Hello to all the good folks on this forum. I desperately need some help with a security scenario that i am almost done with but not quite done yet. We are using JBoss-2.4.10_Tomcat-4.0.6. we have a web application that has a normal login page with an input for a user-id and password. This login page uses "j_security_check" and authenticates on the server side against a DB2 database using the "DatabaseServerLoginModule" that already comes with JBOSS.

We have a NEW corporate policy that has required me to write a new login module since our application is going to be accessed in two different ways. firstly in the old way as i have described above and secondly (more importantly) by a custom authentication product that sits in front of all our applications (it uses web-seal and LDAP etc) . If this product authenticates and authorizes the user, then the user will be forwarded to our application. The entry point into our application is a custom servlet that i have written (which bypasses the j_security_check). I will first explain what the servlet that that bypasses the j_security_check does and then explain what the login module i have written does .

The entry point into our application from this product is a new custom servlet that i have written (the old method to acces the application still uses the j_security_check). This servlet basically parses a cookie that the authentication product has set and gets the user-id, client name and the roles associated with the user-id after being authenticated (it does not have a password, since we are already authenticated). This servlet in other words needs to bypass the j_security_check, for all requests coming from this authentication product. the pseudo code for this servlet basically is as follows:

String homeURL = "/index.jsp";
CustomCallbackHandler handler = getCallbackHandler(cookieCredentialsMap);
LoginContext lc = null;
lc = new LoginContext("appBase", handler);
//(appBase is the name of the entry in auth.conf file that sets up the custom login module)

lc.login();
res.sendRedirect(homeURL);

So the servlet creates the custom callback handler and sets up the custom callback that i have written and creates a LoginContext object. then it calls the login() method on the loginContext object. I know this call hits the custom login module that i have written and works as expected and authenticates the user again. I am doing this second authentication (lc.login() ) only to create a login context within the JBOSS framework (realistically i was already authenticated by the custom authentication product upon entry to our application, entry point being the servlet from above explanation)

In the custom login module that i have written (which extends the DatabaseServerLoginModule) with a custom callback and callback handler. What this new login module does is first determine where the call is coming from. it does that by finding out if the callback-handler is the custom one that i wrote. If an UnsupportedCallbackException is thrown then i know that the request to authenticate is not from the new authentication product and is from the old login page. So based upon where the request is coming from the following 2 things can happen

1) if request originated from old login page the flow is as follows (Login.jsp ------> j_security_check -------> My login module). this stuff works fine

2) if request came from the new authentication silo app ( ----> my custom servlet -------> my login module).
This goes into the loginmodule and gets authenticated corectly but this authenticated state is not stored anywhere. my next request sends me back to the login page that uses the j_security_check.

I am in a really bad bind and need to get this resolved really soon. I would really really appreciate any help. Thanks in advance for all your help.

Thanks,
Momin Durrani.