Posted to jetspeed-dev@portals.apache.org by "Ate Douma (JIRA)" <je...@portals.apache.org> on 2008/09/26 00:49:46 UTC

[jira] Resolved: (JS2-238) Subject object is abandoned after the JAAS authentication

     [ https://issues.apache.org/jira/browse/JS2-238?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ate Douma resolved JS2-238.
---------------------------

    Resolution: Fixed

Works at least for Tomcat and we now have extension points available to (potentially) support other containers as well.

Note: this feature is currently still under the security_refactoring branch but that will soon be promoted to trunk again. 

> Subject object is abandoned after the JAAS authentication
> ---------------------------------------------------------
>
>                 Key: JS2-238
>                 URL: https://issues.apache.org/jira/browse/JS2-238
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Security, SSO
>    Affects Versions: 2.2
>         Environment: JetSpeed-2.0-M3-dev, JDK1.4.2_07, Windows XP SP2
>            Reporter: Jian Liao
>            Assignee: Ate Douma
>            Priority: Minor
>             Fix For: 2.2
>
>
> I want to add a customized JAAS LoginModule to implement single sign-on. So I found the JAAS configuration file, login.conf, and changed it like this:
> Jetspeed {
>    org.apache.jetspeed.security.impl.DefaultLoginModule required debug=true;
>    com.xxx.xxx.LoginModelImpl optional debug=true;
> };
> I debugged my LoginModuleImpl, and everything is ok: I add my principal object and a credential object to the Subject object. But when I want to retrieve them back in the portlet, I just find the principal and credential created by DefaultLoginModule.
> Mine disappeared.
> So I looked through all the source code of J2. I found that the Subject object created by LoginContext is abandoned after the successful login. The first request after the login creates a new Subject object in the SecurityValve, but this Subject object is not created by LoginContext but by UserManager. It is then put into the session. That is the reason I lost all my own principals and credentials.
> I think it is not a good idea to create a new Subject object after the login. It makes JAAS authentication meaningless. Why don't we just put the Subject object created by LoginContext into the session with the attribute "org.apache.jetspeed.security.subject", right after the login?
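As an added illustration of the behaviour described above (example code, not Jetspeed's or the reporter's): two stub LoginModules are stacked as in the quoted login.conf entry and run through a LoginContext with a programmatic Configuration; the Subject returned by LoginContext.getSubject() carries both modules' principals, while a Subject rebuilt from a user store, as the reported SecurityValve path does, carries only the default one. All class names, principal names and the user store are hypothetical.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
// Added example, not Jetspeed code. Each stub module adds one Principal in commit().
public class SubjectLossDemo {
    abstract static class StubModule implements javax.security.auth.spi.LoginModule {
        Subject subject;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; }
        public boolean login() { return true; }  // credential checks elided; hypothetical module
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    // Stands in for org.apache.jetspeed.security.impl.DefaultLoginModule ("required").
    public static class DefaultModule extends StubModule {
        public boolean commit() { subject.getPrincipals().add(() -> "user:alice"); return true; }
    }
    // Stands in for the reporter's custom SSO module ("optional"); adds the principal that gets lost.
    public static class SsoModule extends StubModule {
        public boolean commit() { subject.getPrincipals().add(() -> "sso-ticket:alice"); return true; }
    }
    // Programmatic equivalent of the "Jetspeed { ... }" login.conf entry.
    static Configuration jaasConfig() {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, ?> none = Collections.emptyMap();
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(DefaultModule.class.getName(), LoginModuleControlFlag.REQUIRED, none),
                    new AppConfigurationEntry(SsoModule.class.getName(), LoginModuleControlFlag.OPTIONAL, none) };
            }
        };
    }
    // The reported bug's path: a fresh Subject built from a (hypothetical) user store, not the authenticated one.
    static Subject rebuildFromUserStore(String userName) {
        Subject fresh = new Subject();
        fresh.getPrincipals().add(() -> "user:" + userName);
        return fresh;
    }
    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("Jetspeed", null, null, jaasConfig());
        lc.login();
        Subject authenticated = lc.getSubject();  // this is the Subject that belongs in the session
        Subject rebuilt = rebuildFromUserStore("alice");
        System.out.println("authenticated: " + authenticated.getPrincipals().size() + " principals, rebuilt: " + rebuilt.getPrincipals().size());
    }
}
```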
