Hi
We have some users keen on using JAAS API in their JAX-RS Services:
import java.security.AccessControlContext;
import java.security.AccessController;
import javax.security.auth.Subject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;
@GET
@Path("/jaas")
public Response get() {
    AccessControlContext acc = AccessController.getContext();
    Subject subject = Subject.getSubject(acc); // null unless run under Subject.doAs()
    // do something with Subject
    return Response.ok().build();
}
The above works assuming the container/runtime has used JAAS to
authenticate a user and continued the execution with Subject.doAs().
My response was:
- JAX-RS SecurityContext has to be used and it is the job of the
runtime, if JAAS is used, to ensure a user principal is extracted from
Subject into JAX-RS SecurityContext.
- JAAS is only one of possible ways to authenticate hence the above code
is not guaranteed to be portable.
I wonder, should the spec have some position about the services trying
to access an authenticated Subject? Something along these lines: "if
the runtime uses JAAS then it has to guarantee Subject.getSubject works;
the portability of this code might be affected if a non-JAAS solution is
used to authenticate"...
I'm still thinking using SecurityContext is the best option for most
services, but Subject.doAs can be a pretty useful mechanism to get a
security context propagated down to JAAS-aware service dependencies, so
perhaps there's some scope here to support it...
Sergey
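Below, as an added example (not code from Sergey's mail or from any JAX-RS runtime), is how the two halves fit together: the service-side Subject lookup from the mail, and the runtime-side step of building a JAX-RS SecurityContext from the JAAS Subject so that the service does not depend on Subject.doAs(). It assumes Java 8+ with the javax.ws.rs API on the classpath; UserPrincipal and the name-based role check are constructed stand-ins for whatever a real LoginModule and role mapping would produce.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.ws.rs.core.SecurityContext;

public class SubjectBridgeDemo {
    // Constructed principal standing in for what a JAAS LoginModule would add to the Subject.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Runtime side: derive a JAX-RS SecurityContext from the authenticated JAAS Subject. */
    static SecurityContext fromSubject(Subject subject, boolean secure) {
        final Principal user = subject.getPrincipals().stream().findFirst().orElse(null);
        return new SecurityContext() {
            @Override public Principal getUserPrincipal() { return user; }
            @Override public boolean isUserInRole(String role) {
                // Assumed role mapping: a principal whose name equals the role grants it.
                return subject.getPrincipals().stream().anyMatch(p -> p.getName().equals(role));
            }
            @Override public boolean isSecure() { return secure; }
            @Override public String getAuthenticationScheme() { return "JAAS"; }
        };
    }

    /** Service side, as in the mail: look the Subject up from the access-control context. */
    static Subject currentSubject() {
        AccessControlContext acc = AccessController.getContext();
        return Subject.getSubject(acc);
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal("alice")); // constructed user
        subject.setReadOnly();
        // Outside Subject.doAs() the JAAS lookup finds no Subject: the non-portable path.
        System.out.println("outside doAs: " + currentSubject());
        // Inside Subject.doAs(), as a JAAS-based runtime would dispatch the request.
        Subject.doAs(subject, (PrivilegedAction<Void>) () -> {
            Subject s = currentSubject();
            SecurityContext sc = fromSubject(s, true);
            System.out.println("inside doAs: " + sc.getUserPrincipal().getName());
            return null;
        });
    }
}
```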