
-security in Tomcat

B Stokes

Joined: Aug 04, 2004
Posts: 9
I'm using JAAS on Tomcat (through NetBeans) to authenticate and authorise users to a web app. All was going well: once the user was logged in, their Subject object was attached to the currently running thread in a servlet filter (with Subject.doAs()), with the effect that all resources accessed in this way could be managed with a security policy...

...that is, until I actually turned the Tomcat security manager on with the -security argument. Everything still worked in the same way, except that a new AccessControlContext was created somewhere between the output of the servlet filter and the processing of the requested JSP. This meant that any security checks carried out on any executed classes (I'm using Struts) were pointless as, as far as the AccessControlContext was concerned, the user wasn't logged in.

I've a sneaking suspicion that Tomcat is trying to authenticate users to the web app without telling me and attaching a blank Subject object to the context just before it processes the requested resource (JSP or Struts action class). But it's just a guess.

Has anyone got any idea about what's going on?

[edit: I've just output logs of the security access and tomcat definitely creates a new AccessControlContext with java.security.SecurityPermission createAccessControlContext just before it reads the JSPs]
[ August 04, 2004: Message edited by: B Stokes ]
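The setup the post describes, as an added example for readers (it is not the poster's code and does not show what Tomcat itself does): a servlet filter that wraps the rest of the chain in Subject.doAs(), and a helper that downstream code (a Struts action, a JSP) can call to see which Subject is bound to its AccessControlContext. Subject.doAs() works by running the action under a new AccessControlContext whose DomainCombiner (a SubjectDomainCombiner) carries the Subject's principals, which is exactly why the Subject "disappears" as soon as any intermediate frame establishes a fresh context: AccessController.doPrivileged(action) without an explicit context drops the combiner (Java 6 added doPrivilegedWithCombiner for this reason), and so does any code that builds its own AccessControlContext. The session attribute name "jaas.subject", the principal class name in the policy comment, and the javax.servlet API (Tomcat 5 era) are assumptions.

```java
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical filter: assumes the login step stored the authenticated JAAS
 * Subject in the HTTP session under the attribute "jaas.subject" (an assumption,
 * not a Tomcat convention). Everything downstream of chain.doFilter() runs
 * inside Subject.doAs(), so policy entries of the form
 *
 *   grant principal com.example.RolePrincipal "admin" {
 *       permission java.io.FilePermission "/data/-", "read";
 *   };
 *
 * (principal class is hypothetical) apply to the code reached from here, as long
 * as no frame in between replaces the AccessControlContext.
 */
public class SubjectFilter implements Filter {

    private static final String SUBJECT_ATTR = "jaas.subject"; // assumed attribute name

    public void init(FilterConfig config) {
    }

    public void destroy() {
    }

    public void doFilter(final ServletRequest req, final ServletResponse res,
                         final FilterChain chain) throws IOException, ServletException {
        Subject subject = (Subject) ((HttpServletRequest) req)
                .getSession(false) == null ? null
                : (Subject) ((HttpServletRequest) req).getSession(false).getAttribute(SUBJECT_ATTR);

        if (subject == null) {
            // Not logged in: run the chain with whatever context the caller already has.
            chain.doFilter(req, res);
            return;
        }

        try {
            // Run the rest of the chain under a context that carries the Subject's principals.
            Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
                public Void run() throws IOException, ServletException {
                    chain.doFilter(req, res);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // doAs wraps checked exceptions from run(); unwrap the servlet ones.
            Exception cause = e.getException();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            if (cause instanceof ServletException) {
                throw (ServletException) cause;
            }
            throw new ServletException(cause);
        }
    }
}

/**
 * Helper for action classes and JSPs: reports the Subject bound to the caller's
 * own AccessControlContext. Returns null when called from a frame that runs under
 * a fresh context (for example inside AccessController.doPrivileged(action)
 * without a context argument, or under a context built elsewhere), which is the
 * symptom described in the post. With a security manager on, calling this needs
 * javax.security.auth.AuthPermission "getSubject" in the policy.
 */
final class CurrentSubject {

    private CurrentSubject() {
    }

    static Subject get() {
        return Subject.getSubject(AccessController.getContext());
    }

    /** Convenience check for "is anyone logged in as far as my context knows?". */
    static boolean isBound() {
        Subject s = get();
        return s != null && !s.getPrincipals().isEmpty();
    }
}
```

To reproduce the problem on purpose, call CurrentSubject.get() once directly from a filtered servlet and once from inside AccessController.doPrivileged(new PrivilegedAction<Void>() { ... }) in the same request: the first call returns the Subject, the second returns null, because the plain doPrivileged discards the SubjectDomainCombiner. Wrapping the second call in AccessController.doPrivilegedWithCombiner (Java 6 and later) or passing AccessController.getContext() explicitly keeps the Subject; code you do not control, such as a container's JSP loading path, can only be diagnosed, as the poster did, by logging which frame performed the createAccessControlContext check.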