Hi
On 21/01/15 12:20, arjan tijms wrote:
> Hi,
>
> On Wed, Jan 21, 2015 at 12:46 PM, Sergey Beryozkin
> <sberyozkin_at_talend.com <mailto:sberyozkin_at_talend.com>> wrote:
>
> I wonder, should the spec have some position about the services
> trying to access an authenticated Subject ? Something along these
> lines: "if the runtime uses JAAS then it has to guarantee
> Subject.getSubject works; the portability of this code might be
> affected if non-JAAS solution is used to authenticate"...
>
>
> In case of a full Java EE server (i.e. unfortunately excluding the web
> profile and especially excluding a bare Servlet container), the
> following has to be supported, even when the actual authentication
> mechanism did not use JAAS:
>
> Subject subject = (Subject)
> PolicyContext.getContext("javax.security.auth.Subject.container");
>
I guess such a property might be optionally set by JAX-RS runtimes and
possibly accessed via a would be mechanism for accessing the request
properties inside the service implementation.
> (see
> http://arjan-tijms.omnifaces.org/2014/03/implementing-container-authorization-in.html)
>
> Also note that JAAS is probably not the universal standard you may think
> it is.
If you re-read my email you will see I actually expressed the concern
about the explicit use of JAAS API, why do you assume I may have such an
opinion ?
> Where it concerns the container proprietary mechanisms (i.e.
> anything that's not JASPIC), it's usually something -based- on JAAS.
> Specifically, the Principals that are stored within a Subject are not
> standardized in any way (see
> http://arjan-tijms.omnifaces.org/2014/02/jaas-in-java-ee-is-not-universal.html)
>
> I'm still thinking using SecurityContext is the best option for most
> services, but Subject.doAs can be a pretty useful mechanism to get a
> security context propagated down to JAAS-aware service dependencies,
> so perhaps there's some scope here to support it...
>
>
> Subject.doAs has a lot of side-effects and caveats. It's not really ideal.
>
> But getting the "whole chain" of security streamlined in Java EE is
> something that the Security API JSR should really take a look at.
Sounds good
> Since
> this is something that's obviously applicable for many (almost all I'd
> say) specs in Java EE, it would probably be best to solve this
> universally (platform wide).
>
Sure. In the end of the day I reckon it might help the interested JAX-RS
users if there was some text adding some clarity and possibly some kind
of API support for accessing Subject if it will be accepted to be
relevant...
Sergey
> Kind regards,
> Arjan Tijms
>
>
>
>
> Sergey
>
>