
-security in Tomcat

B Stokes
I'm using JAAS on Tomcat (through NetBeans) to authenticate and authorise users to a web app. All was going well: once the user was logged in, their Subject object was attached to the currently running thread in a servlet filter (with Subject.doAs()), with the effect that all resources accessed in this way could be managed with a security policy...

...that is until I actually turned the Tomcat security manager on with the -security argument. Everything still worked in the same way, except that a new AccessControlContext was created somewhere between the output of the servlet filter and the processing of the requested JSP. This meant that any security checks carried out on any executed classes (I'm using Struts) were pointless as, as far as the AccessControlContext was concerned, the user wasn't logged in.

I've a sneaking suspicion that Tomcat is trying to authenticate users to the web app without telling me and attaching a blank Subject object to the context just before it processes the requested resource (JSP or Struts action class). But it's just a guess.

Has anyone got any idea about what's going on?

[edit: I've just output logs of the security access and tomcat definitely creates a new AccessControlContext with java.security.SecurityPermission createAccessControlContext just before it reads the JSPs]
[ August 04, 2004: Message edited by: B Stokes ]
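The mechanism the post describes, as an added example that is not the poster's code: a hypothetical servlet filter (SubjectFilter, with an assumed session attribute name "jaas.subject") that wraps the rest of the filter chain in Subject.doAs(), plus a small diagnostic helper that reports whether the current AccessControlContext still carries the Subject. Calling the helper from inside the filter and again from the JSP or Struts action shows exactly where the Subject is lost once the security manager is on.

```java
import java.io.IOException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (added example, not from the original post): binds the
 * authenticated JAAS Subject to the current thread for the remainder of the
 * filter chain, so a Principal-based Policy can govern what the request may do.
 */
public class SubjectFilter implements Filter {

    /** Session attribute under which the login step stored the Subject (assumed name). */
    static final String SUBJECT_ATTR = "jaas.subject";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(final ServletRequest req, final ServletResponse res,
                         final FilterChain chain) throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        final Subject subject =
            session == null ? null : (Subject) session.getAttribute(SUBJECT_ATTR);

        if (subject == null) {
            // Anonymous request: nothing to bind, let the chain run as-is.
            chain.doFilter(req, res);
            return;
        }

        try {
            // Subject.doAs runs the action under an AccessControlContext that carries
            // the Subject's Principals; any AccessController.checkPermission() further
            // down the chain is evaluated against those Principals.
            Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
                public Void run() throws IOException, ServletException {
                    reportSubject("inside filter, before chain.doFilter");
                    chain.doFilter(req, res);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // Unwrap the checked exception thrown by the wrapped chain.
            Exception cause = e.getException();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }

    /**
     * Diagnostic: returns the Subject visible in the current AccessControlContext
     * (null if none) and logs it. With a SecurityManager active, the calling code
     * needs javax.security.auth.AuthPermission "getSubject" for this call to succeed.
     */
    public static Subject reportSubject(String where) {
        AccessControlContext acc = AccessController.getContext();
        Subject current = Subject.getSubject(acc);
        System.out.println(where + ": subject="
            + (current == null ? "<none>" : current.getPrincipals().toString()));
        return current;
    }
}
```

Invoking SubjectFilter.reportSubject("in JSP") from a scriptlet in the requested page, or from the Struts action's execute method, gives a before/after pair in the log: if the filter reports the Principals but the JSP reports "<none>", the container has built a fresh AccessControlContext for the JSP dispatch, which matches the createAccessControlContext permission check noted in the edit above.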