Hi,

I'm running tomcat 5 with -security option and I'm using JAAS login module.
In the jsp pages in first request after I have identified my self Subject is null.
When I hit refresh (second request) Subject is correct subject with principals etc.
But after that in all requests Subject is empty, no principals etc.

I use follwing code to get Subject:
AccessControlContext acc = AccessController.getContext();
Subject sub = Subject.getSubject(acc);

I checked tomcat src code that it uses javax.security.auth.subject attribute to store Subject in session.
CoyoteRequest.java

  public void setUserPrincipal(Principal principal) {

    if (System.getSecurityManager() != null){
       HttpSession session = getSession(false);
       if ( (subject != null) &&
          (!subject.getPrincipals().contains(principal)) ){
          subject.getPrincipals().add(principal);      
       } else if (session != null &&
               session.getAttribute(Globals.SUBJECT_ATTR) == null) {
          subject = new Subject();
          subject.getPrincipals().add(principal);      
       }
       if (session != null){
          session.setAttribute(Globals.SUBJECT_ATTR, subject);
       }
    }

    this.userPrincipal = principal;
  }

I guess that session.getAttribute(Globals.SUBJECT_ATTR) is somehow null after second request..
Any ideas what is causing this and how can I fix it?



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
For additional commands, e-mail: tomcat-user-help@(protected)