Obtaining JAAS subject in a servlet.

G'day,
There are problems in Java with getting the JAAS subject, as the standard Subject.getSubject() call can return null if called within a privileged action:
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

Subject s = Subject.getSubject(AccessController.getContext());
Subject.doAs(s, new PrivilegedAction() {
  public Object run() {
    Subject s1 = Subject.getSubject(AccessController.getContext());
    AccessController.doPrivileged(new PrivilegedAction() {
      public Object run() {
        Subject s2 = Subject.getSubject(AccessController.getContext());
        return null;
      }
    });
    return null;
  }
});
Here, s2 may be null, which is why other app servers have custom approaches (such as JBoss and its SecurityAssociation.getSubject() call).
Is there a similar API for Netweaver AS Java for obtaining the JAAS subject? Or can the JAAS subject be obtained always using the standard Java API?
Edit: I put the above code into a servlet protected by BasicLoginModule, and all three subject objects (s, s1, and s2) were null. I thought that at least 's' would be non-null, but apparently not.
--Geoff
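As an added illustration (this is not code from Geoff's post or from SAP), the stand-alone Java program below builds a Subject in-process, with no login module, and runs the same three lookups as the snippet above, then shows the two standard ways of keeping the Subject visible inside a privileged call: AccessController.doPrivilegedWithCombiner (Java 6 and later) and passing a captured AccessControlContext to doPrivileged. The principal name is a constructed value, and the program uses AccessController and Subject.getSubject, which newer JDKs mark as deprecated but still execute.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.HashSet;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

/**
 * Why Subject.getSubject() returns null inside AccessController.doPrivileged(),
 * and how to keep the Subject on the AccessControlContext. Constructed example:
 * the Subject is assembled directly instead of coming from a LoginContext.
 */
public class SubjectVisibility {

    /** The standard, container-independent lookup from the forum snippet. */
    static Subject currentSubject() {
        return Subject.getSubject(AccessController.getContext());
    }

    public static void main(String[] args) {
        Subject s = new Subject(false,
                Collections.singleton(new X500Principal("CN=geoff")), // constructed principal
                new HashSet<>(), new HashSet<>());

        Subject.doAs(s, (PrivilegedAction<Void>) () -> {
            // s1: ordinary frame inside doAs. The SubjectDomainCombiner that doAs
            // installed is on the context, so the Subject is found.
            System.out.println("s1 inside doAs:                " + currentSubject());

            // s2: doPrivileged(action) starts a fresh privileged context and, as the
            // javadoc states, ignores any DomainCombiner of the current context.
            // The Subject is therefore not found here.
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                System.out.println("s2 inside doPrivileged:        " + currentSubject());
                return null;
            });

            // s3: Java 6+ fix. doPrivilegedWithCombiner keeps the current combiner,
            // so the Subject survives the privileged boundary.
            AccessController.doPrivilegedWithCombiner((PrivilegedAction<Void>) () -> {
                System.out.println("s3 doPrivilegedWithCombiner:   " + currentSubject());
                return null;
            });

            // s4: pre-Java-6 alternative. Capture the context that carries the
            // combiner and hand it to doPrivileged; the combiner of the supplied
            // context is applied when the new context is built.
            AccessControlContext acc = AccessController.getContext();
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                System.out.println("s4 doPrivileged with context:  " + currentSubject());
                return null;
            }, acc);
            return null;
        });
    }
}
```

Run as a plain main program, s1, s3 and s4 carry the Subject while s2 is null. The servlet observation in the post (even s is null) is a different case: it means the container is not running the request inside Subject.doAs at all, so no call pattern within the servlet can recover a Subject that was never attached to the thread's context, and a container API (or an application-managed Subject, for instance kept in the session) is required.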

G'day,
Thanks for the link to the JAAS login module section of the SAP Library documentation.
I have already written a custom JAAS login module (which populates a subject with principals and their credentials), but I am looking for the Netweaver equivalent of JBoss's SecurityAssociation.getSubject() that can be called from any code. I did not find anything suitable while searching through the SAP Library documentation.
However, I did stumble upon an API that might be useful:
Object object = com.sap.security.core.InternalUMFactory.getEngineResourceHelper();
if (object != null && object instanceof com.sap.security.core.IEngineResourceHelper) {
  com.sap.security.core.IEngineResourceHelper helper =
      (com.sap.security.core.IEngineResourceHelper) object;
  Subject subject = helper.getCurrentSubject();
}
The class name InternalUMFactory suggests that this API may be undocumented or unstable.
If I have a servlet protected by the BasicLoginModule, and I authenticate to the servlet using a username/password, then the subject returned is a principal with the correct username, and with password credentials.
If the servlet is not protected by a login module, then the subject returned is "Guest".
If I put the servlet as an iView within a portal, then the subject returned is "Guest", even though the portal is protected by a login module and authentication is required. I thought here that the Subject for the portal would be propagated to the servlets running in that portal, but maybe my understanding is wrong.
--Geoff

Similar Messages

  • Obtaining the JAAS subject in a portal application?

    G'day,
    Is there a safe method for obtaining the JAAS subject in a portal application?
    There are problems in Java with getting the JAAS subject, as the standard Subject.getSubject() call can return null if called within a privileged action:
    import java.security.AccessController;
    import java.security.PrivilegedAction;
    import javax.security.auth.Subject;

    Subject s = Subject.getSubject(AccessController.getContext());
    Subject.doAs(s, new PrivilegedAction() {
      public Object run() {
        Subject s1 = Subject.getSubject(AccessController.getContext());
        AccessController.doPrivileged(new PrivilegedAction() {
          public Object run() {
            Subject s2 = Subject.getSubject(AccessController.getContext());
            return null;
          }
        });
        return null;
      }
    });
    Here, s2 may be null, which is why other app servers have custom approaches (such as JBoss and its SecurityAssociation.getSubject() call).
    In fact, when I try the above code in a portal application (protected by the login module used to access the portal), I get NULL value for each subject s, s1, and s2.
    I have found a Netweaver API that may be useful for obtaining the subject:
    Object object = com.sap.security.core.InternalUMFactory.getEngineResourceHelper();
    if (object != null && object instanceof com.sap.security.core.IEngineResourceHelper) {
      com.sap.security.core.IEngineResourceHelper helper =
          (com.sap.security.core.IEngineResourceHelper) object;
      Subject subject = helper.getCurrentSubject();
    }
    A portal application containing this code will display the following:
    Subject: Principal: tu-1_basic Principal: com.sap.security.api.logon.AuthSchemePrincipal@19b07b7 Private Credential: GSSCredential: name: [email protected] usage: INITIATE_AND_ACCEPT for mechs: 1.2.840.113554.1.2.2 usage:INITIATE_ONLY 1.2.840.113554.1.2.2.3 usage:INITIATE_AND_ACCEPT underlying Kerberos creds: TGT remaining lifetime = 594 Private Credential: com.sap.security.core.server.jaas.SAPLogonTicketCredential@6a527bdd
    However, the class name InternalUMFactory suggests that this API may be undocumented or unstable.
    Is there a documented API in Netweaver AS Java for obtaining the JAAS subject?
    --Geoff

    Hi,
    We can use the following API to get the current role:
    IWDNavigationHelperService wdNavHelperService =
        (IWDNavigationHelperService) WDPortalUtils.getService(IWDNavigationHelperService.KEY);
    String navNode = wdNavHelperService.getCurrentNavNode();
    Regards,
    Ganpati

  • JAAS: How can I access the JAAS subject in an EJB?

    Hello,
    I try to understand the JAAS integration in J2EE 1.3.
    I know:
    J2EE defines a role-based container managed authorization for the web and ejb container. Roles, users and their relationship are defined in the realm.
    JAAS has a more sophisticated policy-based authorisation model. Since J2EE1.3 I can define a realm using JAAS having the role-based authorization of the container managed security.
    My question:
    How can I access the JAAS subject object in an EJB or servlet to use the policy-based authorization?
    Thank you for your answers
    Peter

    May be I should redefine my question:
    If I use JAAS as J2EE-Realm, how can I receive the subject?
    All JAAS-Tutorials contains code fragments like
    LoginContext lc = new LoginContext("entryFoo");
    try {
        // authenticate the Subject
        lc.login();
        System.out.println("authentication successful");
        // get the authenticated Subject
        Subject subject = lc.getSubject();
    } catch (LoginException e) {
        System.err.println("authentication failed: " + e);
    }
    But if I use JAAS as J2EE-Realm the container creates the LoginContext.
    Whom can I ask for the subject now?
    There is no such method implemented in the EJBContext, the HttpServlet or HttpServletRequest!
    Peter

  • Error while creating JAAS subject credentials

    Hello,
    I have a client program that runs in a separate JVM accessing a server (on a different JVM of course). A user name and password are given as inputs to the client program. One of our testers has found out that any user name containing the "@" character seems to mess up the JAAS authentication. For example, as user names,
    sunil.com will work.
    [email protected] will not
    sunil@xyz will not.
    On the client side, I get a
    "nested exception is: org.omg.CORBA.UNKNOWN: vmcid: SUN minor code: 202 completed: Maybe" error and on the server side I see the following
    SEVERE: IOP5035: Error while creating a JAAS subject credential.
    com.sun.enterprise.iiop.security.SecurityMechanismException: Unknown realm
    at com.sun.enterprise.iiop.security.GSSUPToken.<init>(GSSUPToken.java:222)
    at com.sun.enterprise.iiop.security.SecServerRequestInterceptor.createAuthCred(SecServerRequestInterceptor.java:387)
    at com.sun.enterprise.iiop.security.SecServerRequestInterceptor.receive_request(SecServerRequestInterceptor.java:562)
    at com.sun.corba.ee.internal.Interceptors.InterceptorInvoker.invokeServerInterceptorIntermediatePoint(InterceptorInvoker.java:479)
    at com.sun.corba.ee.internal.Interceptors.PIORB.invokeServerPIIntermediatePoint(PIORB.java:810)
    at com.sun.corba.ee.internal.POA.GenericPOAServerSC.internalDispatch(GenericPOAServerSC.java:207)
    at com.sun.corba.ee.internal.POA.GenericPOAServerSC.dispatch(GenericPOAServerSC.java:113)
    at com.sun.corba.ee.internal.iiop.ORB.process(ORB.java:275)
    at com.sun.corba.ee.internal.iiop.RequestProcessor.process(RequestProcessor.java:83)
    at com.iplanet.ias.corba.ee.internal.iiop.ServicableWrapper.service(ServicableWrapper.java:25)
    at com.iplanet.ias.util.threadpool.FastThreadPool$ThreadPoolThread.run(FastThreadPool.java:283)
    at java.lang.Thread.run(Thread.java:536)
    Does any one know if this is expected?

    I'm not using AS.
    I have full permission on the file.
    It's not a non-English environment.
    So I feel it doesn't resemble.
    My environment is on 11.1.0.6.0 and that note applies to Version: 10.1.3.0.0 to 10.1.3.1.0
    Regards,
    S.K.
    Edited by: Santosh Kumar on Oct 7, 2009 4:25 PM

  • Loading LDAP groups into WLS JAAS Subject

    Hi,
    I have a 10.1.4.3 OAM webgate+OHS setup to protect weblogic 10.3.2 as described ('1st best option') in this blog below.
    http://fusionsecurity.blogspot.com/2010/01/integrating-oracle-access-manager-oam.html
    In the weblogic security realm, I have the OAM Identity Asserter (REQUIRED), OID Authentication Provider (SUFFICIENT), Default Authenticator (SUFFICIENT), Default Identity Asserter configured in that order.
    A simple JSP app with CLIENT-CERT is deployed to the WLS. After the user is authenticated at OHS Webgate, the OAM Identity Asserter is correctly asserting the user (and the obSSOCookie) as can be seen from the logs. The JSP app is getting a valid (non-anonymous) JAAS Subject with a single JAAS principal (of the user).
    But I 'm not sure it is loading the LDAP groups correctly using the OID provider. Are the LDAP groups supposed to be loaded as principals into the JAAS Subject? The user is part of many LDAP groups but only one principal (user itself) is in the JAAS Subject. Are there any additional steps to 'pair' the OAM Identity Asserter with the OID authentication provider as described in the above blog?
    I'm using weblogic.security.Security.getCurrentSubject() to get the Subject and subject.getPrincipals() to get the principals in the JSP app.
    Thanks.

    Like I said in my post, subject.getPrincipals() has only one entry, the user id. The LDAP groups aren't in the Set returned. I'm wondering how to debug this or fix it. I'm wondering if I need to re-associate the domain policy store with LDAP as described here before the LDAP groups will be loaded into the subject.
    http://download.oracle.com/docs/cd/E14571_01/core.1111/e10043/cfgauthr.htm#CHDIIJDB

  • Obtaining a Subjects username and password from a servlet

    Ok probably an easy one for people out there. I don't even know if it is
    possible.
    I have a servlet that has BASIC authentication going on (lets say it's using
    WebLogic 7.0 default security realm). From the servlet I need to explicitly
    obtain the user's username AND password. I have no problem retrieving the
    principal it's the password I can't get a hold of. I've tried all sorts of
    things like:
    javax.security.auth.Subject subject =
    weblogic.security.Security.getCurrentSubject(); and then trying to get the
    private credentials. No luck though.
    Any ideas? Is it possible?
    Mich

    Thanks for the response Neil.
    I need the password because my servlet is accessing a secure Web service.
    When connecting to the Web service I need to provide the username and
    password of the user (these are passed in String format) and I don't want to
    have the user provide username and password again when accessing the
    external Web service. So really I need to access the WLS security realm
    (where my servlet is executing) to obtain the current user's username and
    password. Will the default credential mapper in WLS give me the username
    and password in text format...from the limited documentation I have read it
    doesn't appear to. Is this correct?
    Mich
    "Neil Smithline" <[email protected]> wrote in message
    news:[email protected]..
    The password is not stored in the Subject. We do this to reduce the
    risk of the password being snooped from WLS's memory. If you wish you
    could write a LoginModule that puts the password in the private
    credentials and then creates an authentication provider that uses that
    LoginModule and make it part of the current realm.
    In general there is no way to get the password from within WLS. The
    passwords are stored in a salted one-way hashed format that is not
    reverse decryptable except via exhaustive search.
    Why do you need the password? If it is for a remote access can you use
    the credential mapper?
    - Neil
    Michel Crichton wrote:
    Ok probably an easy one for people out there. I don't even know if it is
    possible.
    I have a servlet that has BASIC authentication going on (lets say it's using
    WebLogic 7.0 default security realm). From the servlet I need to explicitly
    obtain the user's username AND password. I have no problem retrieving the
    principal it's the password I can't get a hold of. I've tried all sorts of
    things like:
    javax.security.auth.Subject subject =
    weblogic.security.Security.getCurrentSubject(); and then trying to get the
    private credentials. No luck though.
    Any ideas? Is it possible?
    Mich

  • JAAS Subject with stale principals

    I'm trying to figure out how to use JAAS and so far I have a more or less clear understanding of the authentication part. But I have some difficulty with the authorization part. Here is what I don't understand. Upon successful user authentication, a Subject is created and populated with principals that represent different aspects of the user. Those principals can be the user's roles (admin, document editor, document viewer, etc.) or they can be groups that the user is a member of (admins, backup operators, etc.) This information is somehow obtained by the login module right after authentication and used for determining the user's permissions from then on. But what happens if the user's group membership or the set of his or her roles changes after authentication? If the principal information comes from, say, an LDAP directory, then such changes will only be seen after the user logs out and logs back in, which is when the LDAP login module can do all the necessary searches to populate the Subject with principals.
    What concerns me is that, if the Subject's principals aren't always up to date, there is risk that the user may have more privileges than what the system administrator thinks they do. Or is this how other security mechanisms work and therefore there is nothing to worry about?
    Thanks.


  • JAAS, Subject and credentials

    Hi,
    I have to write a security framework for my J2EE application and it has to be
    portable between appservers. I'm thinking about using JAAS and programmatic security.
    I've written a LoginModule that does user authentication and loads all user credentials.
    These credentials are app specific classes like WindowPermission.
    How can I have access to these credentials from a servlet/EJB? Is there a way
    to get the Subject and not just the Principal from a servlet/EJB?
    Thanks,
    Leonardo

    Hi,
    That's what I think too. I guess the only way to get the credentials is to
    use a weblogic specific class that allows you to login an user from a servlet/jsp.
    It does return the Subject instead of a principal, so you can get the credentials...
    seems like we'd need to change the J2EE api to further integrate JAAS with it.
    Well... back to handling security on my own :\
    Regards,
    Leonardo Bueno
    "Utpal" <[email protected]> wrote:
    I think EJBContext.getCallerPrincipal() and
    HttpServletRequest.getRemoteUser() are the only method
    to get the principal. I don't think subject can be accessed in the
    EJB/Servlet using standard APIs.
    -utpal
    "Leonardo Bueno" <[email protected]> wrote in message
    news:3ef74da0$[email protected]..
    Hi,
    I have to write a security framework for my J2EE application and it has to
    be
    portable between appservers. I'm thinking about using JAAS and programmatic security.
    I've written a LoginModule that does user authentication and loads all user
    credentials.
    These credentials are app specific classes like WindowPermission.
    How can I have access to these credentials from a servlet/EJB? Is there a
    way
    to get the Subject and not just the Principal from a servlet/EJB?
    Thanks,
    Leonardo
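    As an added example that is not part of either thread (it is not WebLogic code and not Leonardo's module), the program below shows the pattern Neil describes in the "Obtaining a Subjects username and password" thread and the one Leonardo asks about here: a LoginModule that puts application-specific objects (a constructed WindowPermission class standing in for Leonardo's) into the Subject's private credentials, and the typed lookup Subject.getPrivateCredentials(Class) that a servlet or EJB uses once it holds the Subject. The user table, the module name "demo" and the in-memory Configuration are constructed so the program runs without a jaas.conf file. Note the cost of this pattern that Neil mentions: anything placed in private credentials lives in heap memory for the life of the Subject, so the module below wipes the password characters as soon as they have been compared and stores only the derived permissions.

    ```java
    import java.io.IOException;
    import java.security.Principal;
    import java.util.Arrays;
    import java.util.Collections;
    import java.util.HashMap;
    import java.util.Map;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.*;
    import javax.security.auth.login.*;
    import javax.security.auth.spi.LoginModule;

    public class CredentialDemo {

        /** Constructed stand-in for an app-specific credential such as WindowPermission. */
        public static final class WindowPermission {
            public final String window;
            public WindowPermission(String window) { this.window = window; }
            @Override public String toString() { return "WindowPermission(" + window + ")"; }
        }

        public static final class UserPrincipal implements Principal {
            private final String name;
            public UserPrincipal(String name) { this.name = name; }
            @Override public String getName() { return name; }
            @Override public String toString() { return "UserPrincipal(" + name + ")"; }
        }

        /** Constructed login module: a fixed in-memory user table replaces a real store. */
        public static final class DemoLoginModule implements LoginModule {
            private static final Map<String, char[]> USERS = new HashMap<>();
            static { USERS.put("leonardo", "s3cret".toCharArray()); } // constructed user

            private Subject subject;
            private CallbackHandler handler;
            private String user;
            private boolean succeeded;

            public void initialize(Subject subject, CallbackHandler handler,
                                   Map<String, ?> sharedState, Map<String, ?> options) {
                this.subject = subject;
                this.handler = handler;
            }

            public boolean login() throws LoginException {
                NameCallback nc = new NameCallback("user: ");
                PasswordCallback pc = new PasswordCallback("password: ", false);
                try {
                    handler.handle(new Callback[] { nc, pc });
                } catch (IOException | UnsupportedCallbackException e) {
                    throw new LoginException("callback failed: " + e);
                }
                char[] expected = USERS.get(nc.getName());
                char[] given = pc.getPassword();
                pc.clearPassword();
                succeeded = expected != null && given != null && Arrays.equals(expected, given);
                if (given != null) Arrays.fill(given, '\0'); // do not keep the password around
                if (!succeeded) throw new FailedLoginException("bad user or password");
                user = nc.getName();
                return true;
            }

            public boolean commit() {
                if (!succeeded) return false;
                // Principals say who the user is; private credentials carry what they may do.
                subject.getPrincipals().add(new UserPrincipal(user));
                subject.getPrivateCredentials().add(new WindowPermission("orders"));
                subject.getPrivateCredentials().add(new WindowPermission("reports"));
                return true;
            }

            public boolean abort() { succeeded = false; return true; }

            public boolean logout() {
                subject.getPrincipals().clear();
                subject.getPrivateCredentials().clear();
                return true;
            }
        }

        /** What a servlet or EJB does once it has the Subject: query the typed credentials. */
        static boolean mayOpen(Subject subject, String window) {
            for (WindowPermission p : subject.getPrivateCredentials(WindowPermission.class)) {
                if (p.window.equals(window)) return true;
            }
            return false;
        }

        public static void main(String[] args) throws LoginException {
            // In-memory Configuration so no jaas.conf file is needed.
            Configuration cfg = new Configuration() {
                @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                    return new AppConfigurationEntry[] { new AppConfigurationEntry(
                            DemoLoginModule.class.getName(),
                            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                            Collections.<String, Object>emptyMap()) };
                }
            };
            CallbackHandler ch = callbacks -> {
                for (Callback c : callbacks) {
                    if (c instanceof NameCallback) ((NameCallback) c).setName("leonardo");
                    else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
                }
            };
            LoginContext lc = new LoginContext("demo", null, ch, cfg);
            lc.login();
            Subject subject = lc.getSubject();
            System.out.println(subject.getPrincipals());
            System.out.println("orders: " + mayOpen(subject, "orders") + ", admin: " + mayOpen(subject, "admin"));
            lc.logout();
        }
    }
    ```

    The part that is portable is everything above the main method: the module and the typed lookup depend only on javax.security.auth. What is not portable, and what both threads turn on, is how the Subject reaches the servlet or EJB; in a container that does not run requests under Subject.doAs, the application has to hand it along itself.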

  • Subject.getSubject in servlet container

    Hi All,
    Interested if the following code will produce a Subject that was authenticated by a JAAS module.
    This code is to be executed in the servlet container after the LoginModule.login() was done and number of subsequent requests to the secured web/ejb resources.
    AccessControlContext context = AccessController.getContext();
    return Subject.getSubject(context);
    The reason for this question is a LoginContext.logout API. I will need a subject to logout with.
    From what I read on JAAS and security implementation in different containers, they all have a way of getting to the current request Subject, but all of the ways are proprietary as they require a call to the app server specific API. I would like to have a portable application and would like not to create factories and facades to hide the proprietary APIs from end user. The above code is the only one I know in JDK that will achieve that goal but I haven't tested it in any servlet/ejb container yet.
    I can always pop a Subject into an HttpSession after a login, but I don't know if that is the correct usage pattern or Subject.getSubject should be used or app server specific api should be used.
    It seems that all of the articles that talk about JAAS are dealing with a stand-alone clients accessing EJBs, and none go into a detailed analysis of JAAS in a web application or discuss usage patterns for web apps.
    Thanks
    Dmitry

    Hi,
    the issue you are facing will probably be discussed in the next version of the Servlet spec. As of now, getting the Subject from the AccessControlContext is one possibility (PE 8.0 does it), but other containers may not do it.
    In Tomcat and PE, you can retrieve the Subject using the HttpSession key: javax.security.auth.subject.
    Still, this will not be portable. So adding your own key is probably the way to go if you look for portability.
    Thanks
    -- Jeanfrancois
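    The portable route Jeanfrancois suggests, as an added example that is not from either post and not a container's own code: the application keeps the Subject (and the LoginContext that Dmitry needs for logout) in the HttpSession under keys it chooses itself, and a servlet filter runs every request inside Subject.doAs, so downstream code can keep using the standard Subject.getSubject(AccessController.getContext()) call no matter which container it is deployed in. The key names, the javax.servlet package (Servlet 2.5/3.x; newer containers use jakarta.servlet) and the class name SubjectFilter are assumptions; register the filter in web.xml or with @WebFilter for the URL patterns that need a Subject.

    ```java
    import java.io.IOException;
    import java.security.AccessController;
    import java.security.PrivilegedActionException;
    import java.security.PrivilegedExceptionAction;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import javax.servlet.*;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;

    /**
     * Container-independent "current Subject" for a web application. The app's own
     * login code calls bind() after LoginContext.login(); this filter then wraps each
     * request in Subject.doAs, and current() works anywhere below the filter.
     */
    public class SubjectFilter implements Filter {
        // Assumed, application-chosen session keys (not the container's javax.security.auth.subject).
        public static final String APP_SUBJECT_KEY = "com.example.app.SUBJECT";
        public static final String APP_LOGIN_CONTEXT_KEY = "com.example.app.LOGIN_CONTEXT";

        public void init(FilterConfig cfg) {}
        public void destroy() {}

        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            HttpSession session = ((HttpServletRequest) req).getSession(false);
            Subject subject = session == null ? null : (Subject) session.getAttribute(APP_SUBJECT_KEY);
            if (subject == null) {
                chain.doFilter(req, resp);   // not logged in: run with no Subject at all
                return;
            }
            try {
                // Installs a SubjectDomainCombiner on the AccessControlContext for the
                // rest of the chain, exactly as a container that supports it would.
                Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
                    chain.doFilter(req, resp);
                    return null;
                });
            } catch (PrivilegedActionException e) {
                Throwable cause = e.getException();
                if (cause instanceof IOException) throw (IOException) cause;
                if (cause instanceof ServletException) throw (ServletException) cause;
                throw new ServletException(cause);
            }
        }

        /** Called by the app's login servlet after a successful LoginContext.login(). */
        public static void bind(HttpServletRequest req, LoginContext lc) {
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();   // fresh session id once the user is authenticated
            HttpSession session = req.getSession(true);
            session.setAttribute(APP_SUBJECT_KEY, lc.getSubject());
            session.setAttribute(APP_LOGIN_CONTEXT_KEY, lc);
        }

        /** Standard JDK lookup; works anywhere the filter has run. */
        public static Subject current() {
            return Subject.getSubject(AccessController.getContext());
        }

        /** LoginContext.logout() needs the LoginContext (and its Subject) kept at login time. */
        public static void logout(HttpServletRequest req) throws LoginException {
            HttpSession session = req.getSession(false);
            if (session == null) return;
            LoginContext lc = (LoginContext) session.getAttribute(APP_LOGIN_CONTEXT_KEY);
            try {
                if (lc != null) lc.logout();     // lets the LoginModule clear principals and credentials
            } finally {
                session.invalidate();           // and drop the session even if logout() throws
            }
        }
    }
    ```

    Two caveats follow from the design. A Subject held in the session is application state, so it is only as fresh as the login that produced it (the "stale principals" concern in the other thread applies), and LoginContext is not Serializable, so the logout half of this pattern does not survive session replication across a cluster; a cluster-safe variant would re-create the LoginContext from the Subject on the node that handles the logout. Code that calls AccessController.doPrivileged below the filter still loses the Subject unless it uses doPrivilegedWithCombiner, for the reason shown in the first thread.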

  • Propagating JAAS Subject for startup classes

    Do startup classes have to login before they can access secured
    resources in WLS 6.0? I notice that WLS 6.0 asks for a password before
    starting the server. Is the "subject" created by that login somehow
    propagated to startup class threads (and their thread offspring) or does
    this have to be done manually?
    I want to try to set up startup classes using a security style similar
    to the Unix init process. It starts up as root and then starts its
    services/daemons using something like:
    su - foo-user foo-daemon
    The foo-daemon runs as foo-user and, in Unix, so does every process
    forked by the foo-daemon. I would like to use a parallel approach in
    WLS. Can it be done?
    Thanks,
    Tim Taylor


  • How to get both JDNI context and JAAS Subject with EJB

    I looked at the JAAS docs and sample, but I'm still confused about
    something. There is a sample of JAAS in a regular, non-EJB scenario. The
    client initializes the LoginContext, calls login(), then retrieves the
    Subject (and possibly later does something with Subject.doAs()). However, in
    the typical EJB scenario, the client initializes the JNDI context, then does
    the lookup on the bean name (which implicitly does the authentication to the
    container). How do they work together, thought? I.e., what does the client
    code look like if JAAS authentication is to be used from an EJB client?
    Thank you!

    In your login module you have to authenticate the user to the Weblogic Server as
    well. For simplicity, Weblogic comes with a class weblogic.security.auth.Authenticate
    to login a subject with Weblogic Server.
    Once logged in, any thread that is invoked within the context of a Subject.doAs
    call gets that subject associated with it.
    Hope that helps
    "Allan" <dfusdfsdfsd> wrote:
    I looked at the JAAS docs and sample, but I'm still confused about
    something. There is a sample of JAAS in a regular, non-EJB scenario.
    The
    client initializes the LoginContext, calls login(), then retrieves the
    Subject (and possibly later does something with Subject.doAs()). However,
    in
    the typical EJB scenario, the client initializes the JNDI context, then
    does
    the lookup on the bean name (which implicitly does the authentication
    to the
    container). How do they work together, thought? I.e., what does the client
    code look like if JAAS authentication is to be used from an EJB client?
    Thank you!

  • The weblogic.security.Security.runAs() and JAAS Subject

    Let say that I have Java client with some JAAS code that authenticates
    the user. The LoginContext generates a Subject containing the Principal
    name of the authenticated user, but also some private credentials that
    makes the Subject secure.
    Now I want to call an EJB on WLS.
    Having JNDI (EJB) code inside a PrivilegedAction and using the
    weblogic.security.Security.runAs() method, I assume that the Subject is
    sent over the wire with the EJB call. If not, please correct me.
    Question is: How does WLS authenticate this call? What modules are
    called? IdentityAsserter? LoginModule? Is the Subject simply assumed
    "valid"? Any documentation describing how this is done?
    /Bo

    Hi,
    Problem is solved, we also got security exception when we tried to call MBeans.For this to work we have to set
    -Dweblogic.disableMBeanAuthorization=true in weblogic startup script so that our application can access MBeans.
    Thanks
    girish

  • How to obtain the Subject from the current context ?

    I'm working on a SSO project and everything is fine with getting the Principal from a HttpServletRequest object or from an EJB's SessionContext. But, I have some business logic that is not necessarily behind a SLSB (as a façade pattern) and I don't want to propagate the Principal reference from Presentation to the Business Layer. That's why, I would like to know if OC4J has some sort of utility to get the current authenticated Subject.
    Thanks for your help
    Miguel A. Onofre R.

    Hi,
    is it possible to obtain the current ApplicationModule from an EntityImpl?
    No. But you can get to the root ApplicationModule that holds the DBTransaction object from
    getDBTransaction().getRootApplicationModule() - new in JDev 903.

  • How do I get the JAAS Subject for an authenticated user?

    Hi
    I searched through the site, but didn't find anything useful.
    I came across many instances of using the javax.security.auth.login.LoginContext
    to get the Subject, but am not sure how to get a handle for it, after the login process is completed and the user is authenticated.
    RG.

    WLS has a static method for returning the javax.security.auth.Subject :
    http://e-docs.bea.com/wls/docs81/javadocs/weblogic/security/Security.html#getCurrentSubject()

  • Principal(s) present in a Subject not propagated to EJBs

    We are a team of students developing a J2EE web application and want to provide for security using JAAS and a combination of programmatic and declarative security.
    Development Environment:
    Sun Java System Application Server 1.4
    J2EE 1.4, J2SE 1.4.2, Eclipse 2.1, Struts 1.1, MySQL
    We have developed a custom LoginModule (along the lines of the article http://www.javaworld.com/javaworld/jw-09-2002/jw-0913-jaas.html)
    User Id and password are taken from a jsp page and authenticated using passwords in a MySQL db.
    After authentication, a Subject object (javax.security.auth.Subject) containing appropriate principals (com.sun.enterprise.deployment.PrincipalImpl) is put into the user session.
    Declarative security (roles, role references, principal mappings, method permissions) is defined for EJBs in the ejb-jar.xml, sun-ejb-jar.xml, application.xml and sun-application.xml. A call to an EJB method is done by creating a PrivilegedAction wrapper, obtaining the subject from the session and executing the statement:
    Subject.doAsPrivileged(subject, new PrivilegedAction() {
        public Object run() {
            myEjb.methodA();
            return null;
        }
    }, null);
    The Problem:
    In the EJB method the PrincipalCollection returned by SessionContext.getCallerPrincipal() shows the caller to be ANONYMOUS (I got this after commenting out the ejb method permissions and letting the method be accessed unchecked). The identity with which the call is made is not being propagated.
    I have been banging my head on the problem for around 2 weeks and still no breakthrough. Could you please provide some guidance or comments as to what might be the problem.
    Thanks
    Best Regards
    Rajat Agrawal
    SSN School of Advanced Software Engineering
    Kalavakkam, Tamil Nadu
    India

    Hi
    To plug in a custom login mechanism, you will need to do the following:
    http://developers.sun.com/prodtech/appserver/reference/techart/as8_authentication/index.html
    We support custom login modules - but for the subject to have the principals that you want from your loginmodule - you will have to hook your LoginModule through the realms infrastructure.
    - thanks
    Harpreet
