Bug 46011

Summary: Cannot access to Principal via Subject.getSubject(AccessController.getContext())
Product: Tomcat 6
Reporter: tsveg1 <tsveg1>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: major
CC: digolo
Priority: P2
Version: 6.0.18
Target Milestone: default
Hardware: PC
OS: All
Attachments: a patch for the problem

Description tsveg1 2008-10-15 02:56:56 UTC
Cannot access the Principal via Subject.getSubject(AccessController.getContext()).

The problem is that in the method internalDoFilter of ApplicationFilterChain, in the call of the filter chain, the code determines the Principal but doesn't use it:

                if( Globals.IS_SECURITY_ENABLED ) {
                    final ServletRequest req = request;
                    final ServletResponse res = response;
                    Principal principal = 
                        ((HttpServletRequest) req).getUserPrincipal();

                    Object[] args = new Object[]{req, res, this};
                    SecurityUtil.doAsPrivilege
                        ("doFilter", filter, classType, args);
                    
                    args = null;
                } else {  

In this manner SecurityUtil.doAsPrivilege will be called with Principal == null, and the method execute creates a Subject with no Principals.
It then calls Subject.doAsPrivileged(subject, pea, null); and this does not propagate Principals. I obtain a Subject without Principals when calling Subject.getSubject(AccessController.getContext()).

In the attachment we send our solution.
Comment 1 tsveg1 2008-10-15 02:57:50 UTC
Created attachment 22731
a patch for the problem
Comment 2 Mark Thomas 2008-11-05 08:19:58 UTC
Many thanks for the patch. This has been committed to trunk and proposed for 6.0.19.
Comment 3 Mark Thomas 2008-11-30 15:25:36 UTC
This has been applied to 6.0.x and will be in 6.0.19 onwards. Thanks again for the patch.
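
The behaviour described in this report can be reproduced outside Tomcat with the JAAS calls it names. The following is an added example, not code from Tomcat or from the attached patch: the class `SubjectPropagationDemo`, the helpers `runAs` and `visiblePrincipals`, the `UserPrincipal` type and the user name are hypothetical, and it assumes a JDK on which `Subject.getSubject` and `AccessController` are still functional (for example Java 8 or 11).

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;

// Added illustration, not Tomcat code. Class, method and user names are hypothetical.
public class SubjectPropagationDemo {

    // Minimal Principal standing in for the authenticated user of a request.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    // Stand-in for the wrapper described in the report: build a Subject, add the
    // Principal only when one was handed in, then run the action under that Subject.
    static <T> T runAs(Principal principal, PrivilegedAction<T> action) {
        Subject subject = new Subject();
        if (principal != null) {
            subject.getPrincipals().add(principal);
        }
        return Subject.doAsPrivileged(subject, action, null);
    }

    // What code inside a filter or servlet sees when it asks for the current Subject.
    static Set<Principal> visiblePrincipals() {
        Subject current = Subject.getSubject(AccessController.getContext());
        return current == null ? null : current.getPrincipals();
    }

    public static void main(String[] args) {
        Principal user = new UserPrincipal("alice"); // constructed sample value

        // Reported behaviour: the Principal is looked up but never passed on.
        Set<Principal> dropped = runAs(null, SubjectPropagationDemo::visiblePrincipals);
        // Expected behaviour: the Principal travels with the Subject.
        Set<Principal> passed = runAs(user, SubjectPropagationDemo::visiblePrincipals);

        System.out.println("principal not passed: " + dropped);
        System.out.println("principal passed:     " + passed);
    }
}
```

Application code that makes authorization decisions from the JAAS Subject should treat an empty principal set as unauthenticated rather than assume a Subject always carries the caller's identity.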