3 Replies Latest reply on Dec 20, 2006 7:41 AM by sreeraaman

    Is it possible to access request parameters within custom lo

    sreeraaman

      Hi All,

      I am using FORM Authentication for my application. I am using JBoss 4.0.5 G.A / Seam 1.0.1 G.A.

      It all works fine. Now, I have a new requirement where I need to access request parameters for doing the authentication.

      Currently, inside my login module, from the CallbackHandler, I get only the userName and the password. Is it possible for me to access the request parameters inside my login module?

      I read a couple of posts where they talk about ExtendedFormAuthenticator. However, from what I understand, it only stores the username and optionally the user password after successful authentication.

      Is there any standard callback handler in JBoss which can give us the request parameters for us to use within the LoginModule for the purpose of authentication?

      Thanks in Advance.

      regards
      sriraman.

        • 2. Re: Is it possible to access request parameters within custo
          sreeraaman

          Thanks Scott for those nice links.

          However, my requirement is slightly different and I am a newbie to Tomcat. I enabled ExtendedFormAuthenticator for my application as suggested in one of the links.
          http://wiki.jboss.org/wiki/Wiki.jsp?page=ExtendedFormAuthenticator

          After that, I observed the following output in the server logs:

          2006-12-18 13:40:56,593 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] End authenticate, principal=GenericPrincipal[admin(HiringManagers,Recruiters,)]
          2006-12-18 13:40:56,593 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'admin' was successful
          2006-12-18 13:40:56,593 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Redirecting to original '/SampleWeb/secure/MainMenu.seam?clientIdentifier=Kenexa'
          2006-12-18 13:40:56,593 TRACE [org.jboss.web.tomcat.security.ExtendedFormAuthenticator] SessionID: AE87BB0614F54B452EE2FDE877015D00
          2006-12-18 13:40:56,593 TRACE [org.jboss.web.tomcat.security.ExtendedFormAuthenticator] Setting j_username = admin
          2006-12-18 13:40:56,593 TRACE [org.jboss.web.tomcat.security.ExtendedFormAuthenticator] Setting j_password = --hidden--
          2006-12-18 13:40:56,593 TRACE [org.jboss.web.tomcat.security.ExtendedFormAuthenticator] Setting j_exception = null
          


          I observed that the ExtendedFormAuthenticator has pushed the j_username, j_password & j_exception into the session, which can be used for post login or for error handling.

          However, our requirement is something like this. Our application should support multiple clients with a single code base.

          Each client will have their own LDAP configuration. While trying to authenticate the user, I need to know the client to which the user belongs to appropriately load the correct configuration and authenticate the user.

          We decided to give the client id as part of the request url via a query string so that somehow we can get them inside the login module.

          While browsing the net, I came across a feature in Jetty which allows me to do something like this.

          http://docs.codehaus.org/display/JETTY/JAAS.

          Jetty has a callback called RequestParameterCallback using which I can get this as shown below:

          public class FooLoginModule extends AbstractLoginModule
          {
              // ...

              public boolean login()
                  throws LoginException
              {
                  // ...
                  Callback[] callbacks = new Callback[3];
                  // NameCallback has no no-arg constructor; it needs a prompt string
                  callbacks[0] = new NameCallback("Enter user name");
                  callbacks[1] = new ObjectCallback();

                  // as an example, look for a param named "extrainfo" in the request
                  // use one RequestParameterCallback() instance for each param you want to access
                  callbacks[2] = new RequestParameterCallback();
                  ((RequestParameterCallback) callbacks[2]).setParameterName("extrainfo");
                  // ...
                  callbackHandler.handle(callbacks);
                  String userName = ((NameCallback) callbacks[0]).getName();
                  Object pwd = ((ObjectCallback) callbacks[1]).getObject();
                  List paramValues = ((RequestParameterCallback) callbacks[2]).getParameterValues();

                  // use the userName, pwd and the value(s) of the parameter named "extrainfo" to
                  // authenticate the user
                  // ...
              }
          }
          


          Do we have similar stuff in Tomcat, and if so, can someone please let me know how to do the same?

          Thanks in advance.

          regards
          sriraman.


          • 3. Re: Is it possible to access request parameters within custo
            sreeraaman

            Hi All,

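            I finally figured out how to get the current request object inside my login module.

            The following is the piece of code which would do that:

            import javax.security.jacc.PolicyContext;
            import javax.servlet.http.HttpServletRequest;

            public static final String WEB_REQUEST_KEY = "javax.servlet.http.HttpServletRequest";
            // Inside the login module; getContext() can throw PolicyContextException
            HttpServletRequest request = (HttpServletRequest) PolicyContext.getContext(WEB_REQUEST_KEY);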
            


            regards
            sriraman.
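
The approach from the last reply, as an added example that is not part of the original posts or JBoss's own code: a plain JAAS LoginModule reads the clientIdentifier parameter through PolicyContext, treats it as untrusted input by looking it up in a server-side allowlist, and binds to that client's LDAP. The class name, the DIRECTORIES entries and the uid= DN layout are hypothetical, and it assumes the login form submits clientIdentifier with the j_security_check POST.

```java
import java.io.IOException;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.jacc.*;
import javax.servlet.http.HttpServletRequest;
// Added example. Hypothetical names; DIRECTORIES is a constructed allowlist: client id -> {LDAP URL, base DN}.
public class ClientAwareLoginModule implements LoginModule {
    private static final String WEB_REQUEST_KEY = "javax.servlet.http.HttpServletRequest";
    private static final Map<String, String[]> DIRECTORIES = Map.of(
        "acme", new String[] {"ldaps://ldap.acme.example:636", "ou=people,dc=acme,dc=example"});
    private Subject subject;
    private CallbackHandler handler;
    private String user;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("Username: ");
        PasswordCallback pwd = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] {name, pwd});
            HttpServletRequest req = (HttpServletRequest) PolicyContext.getContext(WEB_REQUEST_KEY);
            String clientId = (req == null) ? null : req.getParameter("clientIdentifier");
            // The parameter only selects an allowlisted entry; it never becomes part of a URL or DN.
            String[] dir = (clientId == null) ? null : DIRECTORIES.get(clientId);
            char[] pw = pwd.getPassword();
            // Reject unknown clients and empty passwords (an empty simple bind is anonymous).
            if (dir == null || name.getName() == null || pw == null || pw.length == 0)
                throw new FailedLoginException("Unknown client or missing credentials");
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, dir[0]);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "uid=" + Rdn.escapeValue(name.getName()) + "," + dir[1]);
            env.put(Context.SECURITY_CREDENTIALS, new String(pw));
            new InitialDirContext(env).close(); // a successful bind proves the password
            user = name.getName();
            return true;
        } catch (NamingException | IOException | UnsupportedCallbackException | PolicyContextException e) {
            throw new FailedLoginException("Login failed: " + e.getClass().getSimpleName());
        } finally { pwd.clearPassword(); }
    }
    // Minimal user principal only; container-specific role principals are not populated here.
    public boolean commit() { final String n = user; return n != null && subject.getPrincipals().add(() -> n); }
    public boolean abort() { user = null; return true; }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p.getName().equals(user)); user = null; return true; }
}
```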