[GLASSFISH-8544] principals always wrapped in "WebPrincipal" Created: 17/Jun/09  Updated: 09/Jul/12

Status: Open
Project: glassfish
Component/s: security
Affects Version/s: v2.1
Fix Version/s: not determined

Type: Improvement Priority: Major
Reporter: svnfightsvn Assignee: monzillo
Resolution: Unresolved Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


Issuezilla Id: 8,544

Description

I have a custom realm and login module in which I add a custom principal to the
person's subject. The custom principal class extends
com.sun.enterprise.deployment.PrincipalImpl and adds some other member variables
to the principal. The idea is that I want to retrieve this principal from the
HttpServletRequest after authentication and cast it to my appropriate subclass.
Since the name of the principal is the same as what gets entered in a login
form and since the class extends PrincipalImpl class, it is the default
principal that gets used upon login.
However, it seems that I ALWAYS end up with a "com.web.security.WebPrincipal"
implementation when I call httpServletRequest.getUserPrincipal(). It seems that
Glassfish is wrapping any authenticated principal in this WebPrincipal class
with no way to retrieve the custom principal.
I have found code in com.web.security.WebProgrammaticLogin and
com.sun.web.security.RealmAdapter class (possibly others) that creates this
WebPrincipal after the login is performed.

A quick snippet of code:
--------------------------
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.auth.LoginContextDriver;
import com.sun.web.security.WebPrincipal;

// Authenticate against the realm; on success the custom principal ends up in
// the current SecurityContext's Subject.
LoginContextDriver.login(user, password, realm);
SecurityContext secCtx = SecurityContext.getCurrent();
// The container then wraps the whole SecurityContext in a WebPrincipal ...
WebPrincipal principal = new WebPrincipal(user, password, secCtx);
// ... and that wrapper is what getUserPrincipal() returns to the application.
httpServletRequest.setUserPrincipal(principal);
--------------------------

I don't know, but is WebPrincipal necessary? If the authentication succeeds,
the SecurityContext will already have a principal in it (my custom ones, the
"initiator"). Instead of creating a new "WebPrincipal" object, can't we just
stick the principal from the SecurityContext into the request?



Comments
Comment by jluehe [ 18/Jun/09 ]

-> security

Comment by monzillo [ 19/Jun/09 ]

The WebPrincipal contains what amounts to a Subject, so that "other" principals
(e.g. group principals) and credentials resulting from the authentication can
be remembered in the authentication session, and recovered (without repeating
the authentication process) when a subsequent request is made on the session.
The implementation is historical, and the focus was on defining a representation
for use by the container. I think its utility (to non-container code) could be
improved, with respect to custom principals.

That said, all EE containers are required to support an API that can be used to
obtain a subject containing all the principals corresponding to the request,
including your custom principal.

Subject s = (Subject)
javax.security.jacc.PolicyContext.getContext("javax.security.auth.Subject.container");

This PolicyContext handler may be called from your application code, at which
time it will return a subject containing the principals corresponding to the
run-as identity of the component from which it was called. This handler was
provided for use by the container policy subsystem, and when called from the
policy system and prior to dispatch into the component, it returns a subject
containing the principals of the caller. When the component is configured to
run-as its caller, the distinction is moot.

You can see more details in the jacc spec (I believe null is returned when
authentication has not occurred).

Let us know if the PolicyContext API satisfies your immediate need.

I also think we should add a getCustomPrincipal method to WebPrincipal.
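The following is an added example, not code from the issue or from GlassFish itself, showing the PolicyContext lookup suggested in the comment above applied to the reporter's situation (a custom principal extending PrincipalImpl that is no longer reachable through getUserPrincipal()). The CustomPrincipal class, its "department" attribute, the class name CallerPrincipalLookup and the sample Subject built in main() are all assumptions made for illustration; the handler key "javax.security.auth.Subject.container", Subject.getPrincipals(Class), PolicyContext.getContext and PolicyContextException are the real JACC / JAAS APIs.

```java
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;

import com.sun.enterprise.deployment.PrincipalImpl;

// Hypothetical custom principal, shaped like the one in the report:
// PrincipalImpl plus an extra attribute that the web tier needs to read.
class CustomPrincipal extends PrincipalImpl {
    private final String department; // assumed extra attribute, illustration only

    CustomPrincipal(String name, String department) {
        super(name);
        this.department = department;
    }

    String getDepartment() {
        return department;
    }
}

public final class CallerPrincipalLookup {
    // Handler key defined by the JACC spec for the container Subject.
    static final String SUBJECT_CONTAINER_KEY = "javax.security.auth.Subject.container";

    private CallerPrincipalLookup() {}

    // Resolves the caller's CustomPrincipal from the JACC Subject instead of
    // from request.getUserPrincipal(), which GlassFish wraps in a WebPrincipal.
    // Returns null when authentication has not occurred (the handler returns a
    // null Subject), when no handler is registered, or when the Subject does
    // not carry a CustomPrincipal; callers must treat null as "unauthenticated".
    public static CustomPrincipal findCustomPrincipal() {
        Subject subject;
        try {
            subject = (Subject) PolicyContext.getContext(SUBJECT_CONTAINER_KEY);
        } catch (PolicyContextException e) {
            // No handler for the key in this container, or the handler failed.
            return null;
        }
        if (subject == null) {
            return null; // unauthenticated request, per the JACC contract
        }
        return findCustomPrincipal(subject);
    }

    // Container-independent part: scan any Subject for the custom principal.
    // Subject.getPrincipals(Class) filters by type, so group and role
    // principals added by the realm are skipped without instanceof checks.
    public static CustomPrincipal findCustomPrincipal(Subject subject) {
        Set<CustomPrincipal> matches = subject.getPrincipals(CustomPrincipal.class);
        return matches.isEmpty() ? null : matches.iterator().next();
    }

    // Offline check using a constructed Subject; needs only the GlassFish
    // deployment jar on the classpath, not a running container.
    public static void main(String[] args) {
        Subject sample = new Subject();
        sample.getPrincipals().add(new PrincipalImpl("staff"));             // constructed group-like principal
        sample.getPrincipals().add(new CustomPrincipal("alice", "payments")); // constructed custom principal

        CustomPrincipal found = findCustomPrincipal(sample);
        System.out.println(found == null
                ? "no CustomPrincipal in Subject"
                : found.getName() + " / " + found.getDepartment());
    }
}
```

Inside a servlet or JAX-RS resource the no-argument findCustomPrincipal() is the call to make; the overload taking a Subject exists so the filtering logic can be unit-tested without a container. If a Java security manager is enabled, the container must authorise application code to call PolicyContext.getContext, otherwise the call fails with a SecurityException that this example deliberately lets propagate rather than masking as "unauthenticated".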

Comment by kumara [ 01/Sep/09 ]

Changing version from 9.1.1 to v2.1 to reflect new name/version.

Comment by Tom Mueller [ 06/Mar/12 ]

Bulk update to change fix version to "not determined" for all issues still open but with a fix version for a released version.

Comment by cpiggott [ 09/Jul/12 ]

I have this exact same issue. I need to attach extra information to a Principal, so I made a custom AppservPasswordLoginModule that overwrites commit() and attaches my own CustomPrincipal to the Subject. When it gets to my (JAX-RS) webapp it's a WebPrincipal with no way to get to the customPrincipal inside.





Generated at Thu Sep 03 09:53:08 UTC 2015 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.