1. Re: JAAS/Auth and getRemoteUser()
rocky Jul 27, 2002 7:35 PM (in response to rocky)
Oh, forgot to mention.
Platform is as such:
OS: Linux
JVM: J2SE 1.4.0_01
App Server: JBoss 3.0.0 + Tomcat 4.0.3 (integrated bundle)
2. Re: JAAS/Auth and getRemoteUser()
kpseal Jul 29, 2002 4:23 AM (in response to rocky)
Ah, sounds like you've got to the same point as many of us - "the wall of silence".
http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/
3. Re: JAAS/Auth and getRemoteUser()
simon.nicholls Dec 9, 2002 5:11 PM (in response to rocky)
Hiya,
I *think* the authenticated Subject gets stored in a Jetty/Tomcat cache, & the principal is stored in the user's session. The auth mechanism then uses this principal to check against the cache when it's security check time. It's obviously not so portable to start stuffing your subject into this cache manually.
Luckily, the mechanism doesn't enforce POST only submission to j_security_check - so you can simply store the user/pass in the session & redirect to a protected resource. On your login page, which the interceptor will call, simply check for eg j_autologin_uname/pass and if present, remove them & do a swift redirect to j_security_check passing the values along for the ride.
Use a sessionListener to set up your user after declarative login. eg. listen for org.mortbay.jetty.Auth to change - it's where the principal is stored in jetty. I just configure a context variable in web.xml for this, so it's fairly portable.
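The session-listener step described in the post above, as an added example that is not part of the original thread or any poster's code. The class name, the `authSessionAttribute` context-param and the `app.user` key are hypothetical, and the type of the object the container stores under `org.mortbay.jetty.Auth` is an assumption.

```java
import java.security.Principal;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;

/**
 * Added example. Register it in web.xml with <listener><listener-class>,
 * and optionally name the watched attribute in a <context-param>.
 */
public class LoginSetupListener implements HttpSessionAttributeListener {
    // Hypothetical context-param name; the default is the Jetty attribute
    // named in the post.
    static final String PARAM = "authSessionAttribute";
    static final String DEFAULT_ATTR = "org.mortbay.jetty.Auth";
    // Hypothetical key under which the application keeps its own user state.
    static final String APP_USER = "app.user";

    public void attributeAdded(HttpSessionBindingEvent e) { sync(e, true); }

    public void attributeReplaced(HttpSessionBindingEvent e) { sync(e, true); }

    public void attributeRemoved(HttpSessionBindingEvent e) { sync(e, false); }

    private void sync(HttpSessionBindingEvent e, boolean present) {
        HttpSession session = e.getSession();
        String watched = session.getServletContext().getInitParameter(PARAM);
        if (watched == null) watched = DEFAULT_ATTR;
        // Ignore every other attribute, including our own APP_USER writes,
        // which also fire this listener.
        if (!watched.equals(e.getName())) return;
        try {
            // On replace, e.getValue() is the OLD value, so read the current one.
            Object auth = present ? session.getAttribute(watched) : null;
            if (auth == null) {
                // Login marker gone (logout): drop the application state too.
                session.removeAttribute(APP_USER);
                return;
            }
            // Assumption: the container stores a Principal here; any other
            // type is kept as-is for the application to interpret.
            Object user = (auth instanceof Principal)
                    ? ((Principal) auth).getName() : auth;
            session.setAttribute(APP_USER, user);
        } catch (IllegalStateException invalidated) {
            // Session is being invalidated; its attributes go away with it.
        }
    }
}
```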
4. Re: JAAS/Auth and getRemoteUser()
dmaclaren Feb 6, 2003 12:41 AM (in response to rocky)
Can you explain this with any examples? I am using Apache/Tomcat but I can relate to this if I knew more of what you are referring to. If you can give examples of this listener you are talking about and the process of the redirect you used better.
Thanks