[ 
https://issues.apache.org/jira/browse/JS2-238?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ate Douma updated JS2-238:
--------------------------

    Affects Version/s:     (was: 2.0-M3)
                       2.2
        Fix Version/s: 2.2

I've finally discovered a way to solve this issue with the new security api 
we're currently implementing for Jetspeed 2.2, at least on Tomcat.

The Tomcat JAASRealm implementation actually will use the Jetspeed 
provided user principal for request.getUserPrincipal().
As we already provide the UserSubjectPrincipal wrapper as user principal, 
getting hold of the Jetspeed provided subject is easy and so doesn't need to be 
loaded/created twice (on Tomcat).

I've extended the SecurityValveImpl to first check if the current 
request.getUserPrincipal() does implement UserSubjectPrincipal and then simply 
return its containing (Jetspeed) Subject.

And, if it doesn't (like maybe on other containers), a protected Subject 
resolveSubjectFromContainerPrincipal(RequestContext request, Principal 
userPrincipal) method will be called which can be
extended to provide an alternative way of getting hold of the 
UserSubjectPrincipal (if it exists and is possible), which currently simply 
returns null.

> Subject object is abandoned after the JAAS authentication
> ---------------------------------------------------------
>
>                 Key: JS2-238
>                 URL: https://issues.apache.org/jira/browse/JS2-238
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Security, SSO
>    Affects Versions: 2.2
>         Environment: JetSpeed-2.0-M3-dev, JDK1.4.2_07, Windows XP SP2
>            Reporter: Jian Liao
>            Assignee: Ate Douma
>            Priority: Minor
>             Fix For: 2.2
>
>
> I want to add a customized JAAS LoginModule to implement single sign-on. So I 
> found the JAAS configuration file, login.conf, change it like this:
> Jetspeed {
>    org.apache.jetspeed.security.impl.DefaultLoginModule required debug=true;
>    com.xxx.xxx.LoginModelImpl optional debug=true;
> };
> I debug my LoginModuleImpl, everything is ok, I add my principal object and a 
> credential object to the Subject object. But when I want to retrieve them 
> back in the portlet, I just found the principal and credential created by 
> DefaultLoginModule.
> Mine disappeared.
> So I look through all the source code of J2. I found that the Subject object 
> created by LoginContext is abandoned after the successful login. The first 
> request after the login will new a Subject object in the SecurityValve, but 
> this subject object is not created by LoginContext, but UserManager. Then put 
> it into session. That is the reason I lost all my own principal and 
> credential.
> I think that is not a good idea to create a new subject object after the 
> login. It makes JAAS authentication meaningless. Why don't we just put the 
> subject object created by LoginContext into session with the attribute 
> "org.apache.jetspeed.security.subject", right after the login. 
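The problem Jian Liao reports (principals added by a custom LoginModule vanish because the valve rebuilds the Subject from UserManager) and the fix Ate Douma describes (take the Subject back out of the UserSubjectPrincipal that the container returns as the user principal) as one added illustration. This is not Jetspeed code: the UserSubjectPrincipal interface shape, the SubjectPrincipal and SsoPrincipal classes, the SubjectResolver class and the fallback to the UserManager-built Subject when the hook returns null are all assumptions made for the example.

```java
import java.security.Principal;
import javax.security.auth.Subject;

// Assumed minimal shape of Jetspeed's UserSubjectPrincipal wrapper:
// a Principal that carries the Subject that LoginContext built.
interface UserSubjectPrincipal extends Principal {
    Subject getSubject();
}

// Hypothetical wrapper implementation (not Jetspeed code).
final class SubjectPrincipal implements UserSubjectPrincipal {
    private final String name;
    private final Subject subject;
    SubjectPrincipal(String name, Subject subject) { this.name = name; this.subject = subject; }
    public String getName() { return name; }
    public Subject getSubject() { return subject; }
}

// Hypothetical principal that a custom SSO LoginModule would add in commit().
final class SsoPrincipal implements Principal {
    private final String name;
    SsoPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

// Hypothetical valve logic mirroring the described fix.
class SubjectResolver {
    Subject resolveSubject(Principal containerPrincipal, Subject rebuiltByUserManager) {
        if (containerPrincipal instanceof UserSubjectPrincipal) {
            // Same Subject object LoginContext produced: custom principals survive.
            return ((UserSubjectPrincipal) containerPrincipal).getSubject();
        }
        Subject s = resolveSubjectFromContainerPrincipal(containerPrincipal);
        // Assumption: when the hook yields nothing, fall back to the old behaviour
        // (a Subject rebuilt by UserManager, which lacks the custom principals).
        return s != null ? s : rebuiltByUserManager;
    }
    // Hook for containers whose user principal is not the Jetspeed wrapper.
    protected Subject resolveSubjectFromContainerPrincipal(Principal p) { return null; }
}

public class SubjectResolutionDemo {
    public static void main(String[] args) {
        // Constructed: Subject after DefaultLoginModule plus a custom SSO module committed.
        Subject loginSubject = new Subject();
        loginSubject.getPrincipals().add(new SsoPrincipal("sso-session"));
        Principal fromContainer = new SubjectPrincipal("jian", loginSubject);
        // Constructed: Subject UserManager would rebuild from its store (no SsoPrincipal).
        Subject rebuilt = new Subject();
        SubjectResolver r = new SubjectResolver();
        Subject viaWrapper = r.resolveSubject(fromContainer, rebuilt);
        Subject viaFallback = r.resolveSubject(new SsoPrincipal("plain"), rebuilt);
        System.out.println("wrapper path keeps SSO principal: "
                + !viaWrapper.getPrincipals(SsoPrincipal.class).isEmpty());
        System.out.println("fallback path keeps SSO principal: "
                + !viaFallback.getPrincipals(SsoPrincipal.class).isEmpty());
    }
}
```

The second line of output shows the reported symptom: a container that does not hand back the wrapper still ends up with a Subject whose custom principals are gone, which is what the protected hook is meant to let other containers address.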

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

