Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2024/02/01 16:34:01 UTC
Re: How does the user principal get set on the servlet container session?
On 31/01/2024 00:15, Ryan Esch wrote:
> From what I understand, the container knows if a user is authenticated by using the session id passed to it and then looking up the user principal. If this is non-null, the user is authenticated. I am using web.xml with security constraints and UsersRoleLoginModule defined in jaas.conf which is working fine. I want to add an additional method of login.
> How do I set the principal on the session in my custom login module?
Is this a JAAS login module or something else?
> I have tried a number of things, including:
>
> // Assumes an HttpServletRequest named request; the types used are
> // javax.security.auth.Subject and java.security.Principal.
> HttpSession session = request.getSession();
>
> // Retrieve or create the Subject
> Subject subject = (Subject) session.getAttribute("javax.security.auth.subject");
> if (subject == null) {
>     subject = new Subject();
>     session.setAttribute("javax.security.auth.subject", subject);
> }
> System.out.println("principals so far: " + subject.getPrincipals().size());
>
> Principal customPrincipal = new CustomPrincipal("Random Username");
> subject.getPrincipals().add(customPrincipal);
>
> All my calls to request.getUserPrincipal() are null so of course my custom login fails. Alternatively/additionally, can I configure the container to also check for an access token for authentication?
> Thank you for any input or advice. I'd be happy to share additional details.
>
> Ryan
Take a look at AuthenticatorBase.register()
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
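As an added example (not code from this thread, and not Tomcat's own AuthenticatorBase code): the supported way for application code to get a Principal registered is HttpServletRequest.login(). In Tomcat that call runs the credentials through the configured Realm and, on success, goes down the same AuthenticatorBase.register() path Mark points at, which is why storing a Subject in an HttpSession attribute has no effect on getUserPrincipal(). The servlet assumes a Tomcat 10 or 11 deployment (jakarta.servlet packages) with a Realm and login-config already set up; the URL pattern and parameter names are arbitrary choices for the example.

```java
// Added example, not from the thread or from Tomcat's source.
// Assumes Tomcat 10+/11 (jakarta.servlet) with a Realm configured for the context.
// The URL pattern and parameter names below are arbitrary choices for the example.
package example.auth;

import java.io.IOException;
import java.security.Principal;

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@WebServlet("/login")
public class ProgrammaticLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "username and password required");
            return;
        }

        // Do not stack a second identity onto a request that is already authenticated;
        // the container would reject the login() call with a ServletException anyway.
        if (req.getUserPrincipal() != null) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "already authenticated");
            return;
        }

        try {
            // Credentials go to the configured Realm. On success the container's
            // authenticator registers the Principal on the request and its session;
            // nothing the application stores in HttpSession attributes has that effect.
            req.login(user, pass);
        } catch (ServletException e) {
            // Wrong credentials, or the configured auth method does not support login().
            // Log server-side; return a uniform 401 without echoing the reason.
            log("login() rejected credentials", e);
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Rotate the session id after the privilege change (session-fixation defence).
        // Tomcat's authenticator already does this by default
        // (changeSessionIdOnAuthentication); doing it explicitly keeps the servlet
        // correct on containers that do not.
        req.getSession(true);
        req.changeSessionId();

        Principal p = req.getUserPrincipal();   // non-null after a successful login()
        resp.setContentType("text/plain");
        resp.getWriter().println("authenticated as " + p.getName());
    }
}
```

The check for an existing Principal before login() matters beyond tidiness: a second login() on an authenticated request is an error in the Servlet API, and handling it up front avoids leaking a stack trace to the client.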
Re: How does the user principal get set on the servlet container session?
Posted by Mark Thomas <ma...@apache.org>.
On 01/02/2024 17:48, Ryanesch@yahoo wrote:
> Yes, this is jaas. I’ve realized that if I use jboss’ SimplePrincipal to create my principal, the user principal is finally set on the subject. However, when I use a custom principal, it is not set on the subject correctly. Even if I copy SimplePrincipal exactly or extend it. Note that “correctly” means that I get something returned from request.getUserPrincipal. There must be something behind the scenes that checks for exactly SimplePrincipal?
https://tomcat.apache.org/tomcat-11.0-doc/config/realm.html#JAAS_Realm_-_org.apache.catalina.realm.JAASRealm
Search for userClassNames. You may also need roleClassNames.
Mark
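As an added example (not from this thread, and not Tomcat's or JBoss's code) of what Mark's pointer to userClassNames means in practice: a JAAS LoginModule that puts a custom user Principal and role Principals on the Subject in commit(), together with the JAASRealm configuration that makes Tomcat recognise them. JAASRealm matches Principal class names against the configured lists, so a copy of SimplePrincipal in another package or a subclass of it carries a different class name and is ignored unless that name is listed. The package, class names, application name "MyApp" and the in-memory credential table are all invented for the example.

```java
// Added example, not from the thread or from Tomcat/JBoss. Everything named here
// (package, class names, appName "MyApp", the credential table) is invented.
//
// Realm wiring assumed in META-INF/context.xml (class names must match exactly):
//   <Realm className="org.apache.catalina.realm.JAASRealm" appName="MyApp"
//          userClassNames="example.auth.AppUserPrincipal"
//          roleClassNames="example.auth.AppRolePrincipal"/>
// and in jaas.conf:   MyApp { example.auth.AppLoginModule required; };
package example.auth;

import java.io.IOException;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** The user identity; JAASRealm selects it by this exact class name (userClassNames). */
final class AppUserPrincipal implements Principal, Serializable {
    private final String name;
    AppUserPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

/** One role; JAASRealm turns each of these into a role name (roleClassNames). */
final class AppRolePrincipal implements Principal, Serializable {
    private final String name;
    AppRolePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

public class AppLoginModule implements LoginModule {
    // Constructed in-memory credential table for the example only; a real module
    // would query a store and hold password hashes, never plaintext.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "correct horse");
    private static final Map<String, List<String>> ROLES = Map.of("alice", List.of("user", "admin"));

    private Subject subject;
    private CallbackHandler handler;
    private String username;
    private boolean succeeded;
    private final List<Principal> added = new ArrayList<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        // Tomcat's JAASRealm supplies a handler that answers Name and Password callbacks.
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback handling failed: " + e.getMessage());
        }
        String name = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        String expected = name == null ? null : PASSWORDS.get(name);
        byte[] given = pw == null ? new byte[0] : new String(pw).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison; unknown users fail the same way as wrong passwords.
        if (expected == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), given)) {
            throw new FailedLoginException("bad credentials");
        }
        username = name;
        succeeded = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!succeeded) return false;
        // Principals must be on the Subject by the time commit() returns: JAASRealm reads
        // subject.getPrincipals() afterwards to build the Principal the container registers.
        added.add(new AppUserPrincipal(username));
        for (String role : ROLES.getOrDefault(username, List.of())) {
            added.add(new AppRolePrincipal(role));
        }
        subject.getPrincipals().addAll(added);
        return true;
    }

    @Override public boolean abort() { cleanup(); return true; }
    @Override public boolean logout() { cleanup(); return true; }

    private void cleanup() {
        subject.getPrincipals().removeAll(added);
        added.clear();
        username = null;
        succeeded = false;
    }
}
```

Two things to check when this does not work: that the value in userClassNames is the fully qualified name of the class actually added in commit() (a subclass or relocated copy has a different name), and that the Principal classes are loadable by the web application since JAASRealm uses the context class loader by default.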
Re: How does the user principal get set on the servlet container session?
Posted by "Ryanesch@yahoo" <ry...@yahoo.com.INVALID>.
> On Feb 1, 2024, at 10:34 AM, Mark Thomas <ma...@apache.org> wrote:
>
> Take a look at AuthenticatorBase.register()
Yes, this is jaas. I’ve realized that if I use jboss’ SimplePrincipal to create my principal, the user principal is finally set on the subject. However, when I use a custom principal, it is not set on the subject correctly. Even if I copy SimplePrincipal exactly or extend it. Note that “correctly” means that I get something returned from request.getUserPrincipal. There must be something behind the scenes that checks for exactly SimplePrincipal?