Shibboleth SP with Tomcat. How to use <security-constraints>

Brent Putman putmanb at
Tue Nov 1 19:46:58 GMT 2011

On 11/1/11 7:10 AM, Luis Rodríguez Fernández wrote:

>        httpReq.getSession().setAttribute("",
> subject);

Do you know for a fact that your container implements the Servlet spec
declarative security model in such a manner that inserting a JAAS
subject into the session as a session attribute as you do above results
in those principals being evaluated as roles in the declarative security
model?  I personally wasn't aware that that was how it was typically
done.... I was instead under the impression that you would need to
create an HttpServletRequestWrapper and populate it with data such that
it returns the right results for
HttpServletRequest#isUserInRole(String).  You then forward the wrapper
instead of the original request in the filterChain.doFilter.

Maybe your way works also, I've just never seen that done.
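
The wrapper approach described in the reply above, as an added example that is not part of the original post or the Shibboleth project's code: a filter reads a JAAS Subject from the session, wraps the request so that isUserInRole(String) answers from the Subject's principals, and forwards the wrapper in filterChain.doFilter. The attribute name `example.subject`, the `RolePrincipal` type and the rule that every `RolePrincipal` name is a role are assumptions made for illustration.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;

public class SubjectRoleFilter implements Filter {
    // Hypothetical attribute name; the name used in the original post is not shown.
    static final String SUBJECT_ATTR = "example.subject";

    /** Hypothetical principal type: each instance in the Subject names one role. */
    public static class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Request wrapper that answers the role and identity questions from the Subject. */
    static class RoleRequest extends HttpServletRequestWrapper {
        private final Principal user;
        private final Set<String> roles;
        RoleRequest(HttpServletRequest req, Principal user, Set<String> roles) {
            super(req); this.user = user; this.roles = roles;
        }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        @Override public Principal getUserPrincipal() { return user; }
        @Override public String getRemoteUser() { return user == null ? null : user.getName(); }
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);   // never create a session just to look
        Object attr = session == null ? null : session.getAttribute(SUBJECT_ATTR);
        // No Subject in the session: pass the request through unwrapped, granting nothing.
        if (!(attr instanceof Subject)) { chain.doFilter(req, res); return; }
        Set<String> roles = new HashSet<String>();
        Principal user = null;
        for (Principal p : ((Subject) attr).getPrincipals()) {
            if (p instanceof RolePrincipal) roles.add(p.getName());
            else if (user == null) user = p;             // first non-role principal is the user
        }
        chain.doFilter(new RoleRequest(http, user, roles), res);  // forward the wrapper
    }
}
```

In Tomcat the container evaluates web.xml security constraints before the filter chain runs, so this wrapper changes what downstream filters and servlets get from isUserInRole and getUserPrincipal, not the container's own constraint check.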
