[ 
https://issues.apache.org/jira/browse/JS2-238?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ate Douma reassigned JS2-238:
-----------------------------

    Assignee: Ate Douma

> Subject object is abandoned after the JAAS authentication
> ---------------------------------------------------------
>
>                 Key: JS2-238
>                 URL: https://issues.apache.org/jira/browse/JS2-238
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Security, SSO
>    Affects Versions: 2.0-M3
>         Environment: JetSpeed-2.0-M3-dev, JDK1.4.2_07, Windows XP SP2
>            Reporter: Jian Liao
>            Assignee: Ate Douma
>            Priority: Minor
>
> I want to add a customized JAAS LoginModule to implement single sign-on. So I
> found the JAAS configuration file, login.conf, and changed it like this:
> Jetspeed {
>    org.apache.jetspeed.security.impl.DefaultLoginModule required debug=true;
>    com.xxx.xxx.LoginModelImpl optional debug=true;
> };
> I debugged my LoginModuleImpl; everything is OK, I add my principal object and a
> credential object to the Subject object. But when I want to retrieve them
> back in the portlet, I only find the principal and credential created by
> DefaultLoginModule.
> Mine disappeared.
> So I looked through all the source code of J2. I found that the Subject object
> created by LoginContext is abandoned after the successful login. The first
> request after the login creates a new Subject object in the SecurityValve, but
> this Subject object is not created by LoginContext, but by UserManager. It is
> then put into the session. That is the reason I lost all my own principals and
> credentials.
> I think it is not a good idea to create a new Subject object after the
> login. It makes JAAS authentication meaningless. Why don't we just put the
> Subject object created by LoginContext into the session with the attribute
> "org.apache.jetspeed.security.subject", right after the login?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
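The failure mode described in the issue, as an added, self-contained example that is not Jetspeed code and does not use the Jetspeed API: a required module and an optional module populate one JAAS Subject through a LoginContext, exactly as the login.conf entry above chains them; a stand-in for the valve then rebuilds a fresh Subject from what the user store knows, and the optional module's principal is gone. Keeping the LoginContext's own Subject under the session attribute named in the report preserves it. All class names (SubjectRetentionDemo, PrimaryLoginModule, SsoLoginModule, UserPrincipal, SsoTokenPrincipal, DemoConfiguration) are hypothetical stand-ins, the session is a plain Map, and the code assumes Java 5 or later for the four-argument LoginContext constructor, which is newer than the JDK 1.4.2 named in the report.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Added example, not Jetspeed code. Shows why principals added by a second
 * JAAS LoginModule vanish when a portal replaces the LoginContext's Subject
 * with one rebuilt from its user store, and why keeping the original Subject
 * in the session avoids the loss. Every class name here is a hypothetical stand-in.
 */
public class SubjectRetentionDemo {

    /** Session attribute name quoted in the bug report. */
    static final String SUBJECT_ATTR = "org.apache.jetspeed.security.subject";

    /** Principal the user store knows about (stand-in for the portal's user principal). */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Principal only the SSO module can produce; the user store knows nothing about it. */
    public static final class SsoTokenPrincipal implements Principal {
        private final String token;
        public SsoTokenPrincipal(String token) { this.token = token; }
        public String getName() { return "sso-token:" + token; }
    }

    /** Stand-in for the required module (the role DefaultLoginModule plays in the report). */
    public static class PrimaryLoginModule implements LoginModule {
        private Subject subject;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; }
        public boolean login() { return true; }   // credential verification omitted in this demo
        public boolean commit() { subject.getPrincipals().add(new UserPrincipal("alice")); return true; }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Stand-in for the optional custom module (the role of com.xxx.xxx.LoginModelImpl in the report). */
    public static class SsoLoginModule implements LoginModule {
        private Subject subject;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; }
        public boolean login() { return true; }   // SSO token check omitted in this demo
        public boolean commit() { subject.getPrincipals().add(new SsoTokenPrincipal("constructed-demo-token")); return true; }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Programmatic equivalent of the "Jetspeed" login.conf entry from the report. */
    static final class DemoConfiguration extends Configuration {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"Jetspeed".equals(name)) return null;
            Map<String, String> opts = Collections.singletonMap("debug", "true");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(PrimaryLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, opts),
                new AppConfigurationEntry(SsoLoginModule.class.getName(), LoginModuleControlFlag.OPTIONAL, opts),
            };
        }
    }

    /** The lossy path the report describes: a fresh Subject holding only what the user store knows. */
    static Subject rebuildFromUserStore(Subject loginSubject) {
        Subject fresh = new Subject();
        fresh.getPrincipals().addAll(loginSubject.getPrincipals(UserPrincipal.class));
        return fresh;   // SsoTokenPrincipal is not copied: the store never knew about it
    }

    /** Check a portlet would make to see whether the SSO principal survived. */
    static boolean hasSsoToken(Subject s) {
        return !s.getPrincipals(SsoTokenPrincipal.class).isEmpty();
    }

    public static void main(String[] args) throws LoginException {
        // Both modules run against the same Subject, as in the report's login.conf.
        LoginContext ctx = new LoginContext("Jetspeed", new Subject(), null, new DemoConfiguration());
        ctx.login();
        Subject loginSubject = ctx.getSubject();

        Map<String, Object> session = new HashMap<String, Object>();   // stand-in for HttpSession

        // Behaviour the report complains about: the valve stores a rebuilt Subject.
        session.put(SUBJECT_ATTR, rebuildFromUserStore(loginSubject));
        System.out.println("rebuilt Subject keeps SSO principal: " + hasSsoToken((Subject) session.get(SUBJECT_ATTR)));

        // Fix the report proposes: store the LoginContext's Subject right after login.
        session.put(SUBJECT_ATTR, loginSubject);
        System.out.println("LoginContext Subject keeps SSO principal: " + hasSsoToken((Subject) session.get(SUBJECT_ATTR)));
    }
}
```

Run with `javac SubjectRetentionDemo.java && java SubjectRetentionDemo`. The first line reports false and the second true, which is the whole point of the report: any principal or credential that only a chained LoginModule can produce exists solely in the Subject the LoginContext populated, so a container that derives a replacement Subject from its own user store silently discards the work of every module it did not write.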
