Re: How does the user principal get set on the servlet container session?

On 01/02/2024 17:48, Ryanesch@yahoo wrote:
> On Feb 1, 2024, at 10:34 AM, Mark Thomas wrote:
>
>> On 31/01/2024 00:15, Ryan Esch wrote:
>>> From what I understand, the container knows if a user is authenticated
>>> by using the session id passed to it and then looking up the user
>>> principal. If this is non-null, the user is authenticated. I am using
>>> web.xml with security constraints and UsersRoleLoginModule defined in
>>> jaas.conf which is working fine. I want to add an additional method of
>>> login.
>>>
>>> How do I set the principal on the session in my custom login module?
>>
>> Is this a JAAS login module or something else?
>>
>>> I have tried a number of things, including:
>>>
>>>     HttpSession session = request.getSession();
>>>     // Retrieve or create the Subject
>>>     Subject subject = (Subject) session.getAttribute("javax.security.auth.subject");
>>>     if (subject == null) {
>>>         subject = new Subject();
>>>         session.setAttribute("javax.security.auth.subject", subject);
>>>     }
>>>     System.out.println(subject.getPrincipals().size()); // debug: principals present so far
>>>     Principal customPrincipal = new CustomPrincipal("Random Username");
>>>     subject.getPrincipals().add(customPrincipal);
>>>
>>> All my calls to request.getUserPrincipal() are null so of course my
>>> custom login fails.
>>>
>>> Alternatively/additionally, can I configure the container to also check
>>> for an access token for authentication?
>>>
>>> Thank you for any input or advice. I'd be happy to share additional
>>> details.
>>>
>>> Ryan
>>
>> Take a look at AuthenticatorBase.register()
>>
>> Mark
>
> Yes, this is jaas. I’ve realized that if I use jboss’ SimplePrincipal to
> create my principal, the user principal is finally set on the subject.
> However, when I use a custom principal, it is not set on the subject
> correctly. Even if I copy SimplePrincipal exactly or extend it. Note that
> “correctly” means that I get something returned from
> request.getUserPrincipal.
>
> There must be something behind the scenes that checks for exactly
> SimplePrincipal?

https://tomcat.apache.org/tomcat-11.0-doc/config/realm.html#JAAS_Realm_-_org.apache.catalina.realm.JAASRealm

Search for userClassNames. You may also need roleClassNames.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
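An added example, written for this page and not taken from the thread or from Tomcat, of what the pointer to userClassNames and roleClassNames means in practice: a JAAS LoginModule that verifies credentials in login() and puts a user principal and a role principal on the Subject in commit(), together with the jaas.conf entry and Realm element that tell JAASRealm which concrete classes those are. The package, class names, jaas.conf application name, user table and role name are all placeholders, and the credential check is a constructed in-memory stand-in for a real user store.

```java
package com.example.auth; // assumed package; the thread names none

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/*
 * Assumed configuration (placeholder names, not from the thread).
 * jaas.conf:
 *   Tomcat {
 *       com.example.auth.TokenLoginModule required;
 *   };
 * Realm in server.xml or context.xml. The names must be the exact concrete
 * classes instantiated in commit(): JAASRealm matches principals by class
 * name and ignores any class it was not told about.
 *   <Realm className="org.apache.catalina.realm.JAASRealm"
 *          appName="Tomcat"
 *          userClassNames="com.example.auth.UserPrincipal"
 *          roleClassNames="com.example.auth.RolePrincipal"/>
 */

/** Minimal Principal; equality includes the concrete class so users and roles never collide. */
abstract class NamedPrincipal implements Principal {
    private final String name;
    NamedPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o != null && o.getClass() == getClass() && ((NamedPrincipal) o).name.equals(name);
    }
    @Override public int hashCode() { return getClass().hashCode() ^ name.hashCode(); }
    @Override public String toString() { return getClass().getSimpleName() + "[" + name + "]"; }
}

final class UserPrincipal extends NamedPrincipal { UserPrincipal(String n) { super(n); } } // userClassNames
final class RolePrincipal extends NamedPrincipal { RolePrincipal(String n) { super(n); } } // roleClassNames

public class TokenLoginModule implements LoginModule {
    // Constructed stand-in for a user store; a real deployment verifies against its own backend.
    private static final Map<String, String> USERS = Map.of("alice", "demo-password");

    private Subject subject;
    private CallbackHandler handler;
    private String userName;
    private boolean loginOk;
    private UserPrincipal userPrincipal;
    private RolePrincipal rolePrincipal;

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        this.subject = s;
        this.handler = h;
    }

    /** Phase 1: obtain and verify credentials. The Subject is not touched here. */
    @Override public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username");
        PasswordCallback passCb = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb }); // Tomcat's JAASCallbackHandler answers both
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback handling failed: " + e.getMessage());
        }
        char[] supplied = passCb.getPassword();
        passCb.clearPassword();
        String expected = nameCb.getName() == null ? null : USERS.get(nameCb.getName());
        boolean match = supplied != null && expected != null
                && MessageDigest.isEqual(new String(supplied).getBytes(StandardCharsets.UTF_8),
                                         expected.getBytes(StandardCharsets.UTF_8));
        if (supplied != null) Arrays.fill(supplied, '\0'); // do not leave the secret in memory
        if (!match) throw new FailedLoginException("invalid credentials");
        userName = nameCb.getName();
        loginOk = true;
        return true;
    }

    /** Phase 2: principals go onto the Subject only now, for JAASRealm to read. */
    @Override public boolean commit() {
        if (!loginOk) return false;
        userPrincipal = new UserPrincipal(userName);
        rolePrincipal = new RolePrincipal("tomcat-user"); // constructed role name
        subject.getPrincipals().add(userPrincipal);
        subject.getPrincipals().add(rolePrincipal);
        return true;
    }

    @Override public boolean abort() { return loginOk && logout(); }

    @Override public boolean logout() {
        if (userPrincipal != null) subject.getPrincipals().remove(userPrincipal);
        if (rolePrincipal != null) subject.getPrincipals().remove(rolePrincipal);
        userName = null; userPrincipal = null; rolePrincipal = null;
        loginOk = false;
        return true;
    }
}
```

The session-attribute approach from the original question never reaches the container: Tomcat does not look for a Subject under "javax.security.auth.subject". The authenticator selected by the web.xml login-config drives the JAAS login, hands the Subject to JAASRealm, and AuthenticatorBase.register() is what stores the resulting principal on the request and on the Catalina session, which is what request.getUserPrincipal() later reports. A LoginModule's only job is to populate the Subject in commit(). Because JAASRealm compares the exact class name of each principal against userClassNames and roleClassNames, a principal of an unlisted class is skipped, and extending a listed class does not help unless the subclass itself is listed.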
Re: How does the user principal get set on the servlet container session?

> On Feb 1, 2024, at 10:34 AM, Mark Thomas wrote:
>
> On 31/01/2024 00:15, Ryan Esch wrote:
>> From what I understand, the container knows if a user is authenticated by
>> using the session id passed to it and then looking up the user principal. If
>> this is non-null, the user is authenticated. I am using web.xml with
>> security constraints and UsersRoleLoginModule defined in jaas.conf which is
>> working fine. I want to add an additional method of login.
>>
>> How do I set the principal on the session in my custom login module?
>
> Is this a JAAS login module or something else?
>
>> I have tried a number of things, including:
>>
>>     HttpSession session = request.getSession();
>>     // Retrieve or create the Subject
>>     Subject subject = (Subject) session.getAttribute("javax.security.auth.subject");
>>     if (subject == null) {
>>         subject = new Subject();
>>         session.setAttribute("javax.security.auth.subject", subject);
>>     }
>>     System.out.println(subject.getPrincipals().size()); // debug: principals present so far
>>     Principal customPrincipal = new CustomPrincipal("Random Username");
>>     subject.getPrincipals().add(customPrincipal);
>>
>> All my calls to request.getUserPrincipal() are null so of course my custom
>> login fails.
>>
>> Alternatively/additionally, can I configure the container to also check for
>> an access token for authentication?
>>
>> Thank you for any input or advice. I'd be happy to share additional
>> details.
>>
>> Ryan
>
> Take a look at AuthenticatorBase.register()
>
> Mark

Yes, this is jaas. I’ve realized that if I use jboss’ SimplePrincipal to
create my principal, the user principal is finally set on the subject.
However, when I use a custom principal, it is not set on the subject
correctly. Even if I copy SimplePrincipal exactly or extend it. Note that
“correctly” means that I get something returned from request.getUserPrincipal.

There must be something behind the scenes that checks for exactly
SimplePrincipal?
Re: How does the user principal get set on the servlet container session?

On 31/01/2024 00:15, Ryan Esch wrote:
> From what I understand, the container knows if a user is authenticated by
> using the session id passed to it and then looking up the user principal. If
> this is non-null, the user is authenticated. I am using web.xml with
> security constraints and UsersRoleLoginModule defined in jaas.conf which is
> working fine. I want to add an additional method of login.
>
> How do I set the principal on the session in my custom login module?

Is this a JAAS login module or something else?

> I have tried a number of things, including:
>
>     HttpSession session = request.getSession();
>     // Retrieve or create the Subject
>     Subject subject = (Subject) session.getAttribute("javax.security.auth.subject");
>     if (subject == null) {
>         subject = new Subject();
>         session.setAttribute("javax.security.auth.subject", subject);
>     }
>     System.out.println(subject.getPrincipals().size()); // debug: principals present so far
>     Principal customPrincipal = new CustomPrincipal("Random Username");
>     subject.getPrincipals().add(customPrincipal);
>
> All my calls to request.getUserPrincipal() are null so of course my custom
> login fails.
>
> Alternatively/additionally, can I configure the container to also check for
> an access token for authentication?
>
> Thank you for any input or advice. I'd be happy to share additional
> details.
>
> Ryan

Take a look at AuthenticatorBase.register()

Mark
Re: How does the user principal get set on the servlet container session?

What should happen if session.getAttribute("javax.security.auth.subject")
returns a non-null value?

-Terence Bandoian

On 1/30/2024 5:15 PM, Ryan Esch wrote:
> From what I understand, the container knows if a user is authenticated by
> using the session id passed to it and then looking up the user principal. If
> this is non-null, the user is authenticated. I am using web.xml with
> security constraints and UsersRoleLoginModule defined in jaas.conf which is
> working fine. I want to add an additional method of login.
>
> How do I set the principal on the session in my custom login module?
>
> I have tried a number of things, including:
>
>     HttpSession session = request.getSession();
>     // Retrieve or create the Subject
>     Subject subject = (Subject) session.getAttribute("javax.security.auth.subject");
>     if (subject == null) {
>         subject = new Subject();
>         session.setAttribute("javax.security.auth.subject", subject);
>     }
>     System.out.println(subject.getPrincipals().size()); // debug: principals present so far
>     Principal customPrincipal = new CustomPrincipal("Random Username");
>     subject.getPrincipals().add(customPrincipal);
>
> All my calls to request.getUserPrincipal() are null so of course my custom
> login fails.
>
> Alternatively/additionally, can I configure the container to also check for
> an access token for authentication?
>
> Thank you for any input or advice. I'd be happy to share additional
> details.
>
> Ryan