9 Replies Latest reply on Jun 17, 2003 9:43 AM by sradford

    Example of a servlet based login via JAAS

    jbrell

      Can someone post an example of a servlet login to JAAS using a form based userid and password?

      Thanks,

      Jack

        • 1. Re: Example of a servlet based login via JAAS
          dhinojosa

          The answer you will get is that you don't do it through code. You do it through your web.xml with entries like this:

          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Employee Protected Web</web-resource-name>
              <description>The following are protected services only accessible by employees</description>
              <url-pattern>/Business/*</url-pattern>
              <url-pattern>/Employee/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
              <role-name>employee</role-name>
            </auth-constraint>
            <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
          </security-constraint>
          <login-config>
            <auth-method>FORM</auth-method>
            <realm-name>MyApp Realm</realm-name>
            <form-login-config>
              <form-login-page>/Login/Login.jsp</form-login-page>
              <form-error-page>/Error/LoginError.jsp</form-error-page>
            </form-login-config>
          </login-config>

          <security-role>
            <role-name>employee</role-name>
          </security-role>

          This ensures that every web service within that URL context will have to go to Login.jsp to get authenticated.

          The documentation on this JBoss site is exceptional for more info.
          Danno

          • 2. Re: Example of a servlet based login via JAAS
            jbrell

            Thanks Danno,

            I looked through the old archives but I am still missing something. What should the userid and password fields of the login.jsp be named? What action should the form do (GET, POST, to where)?



            Thanks,

            Jack




            • 3. Re: Example of a servlet based login via JAAS

              The username field must be named "j_username", the password "j_password", and the action for the form must be "j_securitycheck", so the form could look like:

              <form action="j_securitycheck" method="POST">
                <input type="text" name="j_username"><br>
                <input type="password" name="j_password"><br>
                <input type="submit">
              </form>

              For more info see the servlet 2.2 specification at http://java.sun.com/products/servlet/download.html
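              Putting the two answers above together (the FORM login-config in web.xml and the login form), the piece the thread never shows is how that realm is actually bound to a JAAS login module on JBoss 3.x. This is an added example, not code from the thread; the security-domain name MyApp, the properties file names and the sample user are assumptions, and it also switches the transport guarantee to CONFIDENTIAL so the posted credentials are not sent in clear text.

```xml
<!-- 1. WEB-INF/web.xml: same security-constraint as in reply 1, but the
        form post carrying j_username/j_password should go over HTTPS. -->
<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

<!-- 2. WEB-INF/jboss-web.xml: binds the web app's realm to a JAAS
        security domain. "MyApp" is an assumed name for this example. -->
<jboss-web>
  <security-domain>java:/jaas/MyApp</security-domain>
</jboss-web>

<!-- 3. server/default/conf/login-config.xml: the JAAS login-module stack
        behind that domain. UsersRolesLoginModule is JBoss's own
        properties-file based module; the file names are its options
        (assumed here) and are resolved from the web app's classpath. -->
<policy>
  <application-policy name="MyApp">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <module-option name="usersProperties">users.properties</module-option>
        <module-option name="rolesProperties">roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>

<!-- 4. WEB-INF/classes/users.properties and roles.properties (constructed
        sample user). The role name must match <role-name>employee</role-name>
        in web.xml or the auth-constraint will reject the user after login.
        users.properties:  jack=changeme
        roles.properties:  jack=employee -->
```

              After a successful POST to the security-check URL, JBoss runs this login-module stack; the `required` flag means a failing module fails the whole login and the container sends the user to LoginError.jsp.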

              • 4. Re: Example of a servlet based login via JAAS
                jbrell

                Thanks,

                One more question. How do you logout in this scenario? How would you retrieve the login context, or is there another way?

                - Jack

                • 5. Re: Example of a servlet based login via JAAS
                  p_d_austin

                  The easiest way to do this is to invalidate the session.

                  Use the following in your servlet (for JSPs there is just a session variable):

                  request.getSession().invalidate();

                  Paul

                  • 6. Re: Example of a servlet based login via JAAS
                    rbrindl

                    I think it has to be j_security_check (mind the underscore!) for the form action. (At least that's what I've used all the time and it worked.)

                    • 7. Re: Example of a servlet based login via JAAS
                      pitdingo

                      What if you have more than a simple user name and password? Like an SSN, username, and password? As far as I can tell, the JAAS implementation is not flexible in this regard... if I cannot invoke the login external to the server's invocation from the deployment descriptor, then how could it ever handle a more complex login such as mine? This is a serious design limitation.

                      I should be able to invoke the login method from a servlet.


                      • 8. Re: Example of a servlet based login via JAAS
                        sradford

                        Does anyone have an answer to the above (how to invoke your own login process for the web layer?)

                        Regards,

                        Sean

                        • 9. Re: Example of a servlet based login via JAAS
                          sradford

                          Well, I've done some digging in the current code and it looks like you can't (without modifying Jetty) - though maybe when they have AOP working in Jetty you might.

                          What needs to happen is the ability to register your own Authenticators (org.mortbay.http.SecurityConstraint.Authenticator), and then to have org.mortbay.jetty.servlet.WebApplicationContext set any registered custom Authenticators for subsequent use.

                          This would then be against the J2EE specs of course.

                          Regards,

                          Sean