Type: Bug
Resolution: Done
Priority: Critical
Affects Version/s: JBossAS-4.0.1 SP1, JBossAS-4.0.2RC1
None
After the initial login, the JaccAuthorizationRealm always returns false because the PolicyContext handler for the Subject is not yet initialized when the realm is called. To figure out the root of the problem, an understanding of the calling order is necessary.
The standard pipeline is composed of the following valves, in this order:
- JaccContextValve
- FormAuthenticator (the authenticator valve in my case)
- SecurityAssociationValve
- CustomPrincipalValve
- StandardContextValve
The SecurityAssociationValve ends up behind the authenticator valve because of the ordering of the code in TomcatDeployer.performDeployInternal: the authenticator valve is added to the pipeline as a side effect of the init call on the server, and performDeployInternal only adds the SecurityAssociationValve after that init call has returned.
When a request is received by an authenticated user, the authenticator valve obtains control before the SecurityAssociationValve. The authenticator valve calls the JaccAuthorizationRealm for the authorization check. Part of the check is as follows:
    Subject caller = null;
    try
    {
       caller = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
    }
    catch (PolicyContextException e)
    {
       if( trace )
          log.trace("Failed to get subject from PolicyContext", e);
    }
    if( caller == null ) //*** is always true!
    {
       if( trace )
          log.trace("Denied, no active subject found in PolicyContext");
       return false;
    }
The realm expects an initialized caller Subject, but the caller is always null: the SecurityAssociationValve that binds the Subject for the PolicyContext handler does not receive control until the authenticator valve has finished, and by then the authenticator valve has already invoked the realm and returned 403.
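The ordering defect is easiest to see with the pipeline reduced to a model. The following Python is an added example written for this report, not JBoss or Tomcat code: PolicyContext, SecurityAssociation, the valves and the realm's permission check are hypothetical stand-ins with the same call order as above. The request carries a constructed Subject already established by the initial login; with the reported order (authenticator before SecurityAssociationValve) the realm sees no Subject and the request gets 403, while with the SecurityAssociationValve moved in front of the authenticator the same request gets 200.

```python
"""Model of the valve ordering bug: the realm reads the Subject through a
PolicyContext handler that only the SecurityAssociationValve populates."""
import threading
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Key used for the Subject handler (same key JACC uses; the handler is a stand-in).
SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container"


class PolicyContextException(Exception):
    pass


class PolicyContext:
    """Minimal stand-in for javax.security.jacc.PolicyContext (hypothetical)."""
    _handlers: Dict[str, Callable[[], object]] = {}

    @classmethod
    def register_handler(cls, key: str, handler: Callable[[], object]) -> None:
        cls._handlers[key] = handler

    @classmethod
    def get_context(cls, key: str) -> object:
        handler = cls._handlers.get(key)
        if handler is None:
            raise PolicyContextException(f"no handler registered for {key}")
        return handler()


# Stand-in for SecurityAssociation: per-thread state that the valve binds.
_assoc = threading.local()


def subject_handler() -> object:
    # Returns whatever the SecurityAssociationValve bound on this thread, or None.
    return getattr(_assoc, "subject", None)


PolicyContext.register_handler(SUBJECT_CONTEXT_KEY, subject_handler)


@dataclass(frozen=True)
class Subject:
    principal: str
    roles: frozenset


@dataclass
class Request:
    path: str
    session_subject: Optional[Subject]        # Subject cached by the initial login
    trace: List[str] = field(default_factory=list)


class JaccAuthorizationRealm:
    """Mirrors the realm check quoted in the report."""

    def has_resource_permission(self, request: Request) -> bool:
        try:
            caller = PolicyContext.get_context(SUBJECT_CONTEXT_KEY)
        except PolicyContextException:
            caller = None
        if caller is None:
            request.trace.append("Denied, no active subject found in PolicyContext")
            return False
        # Hypothetical permission: the protected path requires the "user" role.
        return "user" in caller.roles


# A valve takes the request and a continuation to the next valve, returns a status.
Next = Callable[[Request], int]


def form_authenticator(realm: JaccAuthorizationRealm):
    def valve(req: Request, next_valve: Next) -> int:
        if req.session_subject is None:
            return 401                      # initial login would happen here
        if not realm.has_resource_permission(req):
            return 403                      # the symptom in the report
        return next_valve(req)
    return valve


def security_association_valve(req: Request, next_valve: Next) -> int:
    _assoc.subject = req.session_subject     # bind Subject for the handler
    try:
        return next_valve(req)
    finally:
        _assoc.subject = None                # clear on the way out


def standard_context_valve(req: Request, next_valve: Next) -> int:
    return 200                               # servlet ran


def run_pipeline(valves, req: Request) -> int:
    def invoke(i: int, r: Request) -> int:
        return valves[i](r, lambda r2: invoke(i + 1, r2))
    return invoke(0, req)


def request_status(security_valve_first: bool) -> int:
    """Status for a request by an already-authenticated user under either ordering."""
    auth = form_authenticator(JaccAuthorizationRealm())
    if security_valve_first:
        valves = [security_association_valve, auth, standard_context_valve]
    else:  # order described in the report
        valves = [auth, security_association_valve, standard_context_valve]
    req = Request("/secure/index.jsp", Subject("alice", frozenset({"user"})))
    return run_pipeline(valves, req)


if __name__ == "__main__":
    print("reported order:", request_status(False))   # 403
    print("security valve first:", request_status(True))  # 200
```

The model also shows why a fix must bind the Subject before the authenticator runs rather than inside the realm: the realm has no request-scoped state of its own and can only observe what the pipeline has already placed in the PolicyContext handler.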
is duplicated by: JBAS-1555 HTTP Status 403 on using org.jboss.web.tomcat.security.JaccAuthorizationRealm (Closed)