Web Authentication (Programmatic Web Login)
Author : Anil Saldhana
JIRA Issue: http://jira.jboss.com/jira/browse/JBAS-4077
Availability: JBoss 4.2.0.GA onwards
Original Discussion: http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4012174
Description
Users sometimes want to authenticate against the web container from their web components, e.g. servlets. The new class "org.jboss.web.tomcat.security.login.WebAuthentication" can be used for this purpose.
API Description
Method | Description
public boolean login(X509Certificate[] certs) | Can be used for the CLIENT-CERT scenario
public boolean login(String username, Object credential) | Can be used for the DIGEST, FORM or BASIC scenarios
public void logout() | Logs the user out - disassociates the principal from the request as well as the session
Usage
//Get the user name and password based on some attributes from your FORM post
String username = request.getParameter("username"); //username can be any attribute
String pass = request.getParameter("pass"); //pass can be any attribute
if(username == null || pass == null)
   throw new RuntimeException("username or password is null");

WebAuthentication pwl = new WebAuthentication();
pwl.login(username, pass);

//Only after a web login is the principal visible on the request
log("User Principal="+request.getUserPrincipal());

//Some basic checks to see if the user who just did a programmatic login has the role "AuthorizedUser"
log("isUserInRole(AuthorizedUser)="+request.isUserInRole("AuthorizedUser"));
if(request.getUserPrincipal() == null || !request.isUserInRole("AuthorizedUser"))
   throw new ServletException("User is not authenticated or the isUserInRole check failed");

//Log the user out
pwl.logout();
if(request.getUserPrincipal() != null || request.isUserInRole("AuthorizedUser"))
   throw new ServletException("User is still authenticated or pass: isUserInRole(Authorized User)");
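The snippet above ignores the boolean that login() returns. The following servlet, an added example and not code from the page or from JBoss, uses both API variants: it takes the certificate chain from the standard javax.servlet.request.X509Certificate attribute when the connector negotiated client authentication, otherwise falls back to form fields, and it treats a false return or a missing principal as a failed login. The servlet class name and the role "AuthorizedUser" are assumptions (the role is taken from the snippet above).

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jboss.web.tomcat.security.login.WebAuthentication;

// Hypothetical servlet: CLIENT-CERT login when a certificate chain is present, FORM-style otherwise.
public class ProgrammaticLoginServlet extends HttpServlet {
    private static final String REQUIRED_ROLE = "AuthorizedUser"; // assumed role name

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        WebAuthentication webAuth = new WebAuthentication();
        boolean loggedIn;

        // Standard servlet attribute holding the client certificate chain when the
        // connector negotiated TLS client authentication; null on a plain connection.
        X509Certificate[] certs =
            (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        if (certs != null && certs.length > 0) {
            loggedIn = webAuth.login(certs);
        } else {
            String username = request.getParameter("username");
            String pass = request.getParameter("pass");
            if (username == null || pass == null) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing credentials");
                return;
            }
            loggedIn = webAuth.login(username, pass);
        }

        // login() reports failure through its return value, so check it rather than
        // assuming a principal is now associated with the request.
        if (!loggedIn || request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authentication succeeded; now authorize. A valid user without the role is
        // refused and logged out again so the session carries no principal.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            webAuth.logout();
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        log("User Principal=" + request.getUserPrincipal().getName());
    }
}
```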
Programmatic Single Sign On
Starting with JBoss 4.2.3 an SSO token can be automatically generated when a client is authenticated by the WebAuthentication class. This means that applications that do programmatic authentication are now capable of associating an SSO token with the client's session, allowing their clients to interact with other SSO-enabled applications without the need to re-authenticate. This capability is enabled by the configuration of an SSO valve, as follows:
JBoss 4.2.3 onwards: edit the deploy/jboss-web.deployer/server.xml file and include the ExtendedSingleSignOn valve:
<Valve className="org.jboss.web.tomcat.security.ExtendedSingleSignOn" debug="0"></Valve>
Note: make sure the standard org.apache.catalina.authenticator.SingleSignOn valve is not active, as the ExtendedSingleSignOn valve extends this valve, and thus provides all SSO functionality needed.
JBoss 5.0.0.Beta3 onwards: edit the deployers/jbossweb.deployer/server.xml file and just uncomment the standard SingleSignOn valve:
<!-- Uncomment to enable single sign-on across web apps deployed to this host.
<Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="0"></Valve>
-->
No special valve is needed on JBoss 5.X because some changes were made that allow the WebAuthentication class to delegate SSO behavior directly to the standard SingleSignOn valve.
Needless to say, when a client performs a programmatic logout the SSO token is disassociated from the client's session, just like a regular SSO logout.