glassfish / GLASSFISH-20915

Custom Principal is not propagated to the getCallerPrincipal() method in com.sun.enterprise.security.SecurityContext

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Works as designed
    • Affects Version/s: 3.1_b02, 3.1_ms01, 3.1_b03, 3.1_b05, 3.1_b06, 3.1_ms02, 3.1_b07, 3.1_b08, 3.1_b10, 3.1_ms03, 3.1_b12, 3.1_b13, 3.1_b14, 3.1_b15, 3.1_b16, 3.1_ms04, 3.1_b17, 3.1_b18, 3.1_b19, 3.1_b20, 3.1_ms05, 3.1_b21, 3.1_b22, 3.1_b23, 3.1_b24, 3.1_b25, 3.1_b26, 3.1_ms06, 3.1_b27, 3.1_b28, 3.1_b29, 3.1_b30, 3.1_b31, 3.1_b32, 3.1_ms07, 3.1_b33, 3.1_b34, 3.1_b35, 3.1_b36, 3.1_b37, 3.1_b38, 3.1_b39, 3.1_b40, 3.1_b41 , 3.1_b42, 3.1_b43, 3.1_ms08, 3.1, 3.1.1_b01, 3.1.1_b02, 3.1.1_b03 , 3.1.1_b04 , 3.1.1_b05, 3.1.1_b06 , 3.1.1_b07 , 3.1.1_b08, 3.1.1_b09, 3.1.1_b10, 3.1.1_b11, 3.1.1_b12, 3.1.1, 3.1.2_b01, 3.1.2_b02, 3.1.2_b03, 3.1.2_b04, 3.1.2_b05, 3.1.2_b06, 3.1.2_b07, 3.1.2_b09, 3.1.2_b10, 3.1.2_b11, 3.1.2_b12, 3.1.2_b13, 3.1.2_b14, 3.1.2_b15, 3.1.2_b16, 3.1.2_b17, 3.1.2_b18, 3.1.2_b19, 3.1.2_b20, 3.1.2_b21, 3.1.2_b22, 3.1.2_b23, 3.1.2, 3.1.2.2, 4.0_b01, 4.0_b02, 4.0_b03, 4.0_b04, 4.0_b05, 4.0_b06, 4.0_b08, 4.0_b09, 4.0_b10, 4.0_b11, 4.0_b12, 4.0_b13, 4.0_b14, 4.0_b15, 4.0_b16, 4.0_b17, 4.0_b18, 4.0_b19, 4.0_b20, 4.0_b21, 4.0_b22, 4.0_b23, 4.0_b24, 4.0_b25, 4.0_b26, 4.0_b27, 4.0_b28, 4.0_b29, 4.0_b30, 4.0_b31, 4.0_b32_ms1, 4.0_b33, 4.0_b34, 4.0_b35, 4.0_b36, 4.0_b37, 4.0_b38_ms2, 4.0_b39, 4.0_b40, 4.0_b41, 4.0_b42, 4.0_b43, 4.0_b44_ms3, 4.0_b45, 4.0_b46, 4.0_b47, 4.0_b48, 4.0_b49, 4.0_b50_ms4, 4.0_b51, 4.0_b52, 4.0_b53, 4.0_b54, 4.0_b55, 4.0_b56_ms5, 4.0_b57, 4.0_b58, 4.0_b59, 4.0_b60, 4.0_b61, 4.0_b62_ms6, 4.0_b63, 4.0_b64_EE7MS2, 4.0_b65, 4.0_b66, 4.0_b67_ms7, 4.0_b68_EE7MS3, 4.0_b69, 4.0_b70, 4.0_b71, 4.0_b72_EE7MS4, 4.0_b73, 4.0_b74, 4.0_b75, 4.0_b76_EE7MS5, 4.0_b77, 4.0_b78, 4.0_b79, 4.0_b80_EE7MS6, 4.0_b81, 4.0_b82_EE7MS7, 4.0_b83, 4.0_b84_RC1, 4.0_b85, 4.0_b86_RC2, 4.0_b87_RC3, 4.0_b88_RC4, 4.0_b89_RC5, 4.0
    • Fix Version/s: None
    • Component/s: security
    • Labels: None
    • Environment: Windows, GF 3.1.2.2

      Description

      In the constructor of com.sun.enterprise.security.SecurityContext an initiator instance (PrincipalImpl) is created using the com.sun.enterprise.security.web.integration.PrincipalGroupFactory and the username passed to the constructor.
      This principal instance is then added to the subject.

      If the Subject already has a Principal from a LoginModule then the initiator Principal is correctly not added to the Subject as the PrincipalSet ignores the duplicate.

      The method SecurityContext.getCallerPrincipal() returns the initiator and not the Principal contained in the Subject. Therefore the LoginModule is rendered useless.

      It seems that in V4.1-b0.1 this has been fixed only for one of the constructors, SecurityContext(Subject).

        Activity

        Nithya Ramakrishnan added a comment -

        Could you please confirm if you are testing any specific use case?

        Nithya Ramakrishnan added a comment -

        The constructor SecurityContext(Subject) is used only when a SAM is configured, to make sure the DistinguishedPrincipalCredentials are propagated from the SAM and are set in the SecurityContext.
        The constructor in question, i.e. SecurityContext(String userName, Subject subject, String realm), is used in all the other cases, when the username is used to identify the subject. There is no further need to extract principals from the subject in this case, as per design.

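The following is an added Java example, not code from the GlassFish project or from the participants in this issue. It models, with plain JDK types (java.security.Principal, javax.security.auth.Subject), the two constructor paths discussed in the description and in the comment above: the name-based path that builds an initiator principal from the username and keeps it as the caller principal even when the Subject already holds a LoginModule principal, and the Subject-based path that takes the caller principal from the Subject. The names NamePrincipal, CustomPrincipal, CallerContext and findCustom are hypothetical, and the name-only equals/hashCode is an assumption chosen so that the Subject's principal set ignores the initiator as a duplicate, which is the effect the reporter describes.

```java
import java.security.Principal;
import java.util.Objects;
import javax.security.auth.Subject;

// Hypothetical stand-in for the container's name-based principal
// (PrincipalImpl in the report); not GlassFish code.
final class NamePrincipal implements Principal {
    private final String name;

    NamePrincipal(String name) { this.name = Objects.requireNonNull(name); }

    @Override public String getName() { return name; }

    // Assumption: equality by name across Principal types. This is what lets a
    // Subject's principal set treat the container-created initiator as a
    // duplicate of a LoginModule principal with the same name.
    @Override public boolean equals(Object o) {
        return o instanceof Principal && name.equals(((Principal) o).getName());
    }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "NamePrincipal(" + name + ")"; }
}

// Hypothetical custom principal that a LoginModule adds; it carries an extra
// attribute that the name-based initiator does not have.
final class CustomPrincipal implements Principal {
    private final String name;
    private final String tenant;

    CustomPrincipal(String name, String tenant) {
        this.name = Objects.requireNonNull(name);
        this.tenant = Objects.requireNonNull(tenant);
    }

    @Override public String getName() { return name; }
    String getTenant() { return tenant; }

    @Override public boolean equals(Object o) {
        return o instanceof Principal && name.equals(((Principal) o).getName());
    }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "CustomPrincipal(" + name + ", tenant=" + tenant + ")"; }
}

// Simplified model of the two constructors discussed in the issue (hypothetical).
final class CallerContext {
    private final Principal initiator;
    private final Subject subject;

    // Name-based path: build an initiator from the username, add it to the
    // Subject (a no-op when an equal principal is already present) and keep
    // the initiator as the caller principal regardless of what the Subject holds.
    CallerContext(String userName, Subject subject) {
        this.subject = subject;
        this.initiator = new NamePrincipal(userName);
        subject.getPrincipals().add(initiator);
    }

    // Subject-based path (the SAM case in the comment): take the caller
    // principal from the Subject itself.
    CallerContext(Subject subject) {
        this.subject = subject;
        this.initiator = subject.getPrincipals().stream().findFirst()
                .orElseThrow(() -> new IllegalArgumentException("Subject has no principals"));
    }

    Principal getCallerPrincipal() { return initiator; }
    Subject getSubject() { return subject; }
}

public class CallerPrincipalDemo {
    // Defensive lookup: fetch the custom principal from the Subject by type
    // instead of assuming getCallerPrincipal() returns it.
    static CustomPrincipal findCustom(Subject subject) {
        return subject.getPrincipals(CustomPrincipal.class).stream().findFirst().orElse(null);
    }

    public static void main(String[] args) {
        // Constructed sample: a Subject that a LoginModule populated with a custom principal.
        Subject fromLoginModule = new Subject();
        fromLoginModule.getPrincipals().add(new CustomPrincipal("alice", "acme"));

        CallerContext byName = new CallerContext("alice", fromLoginModule);
        System.out.println("name-based ctor: caller   = " + byName.getCallerPrincipal());
        System.out.println("name-based ctor: subject  = " + fromLoginModule.getPrincipals());
        System.out.println("caller is CustomPrincipal = "
                + (byName.getCallerPrincipal() instanceof CustomPrincipal));
        CustomPrincipal custom = findCustom(byName.getSubject());
        System.out.println("lookup by type            = " + custom
                + (custom == null ? "" : ", tenant=" + custom.getTenant()));

        // Subject-based path: the principal from the Subject is what the caller sees.
        Subject fromSam = new Subject();
        fromSam.getPrincipals().add(new CustomPrincipal("bob", "acme"));
        CallerContext bySubject = new CallerContext(fromSam);
        System.out.println("subject-based ctor: caller = " + bySubject.getCallerPrincipal());
    }
}
```

Running main shows the name-based path returning the NamePrincipal while the Subject still holds only the CustomPrincipal (the add was ignored as a duplicate), and the Subject-based path returning the CustomPrincipal directly. Given the "works as designed" resolution, application code that depends on the LoginModule's principal type should locate it in the Subject, for example through getPrincipals(Class), rather than relying on the identity of the object returned by getCallerPrincipal(). Whether the real container's principal set treats the initiator as a duplicate depends on the actual PrincipalImpl equality semantics, which this model only assumes.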

          People

          • Assignee: Nithya Ramakrishnan
          • Reporter: frank_w
          • Votes: 0
          • Watchers: 0
