Posted to users@tomcat.apache.org by Tim K <ti...@gmail.com> on 2019/01/17 12:46:40 UTC
javax.security.auth.subject within session
When I dump the session object of an authenticated (JNDIRealm) user on my
local dev environment versus my development server, for some reason
the javax.security.auth.subject shows up on the dev server but not my
local. I also spun up a Docker container with pretty much default Tomcat
config and javax.security.auth.subject doesn't show up in the session
object there either. My code is exactly the same in all envs. Is there
something within Tomcat configuration which would determine if
javax.security.auth.subject is added to the session object? I can't figure
out the difference why it's on one instance but not the other.
Re: javax.security.auth.subject within session
Posted by Mark Thomas <ma...@apache.org>.
On 17/01/2019 14:06, Tim K wrote:
> On Thu, Jan 17, 2019, 8:09 AM Mark Thomas <markt@apache.org> wrote:
>
>> On 17/01/2019 12:46, Tim K wrote:
>>> When I dump the session object of an authenticated (JNDIRealm) user on my
>>> local dev environment versus my development server, for some reason
>>> the javax.security.auth.subject shows up on the dev server but not my
>>> local. I also spun up a docker container with pretty much default tomcat
>>> config and javax.security.auth.subject doesn't show up in the session
>>> object there either. My code is exactly the same in all envs, is there
>>> something within tomcat configuration which would determine if
>>> javax.security.auth.subject is added to the session object? I can't figure
>>> out the difference why it's on one instance but not the other.
>>
>> At a guess, the development server is running under a SecurityManager
>> whereas the other environments are not.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> Thank you! You are correct; I had disabled security locally because the
> eclipse paths were much different than the servers so I just disabled it to
> get it running locally. I presume this value in the session for the
> javax.security.auth.subject is consistent as long as security is enabled?
Yes, see:
https://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?view=annotate#l1941
Mark
Re: javax.security.auth.subject within session
Posted by Tim K <ti...@gmail.com>.
On Thu, Jan 17, 2019, 8:09 AM Mark Thomas <markt@apache.org> wrote:
> On 17/01/2019 12:46, Tim K wrote:
> > When I dump the session object of an authenticated (JNDIRealm) user on my
> > local dev environment versus my development server, for some reason
> > the javax.security.auth.subject shows up on the dev server but not my
> > local. I also spun up a docker container with pretty much default tomcat
> > config and javax.security.auth.subject doesn't show up in the session
> > object there either. My code is exactly the same in all envs, is there
> > something within tomcat configuration which would determine if
> > javax.security.auth.subject is added to the session object? I can't figure
> > out the difference why it's on one instance but not the other.
>
> At a guess, the development server is running under a SecurityManager
> whereas the other environments are not.
>
> Mark
>
Thank you! You are correct; I had disabled security locally because the
Eclipse paths were much different than the servers so I just disabled it to
get it running locally. I presume this value in the session for the
javax.security.auth.subject is consistent as long as security is enabled?
Re: javax.security.auth.subject within session
Posted by Mark Thomas <ma...@apache.org>.
On 17/01/2019 12:46, Tim K wrote:
> When I dump the session object of an authenticated (JNDIRealm) user on my
> local dev environment versus my development server, for some reason
> the javax.security.auth.subject shows up on the dev server but not my
> local. I also spun up a docker container with pretty much default tomcat
> config and javax.security.auth.subject doesn't show up in the session
> object there either. My code is exactly the same in all envs, is there
> something within tomcat configuration which would determine if
> javax.security.auth.subject is added to the session object? I can't figure
> out the difference why it's on one instance but not the other.
At a guess, the development server is running under a SecurityManager
whereas the other environments are not.
Mark
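
The check discussed in this thread, written as a diagnostic servlet filter. This is an added example, not code from Tomcat or from either poster; the class name and log wording are hypothetical, and it assumes the javax.servlet API of a 2019-era Tomcat. It logs whether a SecurityManager is active next to whether the session carries the attribute, and shows request.getUserPrincipal() as the identity source that does not depend on that setting.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical diagnostic filter: the name is illustrative, not a Tomcat class.
public class SubjectAttributeProbeFilter implements Filter {
    // Session attribute name as it appears in the thread.
    static final String SUBJECT_ATTR = "javax.security.auth.subject";
    private static final Logger LOG =
            Logger.getLogger(SubjectAttributeProbeFilter.class.getName());

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Portable identity: populated by the container's Realm (JNDIRealm in
        // the thread) whether or not a SecurityManager is installed.
        Principal user = http.getUserPrincipal();
        HttpSession session = http.getSession(false); // never create a session here
        if (user != null && session != null) {
            boolean underSecurityManager = System.getSecurityManager() != null;
            Object attr = session.getAttribute(SUBJECT_ATTR);
            LOG.info("user=" + user.getName()
                    + " securityManager=" + underSecurityManager
                    + " subjectInSession=" + (attr != null));
            if (attr instanceof Subject) {
                // Log only the principal count; the Subject may hold credentials.
                int n = ((Subject) attr).getPrincipals().size();
                LOG.fine("session Subject carries " + n + " principal(s)");
            }
        }
        chain.doFilter(req, res);
    }
}
```

Application code that needs the caller's identity in every environment should read it from getUserPrincipal() rather than from the session attribute, since the attribute's presence follows the SecurityManager setting described above.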