2 Replies Latest reply on May 21, 2004 12:34 PM by hoos

    How to Use JAAS with custom Authentication filter?

    hoos

      Hello,

I have a filter that checks every request for a valid session id (sent as a request parameter, e.g. sid=123) using an EJB to do the database lookup. If the session id is invalid then the user is redirected to a login page.

This setup works fine over multiple webapps using the same database. The disadvantage is that there is no interaction between my authentication mechanism and the container security, so I cannot use methods like getUserPrincipal or isUserInRole in my servlets or EJBs. If I understand this problem correctly, my authenticated users simply do not have a security context as I have bypassed the container security.

I have read the JAAS HowTo and I was wondering if it is possible for my filter or EJB to create a security context, possibly by logging the user in using JAAS, instead of directly doing an SQL query. Will this approach work over multiple webapps? Can anyone point me in the right direction? Some sample code would be nice. I have seen a few pointers on this in the forum but it's all a bit confusing still.

      Hoos

        • 1. Re: How to Use JAAS with custom Authentication filter?
          starksm64

Do the LoginContext creation required by external clients described in the JAAS HowTo in the filter when the request comes in, and log out when it completes.
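The following is an added example of the per-request LoginContext pattern described above; it is not code from this thread or from JBoss. It assumes a servlet 2.3 Filter, a JAAS configuration entry named "client-login" (the name used in the JAAS HowTo for external clients), a hypothetical SessionLookup interface standing in for the poster's EJB that validates the sid parameter, and a login page at /login.jsp.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class JaasSessionFilter implements Filter {

    // Assumed JAAS configuration entry (see login-config.xml in the JAAS HowTo).
    private static final String LOGIN_CONFIG = "client-login";

    // Hypothetical abstraction over the poster's EJB: resolves a session id to
    // the user name and the credential the configured login module expects.
    public interface SessionLookup {
        Credentials find(String sid);
    }

    public static final class Credentials {
        public final String username;
        public final char[] password;
        public Credentials(String username, char[] password) {
            this.username = username;
            this.password = password;
        }
    }

    private SessionLookup lookup;

    public void init(FilterConfig cfg) throws ServletException {
        // In a real deployment this would obtain the EJB reference via JNDI.
        lookup = (SessionLookup) cfg.getServletContext().getAttribute("sessionLookup");
    }

    public void destroy() {
        lookup = null;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Validate the session id first; never create a LoginContext for an unknown sid.
        String sid = request.getParameter("sid");
        Credentials creds = (sid == null) ? null : lookup.find(sid);
        if (creds == null) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        LoginContext lc;
        try {
            lc = new LoginContext(LOGIN_CONFIG, new FixedCallbackHandler(creds));
            lc.login();
        } catch (LoginException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        try {
            chain.doFilter(req, res);
        } finally {
            // Always log out, even on exceptions: worker threads are pooled, so a
            // lingering security association would leak into the next request
            // handled by this thread.
            try {
                lc.logout();
            } catch (LoginException ignored) {
                // nothing useful to do here; the association is cleared on failure too
            }
        }
    }

    // Supplies the already-validated user name and credential to the login module.
    private static final class FixedCallbackHandler implements CallbackHandler {
        private final Credentials creds;
        FixedCallbackHandler(Credentials creds) { this.creds = creds; }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    ((NameCallback) callbacks[i]).setName(creds.username);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    ((PasswordCallback) callbacks[i]).setPassword(creds.password);
                } else {
                    throw new UnsupportedCallbackException(callbacks[i]);
                }
            }
        }
    }
}
```

Two points worth checking in your own deployment: the "client-login" entry only associates the identity with the calling thread for EJB invocations, so the EJB security domain still performs the real authentication and role lookup; and the web container's own getUserPrincipal/isUserInRole reflect its web-tier authentication, which this filter does not perform, so those calls may still return nothing in servlets unless the web container is integrated with the same security manager.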

          • 2. Re: How to Use JAAS with custom Authentication filter?
            hoos

            Thanks for the reply Scott,

I have tried your suggestion and it works perfectly well for a single webapp. The problem with my application is that once the user is authenticated the request is dispatched to another webapp (in the same EAR). Since the dispatched request bypasses my authentication filter, the second webapp correctly treats it as an unauthenticated request. I could probably get round this by using a 302 redirect, but after some time considering the problem I have decided to refactor the old code I am using, merge the multiple webapps into one webapp, and use JAAS authentication in the standard way.

I will need the ability to use some sort of single sign-on, so I have switched off cookies and can now pass around the JSESSIONID to authenticated third parties (at least in the web tier).

Is it possible to change the way the JSESSIONID is generated? I would like to encode some useful info into it when it is created.

            Thanks,
            Hoos