on 02-06-2008 8:59 PM
G'day,
There are problems in Java with getting the JAAS subject, as the standard Subject.getSubject() call can return null if called within a privileged action:
    import java.security.AccessController;
    import java.security.PrivilegedAction;
    import javax.security.auth.Subject;

    Subject s = Subject.getSubject(AccessController.getContext());
    Subject.doAs(s, new PrivilegedAction() {
        public Object run() {
            // s1: looked up inside doAs, so the Subject is attached to the current context
            Subject s1 = Subject.getSubject(AccessController.getContext());
            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    // s2: looked up inside doPrivileged, which starts a new privileged context
                    Subject s2 = Subject.getSubject(AccessController.getContext());
                    return null;
                }
            });
            return null;
        }
    });
Here, s2 may be null, which is why other app servers have custom approaches (such as JBoss and its SecurityAssociation.getSubject() call).
Is there a similar API for Netweaver AS Java for obtaining the JAAS subject? Or can the JAAS subject be obtained always using the standard Java API?
Edit: I put the above code into a servlet protected by BasicLoginModule, and all three subject objects (s, s1, and s2) were null. I thought that at least 's' would be non-null, but apparently not.
--Geoff
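The following is an added example, not code from this thread or from SAP NetWeaver. It is a stand-alone Java program that reproduces the nested doAs / doPrivileged lookups from the post (s1 and s2) and adds the standard-JAAS remedy for the null case: capture the AccessControlContext while the Subject is still attached to it and hand that context to the two-argument AccessController.doPrivileged, so the SubjectDomainCombiner, and with it the Subject, remains visible inside the privileged block. The principal "CN=demo user" is a constructed sample value.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not from the thread, not SAP code). Shows where a Subject
 * set up by Subject.doAs is and is not visible, and how to carry it into a
 * doPrivileged block by passing the captured AccessControlContext.
 */
public class SubjectVisibilityDemo {

    /**
     * Runs the three lookups and reports whether a Subject was visible at each:
     * [0] inside doAs (s1 in the post),
     * [1] inside a plain doPrivileged (s2 in the post),
     * [2] inside doPrivileged restricted by the context captured beforehand.
     */
    public static boolean[] probe(Subject subject) {
        final boolean[] seen = new boolean[3];
        Subject.doAs(subject, new PrivilegedAction<Void>() {
            public Void run() {
                // s1: doAs installed a SubjectDomainCombiner on the current
                // AccessControlContext, so the Subject can be read back from it.
                seen[0] = Subject.getSubject(AccessController.getContext()) != null;

                // Capture the context while the Subject is still attached to it.
                final AccessControlContext ctxWithSubject = AccessController.getContext();

                // s2: the one-argument doPrivileged opens a fresh privileged
                // context with no DomainCombiner, so the Subject is not reachable.
                AccessController.doPrivileged(new PrivilegedAction<Void>() {
                    public Void run() {
                        seen[1] = Subject.getSubject(AccessController.getContext()) != null;
                        return null;
                    }
                });

                // Remedy: restrict the privileged block by the captured context.
                // Its combiner is reused, so the Subject travels into the block.
                AccessController.doPrivileged(new PrivilegedAction<Void>() {
                    public Void run() {
                        seen[2] = Subject.getSubject(AccessController.getContext()) != null;
                        return null;
                    }
                }, ctxWithSubject);
                return null;
            }
        });
        return seen;
    }

    public static void main(String[] args) {
        Subject demo = new Subject();
        // Constructed sample principal; any Principal implementation would do.
        demo.getPrincipals().add(new X500Principal("CN=demo user"));
        boolean[] seen = probe(demo);
        System.out.println("Subject visible inside doAs                  : " + seen[0]);
        System.out.println("Subject visible in plain doPrivileged        : " + seen[1]);
        System.out.println("Subject visible with captured context passed : " + seen[2]);
    }
}
```

Compile and run with javac and java on a JDK of the era discussed here (Java 5 or 6 generics are sufficient). On current JDKs the same code still compiles, but AccessController, Subject.doAs and Subject.getSubject(AccessControlContext) are deprecated for removal since JDK 17, and JDK 18 added Subject.current() and Subject.callAs() as the replacement for this pattern; the underlying point is unchanged: code that needs the caller's Subject must either receive it explicitly or preserve the context that carries it.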
Hi,
this security stuff is not my level of expertise, but maybe the right section of the manuals can help:
[http://help.sap.com/saphelp_nw70/helpdata/en/b9/9482887ddb3e47bd1a738c3e900195/frameset.htm]
Check here and come back if something is missing.
Regards,
Benny
G'day,
Thanks for the link to the JAAS login module section of the SAP Library documentation.
I have already written a custom JAAS login module (which populates a subject with principals and their credentials), but I am looking for the Netweaver equivalent of JBoss's SecurityAssociation.getSubject() that can be called from any code. I did not find anything suitable while searching through the SAP Library documentation.
However, I did stumble upon an API that might be useful:
    Object object = com.sap.security.core.InternalUMFactory.getEngineResourceHelper();
    if (object != null && object instanceof com.sap.security.core.IEngineResourceHelper) {
        com.sap.security.core.IEngineResourceHelper helper =
            (com.sap.security.core.IEngineResourceHelper) object;
        Subject subject = helper.getCurrentSubject();
    }
The class name InternalUMFactory suggests that this API may be undocumented or unstable.
If I have a servlet protected by the BasicLoginModule, and I authenticate to the servlet using a username/password, then the subject returned is a principal with the correct username, and with password credentials.
If the servlet is not protected by a login module, then the subject returned is "Guest".
If I put the servlet as an iView within a portal, then the subject returned is "Guest", even though the portal is protected by a login module and authentication is required. I thought here that the Subject for the portal would be propagated to the servlets running in that portal, but maybe my understanding is wrong.
--Geoff
Geoff,
I'll forward you to the security forum, as I hope they know better than me...
Regards,
Benny
*******************
Sorry, for some reason couldn't do this. Please try in the security forum, I'll check how to move this thread...
Regards,
Benny
Edited by: Benny Schaich-Lebek on Feb 8, 2008 10:22 AM