What should happen if session.getAttribute("javax.security.auth.subject") returns a non-null value?

-Terence Bandoian

On 1/30/2024 5:15 PM, Ryan Esch wrote:
> From what I understand, the container knows if a user is authenticated by
> using the session id passed to it and then looking up the user principal. If this
> is non-null, the user is authenticated. I am using web.xml with security
> constraints and UsersRoleLoginModule defined in jaas.conf which is working fine. I
> want to add an additional method of login.
>
> How do I set the principal on the session in my custom login module? I have
> tried a number of things, including:
>
> HttpSession session = request.getSession();
>
> // Retrieve or create the Subject
> Subject subject = (Subject) session.getAttribute("javax.security.auth.subject");
> if (subject == null) {
>      subject = new Subject();
>      session.setAttribute("javax.security.auth.subject", subject);
> }
> subject.getPrincipals().size();
>
> Principal customPrincipal = new CustomPrincipal("Random Username");
> subject.getPrincipals().add(customPrincipal);
>
> All my calls to request.getUserPrincipal() are null so of course my custom login
> fails. Alternatively/additionally, can I configure the container to also check
> for an access token for authentication?
>
> Thank you for any input or advice. I'd be happy to share additional details.
>
> Ryan
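
For reference, an added example that is not part of the original thread: under the standard JAAS LoginModule contract the module never touches the request or session; it publishes principals in commit() on the Subject it was handed in initialize(). The class name TokenLoginModule and the "expectedToken" module option are hypothetical, and the sketch assumes the container drives the module through a JAAS LoginContext and is configured to recognise CustomPrincipal as a user principal.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class TokenLoginModule implements LoginModule {
    public static final class CustomPrincipal implements Principal {
        private final String name;
        public CustomPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    private Subject subject;            // supplied by whoever created the LoginContext
    private CallbackHandler handler;    // source of the user name and token
    private Map<String, ?> options;     // module options from the JAAS configuration
    private Principal pending;          // verified in login(), published in commit()

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler; this.options = options;
    }
    @Override public boolean login() throws LoginException {
        NameCallback user = new NameCallback("user: ");
        PasswordCallback token = new PasswordCallback("token: ", false);
        try {
            handler.handle(new Callback[] { user, token });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e);
        }
        // Assumption: "expectedToken" is a constructed stand-in for real token verification.
        Object expected = options.get("expectedToken");
        char[] given = token.getPassword();
        token.clearPassword();
        if (user.getName() == null || given == null || expected == null
                || !MessageDigest.isEqual(new String(given).getBytes(StandardCharsets.UTF_8),
                                          expected.toString().getBytes(StandardCharsets.UTF_8))) {
            throw new FailedLoginException("token rejected");
        }
        pending = new CustomPrincipal(user.getName());
        return true;
    }
    // Principals reach the Subject only here, once the overall login has succeeded.
    @Override public boolean commit() { if (pending != null) subject.getPrincipals().add(pending); return pending != null; }
    @Override public boolean abort() { boolean mine = pending != null; logout(); return mine; }
    @Override public boolean logout() { if (pending != null) subject.getPrincipals().remove(pending); pending = null; return true; }
}
```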
