I have a legacy webapp that currently authenticates users in a servlet. That is, it calls LoginContext.login() from a servlet.
As part of my upgrades, I'd like to add new web pages that use declarative authentication through the web.xml file. And I want the old web pages to continue using the servlet authentication. Eventually, I'll redo the old web pages to use the new authentication.
However, the new pages don't inherit the authentication done from the servlet. They come up as unauthenticated, without a userPrincipal in the request.
With the existing servlet, I end up with a Subject. Is there any way I can call something so that OC4J will set the user principal from the Subject's one principal?
Found it:
// http://docs.oracle.com/html/E13977_01/authoriz.htm#BABHJJCJ
// oc4jclient.jar, oc4j-unsupported-api.jar
oracle.oc4j.security.Security.setSubject(subject, Longevity.SESSION);