Re: How does the user principal get set on the servlet container session?

2024-02-01 Thread Mark Thomas




On 01/02/2024 17:48, Ryanesch@yahoo wrote:




On Feb 1, 2024, at 10:34 AM, Mark Thomas  wrote:

On 31/01/2024 00:15, Ryan Esch wrote:

 From what I understand, the container knows if a user is authenticated by 
using the session id passed to it and then looking up the user principal. If 
this is non-null, the user is authenticated. I am using web.xml with security 
constraints and UsersRoleLoginModule defined in jaas.conf which is working 
fine. I want to add an additional method of login.
How do I set the principal on the session in my custom login module?


Is this a JAAS login module or something else?


I have tried a number of things, including:

import java.security.Principal;
import javax.security.auth.Subject;
import javax.servlet.http.HttpSession; // jakarta.servlet.http.HttpSession on Tomcat 10+

HttpSession session = request.getSession();
// Retrieve or create the Subject
Subject subject = (Subject) session.getAttribute("javax.security.auth.subject");
if (subject == null) {
    subject = new Subject();
    session.setAttribute("javax.security.auth.subject", subject);
}
// Debug: how many principals the Subject already holds
System.out.println(subject.getPrincipals().size());

// Add the custom principal to the Subject
Principal customPrincipal = new CustomPrincipal("Random Username");
subject.getPrincipals().add(customPrincipal);

All my calls to request.getUserPrincipal() are null, so of course my custom login fails.

Alternatively/additionally, can I configure the container to also check for an access token for authentication?

Thank you for any input or advice. I'd be happy to share additional details.

Ryan


Take a look at AuthenticatorBase.register()

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Yes, this is jaas. I’ve realized that if I use jboss’ SimplePrincipal to create 
my principal, the user principal is finally set on the subject. However, when I 
use a custom principal, it is not set on the subject correctly. Even if I copy 
SimplePrincipal exactly or extend it. Note that “correctly” means that I get 
something returned from request.getUserPrincipal. There must be something 
behind the scenes that checks for exactly SimplePrincipal?


https://tomcat.apache.org/tomcat-11.0-doc/config/realm.html#JAAS_Realm_-_org.apache.catalina.realm.JAASRealm

Search for userClassNames. You may also need roleClassNames.

Mark

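The userClassNames point above, worked through as an added example (this is not code from the thread, from Tomcat or from JBoss): a JAAS LoginModule whose commit() places a user principal and a role principal in the Subject, alongside the JAASRealm configuration that names those two classes. As the realm documentation Mark links describes, JAASRealm picks the user principal out of the Subject by comparing each principal's class name against userClassNames (and collects roles from principals whose class is in roleClassNames), which is why a principal of an unlisted class never turns into request.getUserPrincipal(). The package com.example.auth, the class names, the JAAS entry name ApplicationLogin and the token store are assumptions made for illustration.

```java
package com.example.auth;

// Added example, not code from the thread, Tomcat or JBoss. Assumed configuration:
//
// conf/jaas.conf:
//   ApplicationLogin {
//       com.example.auth.TokenLoginModule sufficient;
//   };
//
// server.xml or META-INF/context.xml (without userClassNames the realm ignores the
// principal the module adds and getUserPrincipal() stays null):
//   <Realm className="org.apache.catalina.realm.JAASRealm"
//          appName="ApplicationLogin"
//          userClassNames="com.example.auth.UserPrincipal"
//          roleClassNames="com.example.auth.RolePrincipal"/>

import java.io.IOException;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// The realm matches principals by exact class name, so these two (top-level, so their
// names carry no '$') are precisely what userClassNames / roleClassNames must list.
final class UserPrincipal implements Principal, Serializable {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) { return o instanceof UserPrincipal u && u.name.equals(name); }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "UserPrincipal[" + name + "]"; }
}

final class RolePrincipal implements Principal, Serializable {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) { return o instanceof RolePrincipal r && r.name.equals(name); }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "RolePrincipal[" + name + "]"; }
}

public class TokenLoginModule implements LoginModule {

    // Constructed sample store: username -> opaque access token. A real module would
    // ask the token issuer (introspection endpoint, signature check, ...) instead.
    private static final Map<String, String> TOKENS = Map.of("alice", "tok-alice-1f9c");

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean loginOk;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        // JAASRealm's callback handler answers NameCallback / PasswordCallback with the
        // username and credential the authenticator received; the credential is treated
        // as the access token here.
        NameCallback nameCb = new NameCallback("username");
        PasswordCallback tokenCb = new PasswordCallback("token", false);
        try {
            handler.handle(new Callback[] { nameCb, tokenCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        char[] presented = tokenCb.getPassword();
        tokenCb.clearPassword();
        String expected = TOKENS.get(nameCb.getName());
        if (presented == null || expected == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                          new String(presented).getBytes(StandardCharsets.UTF_8))) {
            throw new FailedLoginException("invalid token for " + nameCb.getName());
        }
        user = nameCb.getName();
        loginOk = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!loginOk) {
            return false;
        }
        // The Subject, not an HttpSession attribute, is where the principal must go:
        // the realm reads it back out of the Subject once the LoginContext completes.
        subject.getPrincipals().add(new UserPrincipal(user));
        subject.getPrincipals().add(new RolePrincipal("user"));
        return true;
    }

    @Override
    public boolean abort() {
        loginOk = false;
        user = null;
        return true;
    }

    @Override
    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal || p instanceof RolePrincipal);
        loginOk = false;
        user = null;
        return true;
    }
}
```

The credential the module reads through the PasswordCallback is whatever the configured authenticator submitted (the form or BASIC password field), so accepting a token this way means the token has to arrive in that field. Setting a Subject as an HttpSession attribute, as in the snippet earlier in the thread, is never consulted by the realm; only the Subject the LoginContext hands it is.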



Re: How does the user principal get set on the servlet container session?

2024-02-01 Thread Ryanesch@yahoo


> 
> On Feb 1, 2024, at 10:34 AM, Mark Thomas  wrote:
> 
> On 31/01/2024 00:15, Ryan Esch wrote:
>> From what I understand, the container knows if a user is authenticated by 
>> using the session id passed to it and then looking up the user principal. If 
>> this is non-null, the user is authenticated. I am using web.xml with 
>> security constraints and UsersRoleLoginModule defined in jaas.conf which is 
>> working fine. I want to add an additional method of login.
>> How do I set the principal on the session in my custom login module?
> 
> Is this a JAAS login module or something else?
> 
>> I have tried a number of things, including:
>> 
>> import java.security.Principal;
>> import javax.security.auth.Subject;
>> import javax.servlet.http.HttpSession; // jakarta.servlet.http.HttpSession on Tomcat 10+
>> 
>> HttpSession session = request.getSession();
>> // Retrieve or create the Subject
>> Subject subject = (Subject) session.getAttribute("javax.security.auth.subject");
>> if (subject == null) {
>>     subject = new Subject();
>>     session.setAttribute("javax.security.auth.subject", subject);
>> }
>> // Debug: how many principals the Subject already holds
>> System.out.println(subject.getPrincipals().size());
>> 
>> // Add the custom principal to the Subject
>> Principal customPrincipal = new CustomPrincipal("Random Username");
>> subject.getPrincipals().add(customPrincipal);
>> 
>> All my calls to request.getUserPrincipal() are null, so of course my custom login fails.
>> 
>> Alternatively/additionally, can I configure the container to also check for an access token for authentication?
>> 
>> Thank you for any input or advice. I'd be happy to share additional details.
>> 
>> Ryan
> 
> Take a look at AuthenticatorBase.register()
> 
> Mark
> 
> 

Yes, this is jaas. I’ve realized that if I use jboss’ SimplePrincipal to create 
my principal, the user principal is finally set on the subject. However, when I 
use a custom principal, it is not set on the subject correctly. Even if I copy 
SimplePrincipal exactly or extend it. Note that “correctly” means that I get 
something returned from request.getUserPrincipal. There must be something 
behind the scenes that checks for exactly SimplePrincipal?




Re: How does the user principal get set on the servlet container session?

2024-02-01 Thread Mark Thomas

On 31/01/2024 00:15, Ryan Esch wrote:

 From what I understand, the container knows if a user is authenticated by 
using the session id passed to it and then looking up the user principal. If 
this is non-null, the user is authenticated. I am using web.xml with security 
constraints and UsersRoleLoginModule defined in jaas.conf which is working 
fine. I want to add an additional method of login.
How do I set the principal on the session in my custom login module?


Is this a JAAS login module or something else?


I have tried a number of things, including:

import java.security.Principal;
import javax.security.auth.Subject;
import javax.servlet.http.HttpSession; // jakarta.servlet.http.HttpSession on Tomcat 10+

HttpSession session = request.getSession();
// Retrieve or create the Subject
Subject subject = (Subject) session.getAttribute("javax.security.auth.subject");
if (subject == null) {
    subject = new Subject();
    session.setAttribute("javax.security.auth.subject", subject);
}
// Debug: how many principals the Subject already holds
System.out.println(subject.getPrincipals().size());

// Add the custom principal to the Subject
Principal customPrincipal = new CustomPrincipal("Random Username");
subject.getPrincipals().add(customPrincipal);

All my calls to request.getUserPrincipal() are null, so of course my custom login fails.

Alternatively/additionally, can I configure the container to also check for an access token for authentication?

Thank you for any input or advice. I'd be happy to share additional details.

Ryan


Take a look at AuthenticatorBase.register()

Mark

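Mark's pointer to AuthenticatorBase.register(), together with Ryan's question about checking an access token, as an added example (not code from the thread or from Tomcat): a custom Authenticator valve that reads Authorization: Bearer, verifies an HMAC-signed token and then calls register(), which attaches the Principal to the request (and to the session when one exists) the same way Tomcat's built-in authenticators do, so request.getUserPrincipal() and the web.xml security constraints see it. Assumed for illustration: Tomcat 11 (jakarta.servlet and the two-argument GenericPrincipal constructor), the package com.example.auth, the token layout user:expiryEpochSeconds:hexHmac, the secret attribute on the Valve element, and the choice to grant no roles from the token.

```java
package com.example.auth;

// Added example, not code from the thread or from Tomcat. Assumed META-INF/context.xml:
//   <Valve className="com.example.auth.BearerTokenAuthenticator" secret="change-me"/>

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Collections;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

import jakarta.servlet.http.HttpServletResponse;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.realm.GenericPrincipal;

public class BearerTokenAuthenticator extends AuthenticatorBase {

    private static final String AUTH_TYPE = "BEARER";
    private static final String BEARER_PREFIX = "Bearer ";
    private byte[] secret = new byte[0];

    // Tomcat's digester calls this for the secret="..." attribute on the <Valve> element.
    public void setSecret(String secret) {
        this.secret = secret.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    protected String getAuthMethod() {
        return AUTH_TYPE;
    }

    @Override
    protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException {
        // A principal already cached on the session (or supplied by SSO) wins.
        if (checkForCachedAuthentication(request, response, true)) {
            return true;
        }
        String header = request.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            return challenge(response);
        }
        Principal principal = verify(header.substring(BEARER_PREFIX.length()).trim());
        if (principal == null) {
            return challenge(response);
        }
        // The step the thread asks about: register() attaches the principal to the request
        // and, when a session exists, to the session, which is what getUserPrincipal() and
        // the security constraints read back.
        register(request, response, principal, AUTH_TYPE, principal.getName(), null);
        return true;
    }

    private boolean challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Bearer realm=\"" + context.getName() + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }

    // Checks the assumed token layout user:expiryEpochSeconds:hexHmac and returns the
    // authenticated Principal, or null if the token is malformed, expired or forged.
    Principal verify(String token) {
        if (secret.length == 0) {
            return null; // no key configured: refuse everything rather than accept anything
        }
        String[] parts = token.split(":", -1);
        if (parts.length != 3) {
            return null;
        }
        long expiry;
        byte[] presented;
        try {
            expiry = Long.parseLong(parts[1]);
            presented = HexFormat.of().parseHex(parts[2]);
        } catch (IllegalArgumentException e) { // NumberFormatException is a subclass
            return null;
        }
        if (expiry < System.currentTimeMillis() / 1000) {
            return null;
        }
        byte[] expected = hmac(parts[0] + ":" + parts[1]);
        if (!MessageDigest.isEqual(expected, presented)) { // constant-time comparison
            return null;
        }
        // Roles would come from the token issuer in a real deployment; none are granted here.
        return new GenericPrincipal(parts[0], Collections.emptyList());
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

A Valve that implements Authenticator, declared in META-INF/context.xml, is used in place of the authenticator Tomcat would otherwise pick from the web.xml login-config for that context, so this valve becomes the only login method there; combining it with the existing form or BASIC login needs the fallback to be written into doAuthenticate(). A token bound only by an HMAC over user and expiry can be replayed until it expires, so a real deployment would add an issuer-side revocation check.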



Re: How does the user principal get set on the servlet container session?

2024-01-30 Thread Terence M. Bandoian
What should happen if 
session.getAttribute("javax.security.auth.subject") returns a non-null 
value?


-Terence Bandoian

On 1/30/2024 5:15 PM, Ryan Esch wrote:

From what I understand, the container knows if a user is authenticated by 
using the session id passed to it and then looking up the user principal. If this 
is non-null, the user is authenticated. I am using web.xml with security 
constraints and UsersRoleLoginModule defined in jaas.conf which is working fine. I 
want to add an additional method of login.
How do I set the principal on the session in my custom login module? I have 
tried a number of things, including:

import java.security.Principal;
import javax.security.auth.Subject;
import javax.servlet.http.HttpSession; // jakarta.servlet.http.HttpSession on Tomcat 10+

HttpSession session = request.getSession();
// Retrieve or create the Subject
Subject subject = (Subject) session.getAttribute("javax.security.auth.subject");
if (subject == null) {
    subject = new Subject();
    session.setAttribute("javax.security.auth.subject", subject);
}
// Debug: how many principals the Subject already holds
System.out.println(subject.getPrincipals().size());

// Add the custom principal to the Subject
Principal customPrincipal = new CustomPrincipal("Random Username");
subject.getPrincipals().add(customPrincipal);

All my calls to request.getUserPrincipal() are null, so of course my custom login fails.

Alternatively/additionally, can I configure the container to also check for an access token for authentication?

Thank you for any input or advice. I'd be happy to share additional details.

Ryan