i knew that and it works, but I need to retrieve subject to get also roleprincipal

不幸的是,它在Java EE中的工作方式不同. JAAS主題只是一個“主要包”,其中哪些代表用戶/調用者主體和/或角色主體根本不是標準化的.每個其他容器在這里做不同的事情. Javadoc for Tomcat’s JAASRealm描述了這一點并解釋了Tomcat特定約定(強調我的)：

The JAAS Specification describes the result of a successful login as a

javax.security.auth.Subject instance, which can contain zero or more

java.security.Principal objects in the return value of the

Subject.getPrincipals() method. However, it provides no guidance on

how to distinguish Principals that describe the individual user (and

are thus appropriate to return as the value of

request.getUserPrincipal() in a web application) from the Principal(s)

that describe the authorized roles for this user. To maintain as much

independence as possible from the underlying LoginMethod

implementation executed by JAAS, the following policy is implemented

by this Realm: […]

除此之外,從Java EE環境中,您甚至很少能夠訪問JAAS主題,甚至通常不會通過供應商特定的方法. JAAS遠不是您認為的通用標準,特別是當它涉及Java EE時.

您可以以可移植方式訪問的唯一內容是調用者主體和與之關聯的角色,但即使這些內容也不一定是您的JAAS登錄模塊構造的確切調用者主體.

例如,JBoss AS使用自己的類復制此主體幾次.因此,如果您的JAAS模塊將kaz.zak.FooPrincipal存儲到用戶/調用者主體的Subject中,則HttpServletRequest#getUserPrincipal()可能會返回org.jboss.security.SimplePrincipal.唯一保證的是該實例上的getName()將返回相同的字符串.

有關此主題的更多背景知識：

最后一個來源基本上用不同的措辭說同樣的事情;

Although it is possible to use JAAS within Tomcat as an authentication

mechanism (JAASRealm), the flexibility of the JAAS framework is lost

once the user is authenticated. This is because the principals are

used to denote the concepts of “user” and “role”, and are no longer

available in the security context in which the webapp is executed. The

result of the authentication is available only through

request.getRemoteUser() and request.isUserInRole().

This reduces the JAAS framework for authorization purposes to a simple user/role system that loses its connection with the Java Security Policy.