Two ways:
httpSession.getAttribute("javax.security.auth.subject")or
Subject.getSubject(AccessControl.getContext())
-- Jeanfrancois
Matt Harrison wrote:
Sorry for mis-reading your email
If anybody out there knows how to retrieve the Subject, Jean-Pierre and I would most appreciate it!
But, if, as I suspect, this is not part of the current servlet spec, and thus not part of Tomcat, can I make a request for this to be included next time round?
I work around this by concatenating all the information I require from the subject into the Principal's name in my JAAS login module, as a java.security.Principal object is available from the request object in Tomcat. But I guess this isn't an option for this problem.
Matt
-----Original Message-----
From: LERBSCHER Jean-Pierre [mailto:[EMAIL PROTECTED]
Sent: 20 July 2004 15:40
To: 'Tomcat Users List'
Subject: RE : how to access Subject after authentification
Thanks Matt !
My problem is that have to call EJB deployed in Weblogic application server
from servlet components. I use the weblogic api to propagate the security
information from tomcat to WLS. This api uses the subject! Thus it is
necessary that I can reach it.
-----Message d'origine-----
De : Matt Harrison [mailto:[EMAIL PROTECTED] Envoy� : mardi 20 juillet 2004 15:59
� : 'Tomcat Users List'
Objet : RE: how to access Subject after authentification
Hi
I had a similar question a while back and never really got it fully
resolved, but I found that Tomcat doesn't save the subject as a session
attribute.
However in your case you don't need to access the subject. In the web.xml
file for your app, you can define what roles have access to each resource
(jsp, servlet) and have your JAAS login module assign these roles to the
subject - i.e. container managed security.
e.g. add to web.xml (gives access to logins with role "user" to all of your
application):
<security-constraint> <web-resource-collection> <web-resource-name>myApplication</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>user</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>user</role-name> </security-role>
see the tomcat docs for more info
Matt
-----Original Message-----
From: LERBSCHER Jean-Pierre [mailto:[EMAIL PROTECTED]
Sent: 20 July 2004 14:42
To: '[EMAIL PROTECTED]'
Subject: how to access Subject after authentification
Hi,
I am using JAAS authentification module to authenticate user within tomcat
5.0.27.
After the authentification, I want to control access to resources (like ejb
deployed in weblogic application server).
To control access, I have to use weblogic api with the Subject instance
delivred by authentification to tomcat.
The problem is : how can I get the subject object.. I try
session.getAttribute( "javax.security.auth.subject" ); but it seems that I
can't access to this information !
Any ideas?
Thanks,
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
