10 Replies Latest reply on Feb 20, 2002 3:16 AM by mike3

    FORM BASED AUTHENTICATION AND JAAS

    zzzz

      Hi all,
      I want to use form based authentication and JAAS and JBoss and I have a few questions:
      1. In my servlet I have

      <form method="POST" action="j_security_check">
      <input type="text" name="j_username" size="30"/>
      <input type="password" name="j_password"/>
      <input type="submit" value="Login"/>
      </form>

      I have written one class which makes the authentication using LoginContext, CallbackHandler etc, i.e with JAAS.

      Now I don't know how to make the connection between the servlet and the class which performs the authentication with JAAS. On the action of the form I have "j_security_check" and I don't know how to call my class. When I click Submit it goes to
      http://localhost:8080/MyApp/j_security_check and I get a "Page not found" error.
      In the web.xml I have a <security-domain> and <login-config>.

      One more question
      May I perform the authentication from Struts rather than from the servlet with action="j_security_check", name="j_username", type="password" name="j_password"?

      Thanks in advance. Your help is appreciated!

        • 1. Re: FORM BASED AUTHENTICATION AND JAAS
          zzzz

          I don't need to secure the servlets or JSPs. I just want the security credentials to be passed to the EJBs and I want to have security on the EJBs, so I don't have a
          <security-constraint> in my web.xml. Does it make a difference?

          • 2. Re: FORM BASED AUTHENTICATION AND JAAS

            Hi,

            If you don't have any security constraints in your web application, then you won't be asked to authenticate, so it does matter if you want to use standard J2EE web security.

            j_security_check is a special URL implemented by the container - the whole point of it is to hide the login process from you - you shouldn't be doing anything to implement this.

            Luke.

            • 3. Re: FORM BASED AUTHENTICATION AND JAAS
              zzzz

              Hi,
              Thank you very much!
              Well, at first I thought my login form has to be the first page, you login and you are in. But now I understood that this login page needs to be displayed when
              you try to access a secured URL. That's clear now! :)
              Now, what I don't understand is how to "call" my authentication class. My MyAuthentication class looks like
              .....
              // imports belong at the top of the file
              import javax.security.auth.login.LoginContext;
              import javax.security.auth.login.LoginException;
              .....
              // Build a LoginContext for the "digDomain" JAAS configuration entry and
              // authenticate with the supplied credentials.
              LoginContext loginContext = null;
              char[] pass;
              try {
                  if ((password != null) && (userName != null)) {
                      pass = password.toCharArray();
                      // AppCallbackHandler hands userName/pass to the login module's callbacks
                      AppCallbackHandler callbackHandler = new AppCallbackHandler(userName, pass);
                      loginContext = new LoginContext("digDomain", callbackHandler);
                      // Run the configured login modules; throws LoginException if authentication fails
                      loginContext.login();
                  }
              } catch (LoginException le) {
                  System.err.println("Cannot create LoginContext or log in. " + le.getMessage());
                  System.exit(-1);
              } catch (SecurityException se) {
                  System.err.println("Cannot create LoginContext. " + se.getMessage());
                  System.exit(-1);
              }
              .....

              In my login page I'm going to have action="j_security_check", so how can I call MyAuthentication.class at the same time?


              Thank you very much Luke, I appreciate your help!

              • 4. Re: FORM BASED AUTHENTICATION AND JAAS
                zzzz

                Hi again,
                To be more specific, I don't know how to get the j_username and j_password in order to pass them to the CallbackHandler.

                Thanks! :)

                • 5. Re: FORM BASED AUTHENTICATION AND JAAS

                  > I don't know how to get the j_username and j_password in order to pass them to the CallbackHandler.


                  Hi,

                  You can't access them in normal code, at least not without knowing how the web container implements this functionality and not in a standard way. There have been other posts on this - you should do a search for previous threads.

                  If you're using an integrated container, then it will handle the integration of security - you don't need to use a client login module at all.

                  Luke.

                  • 6. Re: FORM BASED AUTHENTICATION AND JAAS
                    zzzz

                    > If you're using an integrated container, then it will handle the integration of security - you don't need to use a client login module at all.

                    Hey,
                    I have a class MyCallbackHandler which takes as parameters the username and password. If I cannot get j_username and j_password I have no idea how to pass them to the CallbackHandler.
                    I don't understand how the integrated container will handle the integration of security.
                    Do you think that I don't need to use a CallbackHandler at all?! I think that I need to create a LoginContext to authenticate the EJB side, am I wrong?

                    Thank you very very much!

                    • 7. Re: FORM BASED AUTHENTICATION AND JAAS

                      You don't have to use JAAS at all. The container implements j_security_check and handles passing security information about from there on. You shouldn't have to write another line of code - just configure your app to use the same security domain in jboss.xml and jboss-web.xml.

                      Read the section on form-based authentication in the servlet spec to find out about j_security_check etc.

                      You should probably buy the online docs - the preview copy of the JBoss book has an in depth explanation of all this stuff.

                      Luke.
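                      Luke's two points above (post 2: only a security constraint makes the container show the login form; post 7: the web tier and the EJBs must name the same security domain) as deployment descriptors. This is an added example, not configuration from the thread or from JBoss; the URL pattern, role name and page names are assumptions, and "digDomain" is taken from the LoginContext code posted earlier.

```xml
<!-- web.xml: the container only redirects to the login form when a request hits a
     protected URL, so a security-constraint is required for FORM login to work. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>            <!-- assumed URL pattern -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>                     <!-- assumed role name -->
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- login.jsp holds the form that posts j_username/j_password to j_security_check -->
      <form-login-page>/login.jsp</form-login-page>
      <!-- shown by the container after a failed login -->
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>

<!-- jboss-web.xml: the security-domain belongs here, not in web.xml.
     "digDomain" is the JAAS configuration entry the login modules are registered under. -->
<jboss-web>
  <security-domain>java:/jaas/digDomain</security-domain>
</jboss-web>

<!-- jboss.xml: the EJBs use the same domain, so the principal and roles established by
     the form login are the ones the EJB container checks on method calls. -->
<jboss>
  <security-domain>java:/jaas/digDomain</security-domain>
</jboss>
```

                      With this in place an unauthenticated request for /secure/anything is redirected to /login.jsp and the container, not application code, consumes the j_security_check POST; a POST to j_security_check that no protected request triggered is not handled, which is the behaviour behind the "Page not found" in the first post.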

                      • 8. Re: FORM BASED AUTHENTICATION AND JAAS
                        zzzz

                        Thank you so much, Luke!
                        I appreciate your BIG HELP! :)

                        • 9. Re: FORM BASED AUTHENTICATION AND JAAS
                          jleech

                          I have been experimenting with this for the last few days, using JBoss 2.4.4/Tomcat 4.0.1. There is a JBoss example that works out of the box that sets up an ear file containing an EJB and servlet, and secures both using JAAS authentication. The backend JAAS LoginModule is the UsersRolesLoginModule that comes as part of JBoss. There are a few others. The example uses BASIC authentication, but it is simple to change that to FORM based authentication. It is also simple to swap out the UsersRolesLoginModule for your own, provided it uses the standard NameCallback and PasswordCallback callbacks, and the same Principal classes that UsersRolesLoginModule makes.

                          • 10. Re: FORM BASED AUTHENTICATION AND JAAS
                            mike3

                            Luke,

                            Is it _possible_ to login using a LoginContext (from the web layer) and have that principal propagate to request.getUserPrincipal()? (I'm using an integrated JBoss 2.4.4/Catalina 4.01)

                            I've read every forum post that even remotely mentions this scenario and no one seems to have gotten it to work successfully.

                            -mike

                            PS I do not mean j_security_check, I am aware of that option but would like to login via a LoginContext for various reasons.