2
votes

Please, I need your help. I have an application running on Tomcat and a JAAS module. Before JAAS, I use a filter in order to get some parameters from the HTTP request. In this filter, I create a LoginContext with my JAAS login and call the login() method. All goes fine, the commit returns true and all is good.

I get subject from session:

    session.setAttribute("javax.security.auth.subject", subject);

In this subject I put the principal that is created. The problem is that after login, everything is as if this login was never called. Then the user is not authenticated and I get a blank page. What is wrong?

I guess that Tomcat doesn't accept the LoginContext I created or something like that, but what can I do to fix that? Thanks in advance!

1 Answer

2
votes

Look at http://www.coderanch.com/t/466744/Servlets/java/Set-user-principal-filter. You can see in the thread that getUserPrincipal() and isUserInRole() for a request are not normally populated unless you go through the facility provided by the container.

In your case, you should create a RequestWrapper as in the link and set the user in the RequestWrapper.