Added new session property to hold the Java subject and removed the S…

…ecurityJavaSubjectFilter as it was no longer doing anything (#6584)

platform/platform-paxweb-jettyconfig/src/main/resources/OSGI-INF/blueprint/blueprint.xml

@@ -28,12 +28,6 @@
     </bean>
     <service ref="responseFilter" interface="org.codice.ddf.platform.filter.http.HttpFilter"/>
 
-    <!-- Rank set to Integer.MAX_VALUE so that SecurityJavaSubjectFilter will run first. This gives
-         any global http filters access to the Subject -->
-    <service id="securityJavaSubjectFilter" interface="org.codice.ddf.platform.filter.http.HttpFilter" ranking="2147483647">
-        <bean class="org.codice.ddf.pax.web.jetty.SecurityJavaSubjectFilter"/>
-    </service>
-
     <!-- Rank set to Integer.MIN_VALUE so that DoPrivilegedFilter will run last. This prevents
          security policy permission requirements from leaking up to the global http filters -->
     <service id="doPrivilegedFilter" interface="org.codice.ddf.platform.filter.http.HttpFilter" ranking="-2147483648">

platform/security/filter/security-filter-login/src/main/java/org/codice/ddf/security/filter/login/LoginFilter.java

@@ -69,6 +69,9 @@ protected DocumentBuilder initialValue() {
 
   private static final XMLUtils XML_UTILS = XMLUtils.getInstance();
 
+  // Applications, such as Hawtio, are specifically looking for this property. Do not change it.
+  private static final String JAVA_SUBJECT = "subject";
+
   private SecurityManager securityManager;
 
   private SessionFactory sessionFactory;
@@ -174,6 +177,9 @@ public void doFilter(
                     emptySet,
                     emptySet);
             httpRequest.setAttribute(SecurityConstants.SECURITY_JAVA_SUBJECT, javaSubject);
+            if (contextPolicyManager.getSessionAccess()) {
+              addToSession(httpRequest, javaSubject);
+            }
             javax.security.auth.Subject.doAs(javaSubject, action);
           } else {
             LOGGER.debug("Subject had no security assertion.");
@@ -190,11 +196,8 @@ public void doFilter(
    * @param subject Subject to attach to request
    */
   private void addToSession(HttpServletRequest httpRequest, Subject subject) {
-    if (sessionFactory == null) {
-      throw new SessionException("Unable to store user's session.");
-    }
+    HttpSession session = getSession(httpRequest);
     PrincipalCollection principals = subject.getPrincipals();
-    HttpSession session = sessionFactory.getOrCreateSession(httpRequest);
     PrincipalHolder principalHolder =
         (PrincipalHolder) session.getAttribute(SecurityConstants.SECURITY_TOKEN_KEY);
     PrincipalCollection oldPrincipals = principalHolder.getPrincipals();
@@ -203,6 +206,18 @@ private void addToSession(HttpServletRequest httpRequest, Subject subject) {
     }
   }
 
+  private void addToSession(HttpServletRequest httpRequest, javax.security.auth.Subject subject) {
+    HttpSession session = getSession(httpRequest);
+    session.setAttribute(JAVA_SUBJECT, subject);
+  }
+
+  private HttpSession getSession(HttpServletRequest httpRequest) throws SessionException {
+    if (sessionFactory == null) {
+      throw new SessionException("Unable to store user's session.");
+    }
+    return sessionFactory.getOrCreateSession(httpRequest);
+  }
+
   public void setSecurityManager(SecurityManager securityManager) {
     this.securityManager = securityManager;
   }