
JAAS Authorisation Problem - Exception raised when attempting Subject.doAsPrivileged


Martin McCloud

Feb 27, 2002, 10:16:03 AM

We are trying to use JAAS for authentication and authorisation with Weblogic 6.1.

For our prototype system we created a set of class files: the action we wanted
to protect, the permission for that action, a principal to grant the permission
to a user, the Login module to authenticate our user and the Callback handler.
We also wrote a servlet to take a user's username and password from a webpage
form, use these to authenticate the user and then execute the protected action
with the authenticated user's subject. The significant code for this servlet is
shown below:

import java.io.IOException;
import java.io.PrintWriter;
import java.security.PrivilegedAction;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyServlet extends HttpServlet {

    public MyServlet() {
    }

    protected void doPost(HttpServletRequest request,
                          HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out = response.getWriter();
        printTop(out);              // page header/footer helpers are not shown in this post
        printMiddle(request, out);
        printBottom(out);
        out.close();
    }

    private static int printMiddle(HttpServletRequest req,
                                   PrintWriter out) {
        String form_usr = req.getParameter("username");
        String form_pwd = req.getParameter("password");

        LoginContext lc = null;
        // Set our configuration policy file and create the
        // LoginContext; the username and password from the
        // form are passed into the CallbackHandler
        try {
            Properties property = new Properties(System.getProperties());
            property.put("weblogic.security.jaas.Policy",
                         "login_jaas.policy");
            System.setProperties(property);

            lc = new LoginContext("Prototype",
                                  new MyCallbackHandler(form_usr, form_pwd));
        }
        catch (Exception e) { return (-1); }

        // Attempt authentication. If no exception is raised then
        // authentication succeeded
        try {
            lc.login();
        }
        catch (Exception e) { return (-1); }

        // Authentication succeeded! Now try to execute the
        // SecretWordAction as the authenticated Subject.

        Subject mySubject = lc.getSubject();
        PrivilegedAction action = new SecretWordAction();
        String secret = "";
        try {
            secret = (String) Subject.doAsPrivileged(mySubject,
                                                     action,
                                                     null);
        }
        catch (Exception e) { return (-1); }

        return (0);
    }
}

For authentication, we implemented our own LoginModule and, taking the SampleClient.java
example code as reference, programmatically specified our login configuration file
in the weblogic.security.jaas.Policy property. So when our LoginContext is created
and LoginContext.login() is called, our LoginModule authenticates the user. Testing
the Subject for our LoginContext before and after the call to LoginContext.login()
showed that the authentication process had given our Subject the set of Principals
we required.
So far so good, onto Authorisation.

To run the protected method we obtained the authenticated subject from the LoginContext
with:
Subject mySubject = lc.getSubject();

and created an instance of the method we wanted to execute
PrivilegedAction action = new SecretWordAction();

to call the protected method we used:
Subject.doAsPrivileged(mySubject, action, null);

and we were given the following error:

java.lang.NullPointerException: AccessControlContext
at javax.security.auth.Subject.doAsPrivileged(Subject.java:140)
at MyServlet.printMiddle(MyServlet.java:193)


Can anyone suggest why this Exception is raised and suggest a solution to our
authorisation problem?
Thanks in advance,
Martin Mc


Utpal

Feb 27, 2002, 1:58:50 PM

> to call the protected method we used:
> Subject.doAsPrivileged(mySubject, action, null);
> and we were given the following error:
>
> java.lang.NullPointerException: AccessControlContext
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:140)
> at MyServlet.printMiddle(MyServlet.java:193)

According to the javax API,
This method behaves exactly as Subject.doAs, except that instead of
retrieving the current Thread's AccessControlContext, it uses the provided
AccessControlContext. If the provided AccessControlContext is null, this
method instantiates a new AccessControlContext with an empty collection of
ProtectionDomains.

It should allow you to pass "null".
I know it sounds stupid but :-) Could you please try,
AccessControlContext acc = null;
Subject.doAsPrivileged(mySubject, action, acc);
-utpal

Martin McCloud

Feb 28, 2002, 5:36:39 AM

Thanks for the suggestion Utpal. We tried it but still got the
same NullPointerException error as before. We also tried
creating our own AccessControlContext object and passing that
into the doAsPrivileged() call:
AccessControlContext acc = AccessController.getContext();
Subject.doAsPrivileged(mySubject, action, acc);

This too didn't work; it raised a different exception:

java.lang.SecurityException: Method Not Supported
at javax.security.auth.Subject.doAsPrivileged(Subject.java:142)
at MyServlet.printMiddle(MyServlet.java:262)

which we assume has something to do with Weblogic's version of
the JAAS classes being incompatible with Sun's JAAS 1.0
implementation.
Would this be a reasonable assumption? Is there any way we could work around this
and get JAAS authorisation to work properly?

Martin

David Gaertner

Mar 7, 2002, 3:19:25 AM
Hi,

WL has its own implementation of the Subject class, and this class does not support the
functionality of the doAsPrivileged method.

    // WebLogic's doAsPrivileged(): every path throws
    if (subject == null)
        throw new NullPointerException("Subject");
    if (privilegedaction == null)
        throw new NullPointerException("PrivilegedAction");
    if (accesscontrolcontext == null)
        throw new NullPointerException("AccessControlContext");
    else
        throw new SecurityException("Method Not Supported");

Somewhere in the manuals it says that authorization with JAAS is not supported.
The only solution is to try this with the standard implementation.

David
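As an added example, not code from the thread or from WebLogic, this is the same flow on the standard JAAS implementation: a constructed in-memory LoginModule that accepts one sample user, a CallbackHandler fed from form credentials, a login Configuration supplied in code rather than a policy file, and a protected action that reads the Subject bound to its AccessControlContext and authorises on its Principals. The class, user and password are made up for the demo; on JDK 18 and later doAsPrivileged and getSubject are deprecated, and from JDK 23 Subject.getSubject needs a JVM where a Security Manager is allowed.

```java
import java.io.IOException;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class JaasDemo {
    // Constructed sample credentials; a real module would consult a directory or database.
    static final String USER = "alice"; static final char[] PASS = "secret".toCharArray();
    // Minimal LoginModule: pulls name/password from the CallbackHandler, adds a Principal on commit.
    public static class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> o) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: "); PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            boolean ok = USER.equals(nc.getName()) && Arrays.equals(PASS, pc.getPassword()); pc.clearPassword();
            if (!ok) throw new FailedLoginException("bad credentials");   // REQUIRED module: whole login fails
            return true;
        }
        public boolean commit() { subject.getPrincipals().add((Principal) () -> USER); return true; }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    // Programmatic stand-in for the "Prototype" entry of the login configuration file used in the thread.
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<>()) };
        }
    };
    // Feeds the form credentials into the callbacks, the role MyCallbackHandler plays in the post.
    static CallbackHandler formHandler(String user, char[] pwd) {
        return cbs -> { for (Callback cb : cbs) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pwd);
            else throw new UnsupportedCallbackException(cb); } };
    }
    // Authenticate, then run the protected action with the authenticated Subject bound to its context.
    public static String runProtected(String user, char[] pwd) throws LoginException {
        LoginContext lc = new LoginContext("Prototype", null, formHandler(user, pwd), CONFIG);
        lc.login();                                   // throws LoginException if the module rejects the user
        PrivilegedAction<String> action = () -> {     // the "SecretWordAction" of the post, inlined
            Subject s = Subject.getSubject(AccessController.getContext());   // Subject bound to this action
            if (s != null && s.getPrincipals().stream().anyMatch(p -> USER.equals(p.getName()))) return "the secret word";
            throw new SecurityException("Subject lacks the required principal");
        };
        return Subject.doAsPrivileged(lc.getSubject(), action, null);   // null -> new, empty AccessControlContext
    }
}
```

Calling runProtected("alice", "secret".toCharArray()) returns the secret word; a wrong password fails in lc.login() with a LoginException before the action ever runs.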