), but the caller is 
always null because it wasn't initialized yet since the 
SecurityAssociationValve that initializes the caller (Subject) doesn't receive 
control until after the authenticator valve is finished.
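The following stand-alone program is an added illustration, not code from the JBoss source or from this report. It reproduces the mechanism described above using only the JACC API: a PolicyContextHandler for the standard subject key is registered once, but it can only answer from per-thread handler data, so a realm check that runs before that data has been set (the order seen in the pipeline above) sees a null Subject and denies, while the same check after the data is set succeeds. The SubjectHandler class, the realmCheck method, the use of PolicyContext.setHandlerData as the stand-in for what the SecurityAssociationValve does, and the "CN=alice" principal are all assumptions made for the demo; the program needs the javax.security.jacc API jar on the classpath.

```java
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.PolicyContextHandler;

public class SubjectContextDemo {

    // Standard JACC key under which the container publishes the caller Subject.
    static final String SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container";

    // Demo handler (assumption): answers only from the per-thread handler data
    // that PolicyContext.setHandlerData supplies. Until some valve has set that
    // data on the current thread, there is nothing to return.
    static class SubjectHandler implements PolicyContextHandler {
        public boolean supports(String key) {
            return SUBJECT_CONTEXT_KEY.equals(key);
        }
        public String[] getKeys() {
            return new String[] { SUBJECT_CONTEXT_KEY };
        }
        public Object getContext(String key, Object data) {
            if (!supports(key)) {
                return null;
            }
            return (data instanceof Subject) ? data : null;
        }
    }

    // Mirrors the realm fragment quoted in the report: deny when no Subject
    // is available from the PolicyContext. Returns false on denial.
    static boolean realmCheck() {
        Subject caller = null;
        try {
            caller = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
        } catch (PolicyContextException e) {
            System.out.println("Failed to get subject from PolicyContext: " + e);
        }
        if (caller == null) {
            System.out.println("Denied, no active subject found in PolicyContext");
            return false;
        }
        Set<X500Principal> names = caller.getPrincipals(X500Principal.class);
        System.out.println("Subject present, role check can proceed for " + names);
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Container start-up: the handler is registered once per JVM.
        PolicyContext.registerHandler(SUBJECT_CONTEXT_KEY, new SubjectHandler(), true);

        // Request path in the order the report describes: the authenticator
        // valve (and therefore the realm) runs before any valve has associated
        // a Subject with the thread, so the check denies.
        System.out.println("realm before association: " + realmCheck());

        // Stand-in for the SecurityAssociationValve (assumption): associate a
        // constructed Subject with the current thread, then run the same check.
        Subject s = new Subject();
        s.getPrincipals().add(new X500Principal("CN=alice"));
        PolicyContext.setHandlerData(s);
        System.out.println("realm after association:  " + realmCheck());

        // Clear the thread-local data so it cannot leak into a later request.
        PolicyContext.setHandlerData(null);
    }
}
```

Run it with the JACC API on the classpath (for example javac -cp jacc-api.jar SubjectContextDemo.java, then java -cp .:jacc-api.jar SubjectContextDemo); the first call prints the denial, the second prints the principal. The point for a reviewer of the pipeline is that the realm's null check is not wrong in itself: what matters is that the valve which associates the Subject with the thread has to run before the valve that calls the realm, and the last line shows the clean-up a thread-bound association needs so that a pooled worker thread does not carry one request's Subject into the next.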

-- 
This message is automatically generated by JIRA.