JBAS-648

Form-based Authentication drops Subject


Details

    • Bug
    • Resolution: Won't Do
    • Major
    • None
    • JBossAS-3.2.6 Final
    • Web (Tomcat) service
    • None

    Description

      SourceForge Submitter: jhouse .

      (JBoss 3.2.1 and JBoss-Jetty 3.2.2)

      I've come across an issue with the JBoss-Jetty
      integration.

      I've got form-based authentication turned on and have a
      JBoss security realm defined with a
      "DatabaseServerLoginModule" as the login module.

      Almost everything works fine: Authentication happens,
      and the request is able to return the userPrincipal and
      do isUserInRole() checks perfectly.

      The problem is that the Subject (although it was
      placed in the request by the login module, which I
      can verify in the logs) is lost from the request as
      isAuthenticated() is called on the principal, so by the
      time I try to retrieve the Subject from the request
      (with request.getAttribute("j_subject")) it is missing.

      I've had the help of the Jetty folks in trying to track
      down what the issue is, and finally got the following
      response from Jan Bartel:

      ==============================

      Are you using FORM based authentication? If so, I think
      I know what is happening. With FORM based
      authentication, the realm's authenticate() method is
      only called at login time, subsequent requests will
      cause isAuthenticated() on the UserPrincipal set in the
      request to be called instead.

      Unfortunately, the isAuthenticated() method on the
      UserPrincipal in the JBoss/Jetty integration doesn't
      set the Subject back into the request as it should. You
      should raise a bug with the JBoss guys, but since
      they've recently removed everyone here at MortBay's CVS
      write access, getting a fix into the JBoss code might
      prove difficult.

      As a workaround, you could try getting the subject
      from the security manager. Try something like:

      import javax.naming.InitialContext;
      import javax.security.auth.Subject;
      import org.jboss.security.SubjectSecurityManager;
      InitialContext ctx = new InitialContext(); // the web app's JNDI context
      SubjectSecurityManager mgr = (SubjectSecurityManager) ctx.lookup("java:comp/env/security/securityMgr");
      Subject subject = mgr.getActiveSubject();

      Jan
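As an added illustration of the workaround described above (example code, not from the issue or from the JBoss/Jetty integration itself), a servlet filter that puts the Subject back under the "j_subject" attribute when the container has already authenticated the caller but the attribute is missing. It assumes the Servlet 2.3 Filter API, the JNDI name from Jan's reply, and that getActiveSubject() returns the calling thread's Subject as the reply suggests; the filter and attribute names are hypothetical.

```java
import java.io.IOException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.jboss.security.SubjectSecurityManager;

public class SubjectRecoveryFilter implements Filter {
    // Request attribute the login integration uses for the Subject (from the issue).
    static final String SUBJECT_ATTR = "j_subject";
    // JNDI name of the web app's security manager (from Jan's reply).
    static final String SECURITY_MGR_JNDI = "java:comp/env/security/securityMgr";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Only a container-authenticated caller has an active Subject; never
        // attach one to an anonymous request.
        if (request.getUserPrincipal() != null
                && request.getAttribute(SUBJECT_ATTR) == null) {
            Subject subject = lookupActiveSubject();
            if (subject != null) {
                request.setAttribute(SUBJECT_ATTR, subject);
            }
        }
        chain.doFilter(req, res);
    }

    // Jan's workaround: ask the JBoss security manager for the Subject the
    // login module associated with the caller on the current thread.
    static Subject lookupActiveSubject() throws ServletException {
        try {
            InitialContext ctx = new InitialContext();
            SubjectSecurityManager mgr =
                (SubjectSecurityManager) ctx.lookup(SECURITY_MGR_JNDI);
            return mgr.getActiveSubject();
        } catch (NamingException e) {
            throw new ServletException("no security manager at " + SECURITY_MGR_JNDI, e);
        }
    }
}
```

Map the filter to the protected URLs in web.xml; because the container runs authentication before filters, getUserPrincipal() is already populated when the fallback lookup happens.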

      People

        starksm64 Scott Stark (Inactive)
        sourceforge-user SourceForge legacy user (Inactive)