users@jax-rs-spec.java.net

[jax-rs-spec users] JAAS API in JAX-RS services

From: Sergey Beryozkin <sberyozkin_at_talend.com>
Date: Wed, 21 Jan 2015 11:46:40 +0000

Hi

We have some users keen on using JAAS API in their JAX-RS Services:

import java.security.AccessControlContext;
import java.security.AccessController;
import javax.security.auth.Subject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;

@GET
@Path("/jaas")
public Response get() {
    AccessControlContext acc = AccessController.getContext();
    // null unless the runtime is executing this request inside Subject.doAs()
    Subject subject = Subject.getSubject(acc);
    // do something with Subject
    return Response.ok().build();
}

The above works assuming the container/runtime has used JAAS to
authenticate a user and continued the execution with Subject.doAs().

My response was:
- JAX-RS SecurityContext has to be used and it is the job of the
runtime, if JAAS is used, to ensure a user principal is extracted from
Subject into JAX-RS SecurityContext.
- JAAS is only one of possible ways to authenticate hence the above code
is not guaranteed to be portable.

I wonder, should the spec have some position about the services trying
to access an authenticated Subject? Something along these lines: "if
the runtime uses JAAS then it has to guarantee Subject.getSubject works;
the portability of this code might be affected if a non-JAAS solution is
used to authenticate"...
I'm still thinking using SecurityContext is the best option for most
services, but Subject.doAs can be a pretty useful mechanism to get a
security context propagated down to JAAS-aware service dependencies, so
perhaps there's some scope here to support it...

Sergey
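The bridge the mail describes (the runtime extracting the user principal from the JAAS Subject into the JAX-RS SecurityContext, so that services only read SecurityContext) as an added example, not code from the mail or from any particular runtime. It assumes a JAX-RS 2.0 ContainerRequestFilter that runs after the container has authenticated with JAAS and entered Subject.doAs(); the class name, the "first principal is the user" rule and the "roles are extra principals" convention are assumptions.

```java
import java.security.AccessController;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

// Added example (hypothetical name): copies the JAAS Subject established by the
// runtime via Subject.doAs() into the JAX-RS SecurityContext, so resource methods
// only ever read SecurityContext and stay portable to non-JAAS runtimes.
@Provider
@PreMatching
public class JaasSecurityContextFilter implements ContainerRequestFilter {

    @Override
    public void filter(final ContainerRequestContext ctx) {
        // Subject.getSubject() is null when no doAs() frame is on this thread,
        // e.g. when the container authenticated the caller by non-JAAS means.
        final Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null || subject.getPrincipals().isEmpty()) {
            return; // keep whatever SecurityContext the runtime already installed
        }
        // Assumption: the first principal is the user; a real runtime would pick
        // it by type (its own user-principal class) rather than by position.
        final Principal user = subject.getPrincipals().iterator().next();
        final SecurityContext original = ctx.getSecurityContext();

        ctx.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() { return user; }

            // Assumption: roles are carried as further Principals named after the role.
            @Override public boolean isUserInRole(String role) {
                for (Principal p : subject.getPrincipals()) {
                    if (p != user && role.equals(p.getName())) return true;
                }
                return false;
            }

            // Transport facts are not changed by the identity bridge; delegate them.
            @Override public boolean isSecure() {
                return original != null && original.isSecure();
            }
            @Override public String getAuthenticationScheme() {
                return original == null ? null : original.getAuthenticationScheme();
            }
        });
    }
}
```

A resource can then inject SecurityContext with @Context and call getUserPrincipal() without touching the JAAS API, which is the portable form of the get() method above.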