Thursday, August 14, 2008

JAAS authentication integration with Containers

Developers often write custom JAAS login modules. Upon successful authentication, the LoginContext.getSubject API returns an authenticated Subject. The LoginModule does not automatically make the Java EE container aware of this Subject. So if you need to invoke the isUserInRole or isCallerInRole API and have it evaluated against the Subject created by the LoginContext, you must assert the Subject into the container, which basically means associating the Subject with the current thread serving the request. Once you do that, your programmatic login is integrated with the container. On OC4J the API to do this is Security.setSubject; on WLS the equivalent is Security.runAs, which takes a Subject and a PrivilegedAction.
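The WLS side of this, as an added example rather than code from the post: a LoginContext login followed by weblogic.security.Security.runAs, so that isUserInRole inside the PrivilegedAction is evaluated against the freshly authenticated Subject. The JAAS configuration entry name "MyAppLogin" and the role name "admin" are assumed.

```java
import java.security.PrivilegedAction;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import weblogic.security.Security;

public class ContainerAwareLogin {

    // "MyAppLogin" (JAAS config entry) and "admin" (role) are assumed names.
    public static boolean loginAndCheckRole(final HttpServletRequest request,
                                            final String user, final char[] password)
            throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        LoginContext lc = new LoginContext("MyAppLogin", handler);
        lc.login();                         // runs the configured LoginModule(s)
        Subject subject = lc.getSubject();  // authenticated, but not yet known to the container
        Arrays.fill(password, '\0');        // drop the cleartext copy as soon as login is done

        // Without runAs, isUserInRole is evaluated against whatever identity the container
        // already associated with this thread (typically anonymous), not against this Subject.
        // WLS runAs returns Object, hence the cast.
        Boolean inRole = (Boolean) Security.runAs(subject, new PrivilegedAction<Boolean>() {
            public Boolean run() {
                return request.isUserInRole("admin");
            }
        });
        return inRole;
    }
}
```

The container's role mapper only sees the principals carried by the Subject, so a Subject built by a custom LoginModule must contain principal types the server recognizes (on WLS, WLSUser/WLSGroup), otherwise isUserInRole still returns false even inside runAs.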