[jax-rs-spec users] Re: JAAS API in JAX-RS services

From: Sergey Beryozkin <>
Date: Wed, 21 Jan 2015 13:02:19 +0000

On 21/01/15 12:20, arjan tijms wrote:
> Hi,
> On Wed, Jan 21, 2015 at 12:46 PM, Sergey Beryozkin
> < <>> wrote:
> I wonder, should the spec have some position about the services
> trying to access an authenticated Subject ? Something along these
> lines: "if the runtime uses JAAS then it has to guarantee
> Subject.getSubject works; the portability of this code might be
> affected if non-JAAS solution is used to authenticate"...
> In case of a full Java EE server (i.e. unfortunately excluding the web
> profile and especially excluding a bare Servlet container), the
> following has to be supported, even when the actual authentication
> mechanism did not use JAAS:
> Subject subject = (Subject)
> PolicyContext.getContext("");

I guess such a property might be optionally set by JAX-RS runtimes and
possibly accessed via a would be mechanism for accessing the request
properties inside the service implementation.

> (see
> Also note that JAAS is probably not the universal standard you may think
> it is.

If you re-read my email you will see I actually expressed the concern
about the explicit use of JAAS API, why do you assume I may have such an
opinion ?

> Where it concerns the container proprietary mechanisms (i.e.
> anything that's not JASPIC), it's usually something -based- on JAAS.
> Specifically, the Principals that are stored within a Subject are not
> standardized in any way (see
> I'm still thinking using SecurityContext is the best option for most
> services, but Subject.doAs can be a pretty useful mechanism to get a
> security context propagated down to JAAS-aware service dependencies,
> so perhaps there's some scope here to support it...
> Subject.doAs has a lot of side-effects and caveats. It's not really ideal.
> But getting the "whole chain" of security streamlined in Java EE is
> something that the Security API JSR should really take a look at.
Sounds good
> Since
> this is something that's obviously applicable for many (almost all I'd
> say) specs in Java EE, it would probably be best to solve this
> universally (platform wide).
Sure. In the end of the day I reckon it might help the interested JAX-RS
users if there was some text adding some clarity and possibly some kind
of API support for accessing Subject if it will be accepted to be

> Kind regards,
> Arjan Tijms
> Sergey