Hi,

I’m using jakarta-tomcat-5.0.27-src and Windows XP.

I made a servlet that prints the current subject's principals (the authenticated user).
The servlet code is:

<code>
// Imports needed by the method below (it lives in an HttpServlet subclass).
import java.io.IOException;
import java.io.PrintWriter;
import java.security.AccessController;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

private void doQuery(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {

    response.setContentType("text/html");
    PrintWriter out = response.getWriter();

    out.println("<HTML>");
    out.println("<HEAD>");
    out.println("<TITLE>TestServletProtected</TITLE>");
    out.println("<META HTTP-EQUIV=\"Pragma\" CONTENT=\"no-cache\">");
    out.println("<META HTTP-EQUIV=\"Expires\" CONTENT=\"-1\">");
    out.println("</HEAD>");
    out.println("<BODY>");

    // Container-level view of the authenticated user.
    out.println("<br>");
    out.println(request.getAuthType());
    out.println("</br>");
    out.println("<br>");
    out.println(request.getRemoteUser());
    out.println("</br>");
    out.println("<br>");
    out.println(request.getUserPrincipal());
    out.println("</br>");
    out.println("<br>");
    out.println(request.isUserInRole("tomcat"));
    out.println("</br>");
    out.println("<br>");
    out.println(request.isUserInRole("admin"));
    out.println("</br>");

    // Subject bound to the current access-control context
    // (set when SecurityUtil wraps the call in Subject.doAsPrivileged).
    Subject subject = Subject.getSubject(AccessController.getContext());
    out.println("<br>");
    out.println(subject);
    out.println("</br>");

    // Subject cached in the session by the container; getSession(true)
    // creates the session if it does not exist yet.
    subject = (Subject) request.getSession(true).getAttribute("javax.security.auth.subject");
    out.println("<br>");
    out.println(subject);
    out.println("</br>");

    out.println("</BODY>");
    out.println("</HTML>");

    out.close();
}
</code>

The first time I call this servlet I get:
BASIC 
tomcat 
GenericPrincipal[tomcat(admin,manager,tomcat,)] 
true 
true 
null 
null

The next time I get:
BASIC 
tomcat 
GenericPrincipal[tomcat(admin,manager,tomcat,)] 
true 
true 
Subject: Principal: GenericPrincipal[tomcat(admin,manager,tomcat,)] 
Subject: Principal: GenericPrincipal[tomcat(admin,manager,tomcat,)]

I found that SecurityUtil.execute tries to find the subject in the current session,
but because the session has not been created yet, the subject passed to
Subject.doAsPrivileged is null.

When I changed the code in the function SecurityUtil.execute to:

// The first argument is always the request object
// (subject, principal and targetArguments are locals of SecurityUtil.execute)
if (targetArguments != null
        && targetArguments[0] instanceof HttpServletRequest) {
    HttpServletRequest request = (HttpServletRequest) targetArguments[0];

    // Reuse a Subject already cached in the session, if a session exists.
    HttpSession session = request.getSession(false);
    if (session != null) {
        subject = (Subject) session.getAttribute(Globals.SUBJECT_ATTR);
    }

    // Otherwise build one from the authenticated principal and cache it
    // (caching is only possible when a session already exists).
    if ((subject == null) && (principal != null)) {
        subject = new Subject();
        subject.getPrincipals().add(principal);

        if (session != null) {
            session.setAttribute(Globals.SUBJECT_ATTR, subject);
        }
    }
}

Everything looks OK except that the subject is not in the session
(request.getSession(true).getAttribute("javax.security.auth.subject") returns null).
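The following is an added, stand-alone Java model of the mechanism discussed in the post (it is not Tomcat's code and not code from the original mail). It assumes a HashMap standing in for HttpSession (null meaning "no session yet"), a constructed SimplePrincipal in place of Tomcat's GenericPrincipal, and a resolveSubject method that copies the lookup logic of the patched SecurityUtil.execute; Globals.SUBJECT_ATTR is replaced by the literal attribute key the servlet reads back. It shows why the Subject is visible inside Subject.doAsPrivileged on the first request but is never stored in the session, and why the unpatched path (a null Subject) gives the servlet nothing to find.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;

/**
 * Stand-alone model of the session-backed Subject lookup (added example).
 * A Map stands in for HttpSession (null = no session yet); SimplePrincipal
 * stands in for Tomcat's GenericPrincipal. Both are constructed for this demo.
 */
public class SubjectLookupDemo {

    // Same attribute key the servlet in the post reads back from the session.
    static final String SUBJECT_ATTR = "javax.security.auth.subject";

    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return "SimplePrincipal[" + name + "]"; }
    }

    /** Same logic as the patched lookup: reuse the session's Subject, else build one from the principal. */
    static Subject resolveSubject(Map<String, Object> session, Principal principal) {
        Subject subject = null;
        if (session != null) {
            subject = (Subject) session.get(SUBJECT_ATTR);
        }
        if (subject == null && principal != null) {
            subject = new Subject();
            subject.getPrincipals().add(principal);
            // getSession(false) semantics: nothing is stored when no session exists yet,
            // so the first request never caches the Subject.
            if (session != null) {
                session.put(SUBJECT_ATTR, subject);
            }
        }
        return subject;
    }

    /** What the servlet's Subject.getSubject(AccessController.getContext()) sees inside doAsPrivileged. */
    static Subject observedInServlet(Subject subject) {
        PrivilegedAction<Subject> action = () -> Subject.getSubject(AccessController.getContext());
        return Subject.doAsPrivileged(subject, action, null);
    }

    public static void main(String[] args) {
        Principal tomcat = new SimplePrincipal("tomcat");

        // Request 1: no session yet. The Subject is built and visible inside
        // doAsPrivileged, but cached nowhere.
        Subject first = resolveSubject(null, tomcat);
        System.out.println("request 1, in servlet:    " + observedInServlet(first));

        // Request 2: the servlet's getSession(true) created a session during
        // request 1, so the lookup now builds and caches the Subject.
        Map<String, Object> session = new HashMap<>();
        Subject second = resolveSubject(session, tomcat);
        System.out.println("request 2, cached:        " + session.get(SUBJECT_ATTR));
        System.out.println("request 2, in servlet:    " + observedInServlet(second));

        // Request 3 reuses the cached instance instead of building a new one.
        System.out.println("request 3, same object:   " + (resolveSubject(session, tomcat) == second));

        // Unpatched first request: a null Subject passed to doAsPrivileged
        // leaves nothing for the servlet to find.
        System.out.println("null subject, in servlet: " + observedInServlet(null));
    }
}
```

Compile and run with `javac SubjectLookupDemo.java && java SubjectLookupDemo`. The APIs used (Subject.getSubject, Subject.doAsPrivileged, AccessController.getContext) are the JDK 1.4-era ones Tomcat 5.0 relies on; on current JDKs they are deprecated, and where the Security Manager is disallowed Subject.getSubject can throw UnsupportedOperationException, so run with `-Djava.security.manager=allow` or port to Subject.current()/Subject.callAs().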
