
How to use a Custom Principal in a custom security realm (Glassfish)?

I followed the instructions to create a custom security realm for my glassfish. It all works fine, users are authenticated correctly. The problem, however, is the following:

  • The user credentials are encrypted in a string
  • The realm decrypts this string and performs the authentication against a database (works)
  • Instead of using the decrypted values as principal in the securityContext the encrypted String is passed.

I already tried to override the commit() method to replace the _userPrincipal or attach my own implementation using getSubject().getPrincipals().add(new PrincipalImpl("user")). Neither was working as expected. Basically the question is as simple as this: How can I set my own principal in a custom security realm in glassfish in a way which makes it possible to use it together with an injected securityContext?

My environment:

  • Glassfish 3.1.2.2 (Build 5) Full Profile
  • The application running behind the authentication is a JAX-RS 1.1 based application
  • The SecurityContext is obtained using injection
Kai asked Apr 02 '13 16:04


1 Answer

I already tried to override the commit() method to replace the _userPrincipal or attach my own implementation using getSubject().getPrincipals().add(new PrincipalImpl("user")). Neither was working as expected.

What kind of error(s) do you get?

Regardless, I think your issue lies in the third step of this process. SecurityContext only defines BASIC_AUTH, FORM_AUTH, CLIENT_CERT_AUTH, DIGEST_AUTH as AuthenticationScheme, so perhaps SecurityContext cannot see your implementation of your security scheme or type. But you can try these steps and I hope they work for you.

A- Implement a Java Authentication and Authorization Service (JAAS) LoginModule or extend com.sun.appserv.security.AppservPasswordLoginModule

import javax.security.auth.login.LoginException;
import com.sun.appserv.security.AppservPasswordLoginModule;

public class MyLoginModule extends AppservPasswordLoginModule {

    @Override
    protected void authenticateUser() throws LoginException {
        // _username and _password are filled in by the base class from the JAAS callbacks
        if (!authenticate(_username, _password)) {
            // Login fails
            throw new LoginException("LoginFailed");
        }
        String[] myGroups = getGroupNames(_username);
        // Marks the login as successful and records the groups that commit() will attach
        commitUserAuthentication(myGroups);
    }

    private boolean authenticate(String username, String password) {
        /*
         * Check the credentials against the authentication source; return true if
         * authenticated, false otherwise. (Placeholder: accepts everything.)
         */
        return true;
    }

    private String[] getGroupNames(String username) {
        // Return the list of groups this user belongs to. (Placeholder: no groups.)
        return new String[0];
    }
}

B- Implementing your realm class.

import java.util.Properties;
import com.sun.appserv.security.AppservRealm;
import com.sun.enterprise.security.auth.realm.BadRealmException;
import com.sun.enterprise.security.auth.realm.NoSuchRealmException;

public class MyRealm extends AppservRealm {

    @Override
    public void init(Properties props)
            throws BadRealmException, NoSuchRealmException {
        // Here you initialize the realm (read its configured properties, open resources, etc.)
    }

    @Override
    public String getAuthType() {
        return "Custom Realm";
    }
}

C- Installing and configuring the realm and LoginModule into the server.

For this you need to look at JSR 196 and write your own SAM by implementing javax.security.auth.message.module.ServerAuthModule. Take a look at the link below: https://blogs.oracle.com/enterprisetechtips/entry/adding_authentication_mechanisms_to_the

jax answered Oct 13 '22 18:10
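Since the answer's step C points at JSR 196, here is an added worked example (it is not part of the question or the answer, and not GlassFish's own code) of a ServerAuthModule that takes the combined credential string from the request, decrypts and checks it, and then installs a custom Principal through CallerPrincipalCallback. That callback is the JASPIC way to tell the container which principal the caller is, so an injected SecurityContext sees the decrypted user name rather than the raw encrypted string. The header name X-Credential, the base64 "user:password" stand-in for the real decryption routine, and the in-memory user table are assumptions; the SAM still has to be registered for the application (in GlassFish via the httpservlet-security-provider attribute of glassfish-web.xml), which is not shown here.

```java
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.DatatypeConverter;

public class DecryptingServerAuthModule implements ServerAuthModule {

    // The principal handed to the container; SecurityContext.getUserPrincipal()
    // returns this object, so its name is the decrypted user name, not the raw token.
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    private static final Charset UTF8 = Charset.forName("UTF-8");
    private static final String CREDENTIAL_HEADER = "X-Credential"; // assumed header name
    // Constructed in-memory store standing in for the database: user -> {password, groups...}
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static {
        USERS.put("alice", new String[] {"s3cret", "users", "admins"});
        USERS.put("bob", new String[] {"hunter2", "users"});
    }
    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler; // container-supplied handler that installs principals
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] {HttpServletRequest.class, HttpServletResponse.class};
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        String[] userAndPassword = decryptCredential(request.getHeader(CREDENTIAL_HEADER));
        String[] record = userAndPassword == null ? null : USERS.get(userAndPassword[0]);
        if (record == null || !constantTimeEquals(record[0], userAndPassword[1])) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE; // no principal is established for the request
        }
        String[] groups = new String[record.length - 1];
        System.arraycopy(record, 1, groups, 0, groups.length);
        try {
            // This is the step that sets the caller principal the container will expose.
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, new UserPrincipal(userAndPassword[0])),
                new GroupPrincipalCallback(clientSubject, groups)});
        } catch (Exception e) {
            throw (AuthException) new AuthException("callback failed").initCause(e);
        }
        return AuthStatus.SUCCESS;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        subject.getPrincipals().clear();
    }

    // Stand-in for the real decryption: the token is assumed to be base64("user:password").
    // Replace with the realm's actual decryption routine; returns null for malformed input.
    static String[] decryptCredential(String token) {
        if (token == null) return null;
        try {
            String plain = new String(DatatypeConverter.parseBase64Binary(token), UTF8);
            int colon = plain.indexOf(':');
            if (colon <= 0 || colon == plain.length() - 1) return null;
            return new String[] {plain.substring(0, colon), plain.substring(colon + 1)};
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    // Length-independent comparison so timing does not leak how much of the password matched.
    static boolean constantTimeEquals(String expected, String actual) {
        return MessageDigest.isEqual(expected.getBytes(UTF8), actual.getBytes(UTF8));
    }
}
```

Two design points worth noting. A malformed or missing credential is rejected with SEND_FAILURE before any callback runs, so the container never ends up with a half-built subject; and the groups are passed through GroupPrincipalCallback rather than added to the Subject by hand, which is what lets the usual role mapping and isUserInRole() checks keep working with the custom principal.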