Obtaining JAAS subject in a servlet.

Former Member
0 Kudos

G'day,

There are problems in Java with getting the JAAS subject, as the standard Subject.getSubject() call can return null if called within a privileged action:


import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

// Subject attached to the caller's current access control context (if any)
Subject s = Subject.getSubject(AccessController.getContext());
Subject.doAs(s, new PrivilegedAction() {
  public Object run() {
    // Inside doAs: the subject is carried by the context's SubjectDomainCombiner
    Subject s1 = Subject.getSubject(AccessController.getContext());
    AccessController.doPrivileged(new PrivilegedAction() {
      public Object run() {
        // Inside a one-argument doPrivileged: new context, subject may be lost
        Subject s2 = Subject.getSubject(AccessController.getContext());
        return null;
      }
    });
    return null;
  }
});

Here, s2 may be null, which is why other app servers have custom approaches (such as JBoss and its SecurityAssociation.getSubject() call).

Is there a similar API for Netweaver AS Java for obtaining the JAAS subject? Or can the JAAS subject be obtained always using the standard Java API?

Edit: I put the above code into a servlet protected by BasicLoginModule, and all three subject objects (s, s1, and s2) were null. I thought that at least 's' would be non-null, but apparently not.

--Geoff
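The null-subject behaviour described in the question is standard JAAS: a one-argument AccessController.doPrivileged() starts a fresh AccessControlContext without the SubjectDomainCombiner that Subject.doAs() installed, so Subject.getSubject() inside it finds nothing. The example below is added here and is not code from the thread or from any SAP or JBoss API; it runs stand-alone with a constructed Subject (a hypothetical NamePrincipal "geoff") and no login module or application server. It shows the subject being lost in doPrivileged(action) and the two standard ways to keep it reachable: the two-argument doPrivileged(action, acc) with a context captured inside doAs, and Subject.doAsPrivileged(subject, action, null).

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

/**
 * Added example (not from the forum thread): why Subject.getSubject() returns
 * null inside AccessController.doPrivileged(action) and how to keep the subject
 * reachable. Constructed for illustration; no login module, no app server.
 */
public class SubjectPropagationDemo {

    /** Minimal principal for the constructed subject (hypothetical class). */
    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "NamePrincipal[" + name + "]"; }
    }

    /** Subject lookup from the current thread's context, as in the question. */
    static Subject currentSubject() {
        return Subject.getSubject(AccessController.getContext());
    }

    static String describe(String where, Subject s) {
        return where + ": " + (s == null ? "null" : s.getPrincipals().toString());
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new NamePrincipal("geoff")); // constructed sample user

        // Outside doAs no subject is bound to the context, so null is expected here.
        System.out.println(describe("before doAs", currentSubject()));

        Subject.doAs(subject, (PrivilegedAction<Void>) () -> {
            // Inside doAs the SubjectDomainCombiner carries the subject.
            System.out.println(describe("inside doAs", currentSubject()));

            // Capture the context here, while the subject is still attached to it.
            AccessControlContext acc = AccessController.getContext();

            // One-argument doPrivileged starts a fresh context with no DomainCombiner,
            // so the subject is not reachable: the s2 case from the question.
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                System.out.println(describe("doPrivileged(action)", currentSubject()));
                return null;
            });

            // Two-argument doPrivileged takes the combiner from the supplied context,
            // so the subject stays reachable inside the privileged block.
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                System.out.println(describe("doPrivileged(action, acc)", currentSubject()));
                return null;
            }, acc);

            // Alternative: doAsPrivileged with a null context also starts a fresh
            // context, but explicitly binds the given subject to it.
            Subject.doAsPrivileged(subject, (PrivilegedAction<Void>) () -> {
                System.out.println(describe("doAsPrivileged(subject, action, null)", currentSubject()));
                return null;
            }, null);
            return null;
        });
    }
}
```

Compile and run with any JDK that still ships AccessController; on JDK 17+ the compiler warns that the class is deprecated for removal, and on JDK 23+ Subject.getSubject() throws UnsupportedOperationException unless the JVM is started with -Djava.security.manager=allow (Subject.current() is the replacement there). Note that this only explains the s2 case; if s and s1 are also null inside a container-protected servlet, the container has not wrapped the request in Subject.doAs() at all, and no amount of context passing will recover a subject that was never bound.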

Accepted Solutions (1)

Benny
Product and Topic Expert
0 Kudos

Hi,

this security stuff is not my level of expertise, but maybe the right section of the manuals can help:

[http://help.sap.com/saphelp_nw70/helpdata/en/b9/9482887ddb3e47bd1a738c3e900195/frameset.htm]

Check here and come back if something is missing.

Regards,

Benny

Former Member
0 Kudos

G'day,

Thanks for the link to the JAAS login module section of the SAP Library documentation.

I have already written a custom JAAS login module (which populates a subject with principals and their credentials), but I am looking for the Netweaver equivalent of JBoss's SecurityAssociation.getSubject() that can be called from any code. I did not find anything suitable while searching through the SAP Library documentation.

However, I did stumble upon an API that might be useful:


import javax.security.auth.Subject;

// Ask the UME engine resource helper for the subject of the current request
Object object = com.sap.security.core.InternalUMFactory.getEngineResourceHelper();
if (object != null && object instanceof com.sap.security.core.IEngineResourceHelper) {
  com.sap.security.core.IEngineResourceHelper helper = 
      (com.sap.security.core.IEngineResourceHelper) object;
  // Subject bound to the current thread/request by the server's login modules
  Subject subject = helper.getCurrentSubject();
}

The class name InternalUMFactory suggests that this API may be undocumented or unstable.

If I have a servlet protected by the BasicLoginModule, and I authenticate to the servlet using a username/password, then the subject returned is a principal with the correct username, and with password credentials.

If the servlet is not protected by a login module, then the subject returned is "Guest".

If I put the servlet as an iView within a portal, then the subject returned is "Guest", even though the portal is protected by a login module and authentication is required. I thought here that the Subject for the portal would be propagated to the servlets running in that portal, but maybe my understanding is wrong.

--Geoff

Answers (1)

Benny
Product and Topic Expert
0 Kudos

Geoff,

I'll forward you to the security forum, as I hope they know better than me...

Regards,

Benny

*******************

Sorry, for some reason couldn't do this. Please try in the security forum, I'll check how to move this thread...

Regards,

Benny

Edited by: Benny Schaich-Lebek on Feb 8, 2008 10:22 AM

Former Member
0 Kudos

G'day,

I have posted a variant of this question on the Security forum:

--Geoff