Description:

I am trying to let my application retrieve groups from users when application is protected by ASA WebSphere Agent, but I cannot. It seems there is no data.

Solution:

The ASA WebSphere Agent adds a second Principal to the Subject:

"SiteMinder Java Authorization Contract for Containers (JACC) Provider Provides SiteMinder policy-based authorization decisions for requests for Web or EJB resources using credentials in an associated SiteMinder Principal placed in the subject by the SiteMinder TAI or SiteMinder Login Module."

[...]

"If SiteMinder authentication is successful, the SiteMinder TAI populates a JAAS Subject with a SiteMinder Principal that contains the username of the authenticated user and associated SiteMinder session data. Additionally, the SiteMinder TAI propagates the identity of the authenticated user to WebSphere, which then creates its own principal and adds it to the Subject for use by other, non-SiteMinder security modules.

Note: If the SiteMinder TAI is configured to support environments in which the Policy Server and WebSphere have separate user stores, the SiteMinder TAI propagates to WebSphere a mapped user identity that matches an entry in the WebSphere user store."

(Configuration Guide r6.0 CA SiteMinder Agent for IBM WebSphere CR9)

So, if you want to retrieve the Principal added by SiteMinder, you should have in your code to get the Subject and list both Principals.

Reading each of them, then you will find the information that you need.