4 Replies Latest reply on Nov 10, 2004 2:41 AM by starksm64

    Form based auth + EJB Auth working, How to use form-auth on

    websel
    websel Oct 14, 2004 6:51 AM

      Hi!,

      I've a problem which i haven't figured out yet.

      I have a form based authentication () which works fine.
      I have my EJB's protected with the same security domain which works ok if I supply a valid username & password to a standalone client

      What I would expected is that the servlet container would authenticate itself to the beans but this isn't the case (or can I configure this so it would? that would be great!)

      As a way to fix this, I'm having my web-app authenticate to the beans with the javax.security.auth.login.LoginContext
      Got this working example from jkuhn (thanks!!)
      I can't bridge the authenticated servlet to the EJB's only if i fill in a password in the servlet code which of course is not an option :-(

      Q1 Is there a way how i can have the servlet container authenticate it self to the beans in another way than this one below?
      Q2 How can i get the value of j_password from the form. This is not possible with the usual request.getParameter("j_password")

      This is a code snippet of my LogonAction.java

       public ActionForward execute(ActionMapping mapping,
 ActionForm form,
 HttpServletRequest request,
 HttpServletResponse response)
 throws IOException, ServletException {

 HttpSession session = request.getSession();

 String username="";
 String password="";

 username = "wessel";
 password = "mysecretpassword";

// ****** HERE's the Headace! How to get these two from the
// web-servlet!
// request.getParameter("j_password"); always returns null


 LoginContext lc = null;
 try{
 AppCallbackHandler handler = new
 AppCallbackHandler(username, password.toCharArray() );
 lc = new LoginContext("spawnzone", handler);
 System.out.println("Created LoginContext");
 lc.login();
 System.out.println("Logged in.");
 Iterator it = lc.getSubject().getPrincipals().iterator();
 while(it.hasNext()) {
 Object o = it.next();
 System.out.println("principle: "+
 o.getClass().getName()+ " "+o);
 }
 }catch (LoginException le){
 System.out.println("Login failed");
 le.printStackTrace();
 }


      Many many thanks for who gives the solution to bridge these two ... it's pritty frustrating having the two ends 'just' not close enough to tie them together :-)

      Wessel

      • 5051 Views
      • Tags:
        • 1. Re: Form based auth + EJB Auth working, How to use form-auth
          websel
          websel Oct 14, 2004 9:28 AM (in response to websel)

          I've found a workaround to get the username & password back from the Form based authentication. I'm working with a Filter which intercepts the post and stores the values in the session scope.

          package com.artomilito.www.colossus;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * Login Filter 14-oct-2004, Wessel de Roode
 * From an idea of dmitry_ame at yahoo.com.
 * Written for Struts & Xdoclet & changed for
 * EJB Authentication by Wessel.
 * Purpose to intecept the username & password from a
 * FORM based authentication. The username & password
 * can now used for authenticating with EJB's
 * This filter should point to an unprotected directory
 * with an empty jsp file in it. Example /login/dummy.jsp
 *
 * The loginform should look like this in struts:
 * <FORM name="loginform" action="login/dummy.jsp" method="post">
 * <input type="text" name="j_username"/>
 * <input type="password" name="j_password"/>
 *
 * After login the loginAction or any first action that is addressed can retrieve the
 * values with:
 * HttpSession session = request.getSession();
 * String user = session.getAttribute("j_username"));
 * String pass = session.getAttribute("j_password"));
 * Without the Filter these values will be null
 * @author Wessel de Roode
 *
 * @web.filter
 * name = "LoginFilter"
 *
 * @web.filter-mapping
 * url-pattern = "/login/*"
 */
public class LoginFilter implements Filter {

 static Log log = LogFactory.getLog(LoginFilter.class);
 public void init(FilterConfig arg0) throws ServletException {}

 public void doFilter(ServletRequest request,
 ServletResponse response, FilterChain chain)
 throws IOException, ServletException {
 HttpServletResponse httpResponse = (HttpServletResponse)response;
 HttpServletRequest httpRequest = (HttpServletRequest) request;
 String redirectString = "j_security_check";
 log.info( "Sending redirect to: " + redirectString);

 String username = httpRequest.getParameter("j_username");
 String password = httpRequest.getParameter("j_password");

 HttpSession session = httpRequest.getSession();
 // Set the attributes in the session space
 session.setAttribute("j_username", username );
 session.setAttribute("j_password", password );

 httpResponse.sendRedirect( redirectString +"?j_username="+username+"&j_password="+password );

 chain.doFilter(httpRequest, httpResponse);
 }

 public void destroy() {}
}


            • Actions
          • 2. Re: Form based auth + EJB Auth working, How to use form-auth
            starksm64
            starksm64 Oct 16, 2004 3:56 PM (in response to websel)

            If you are using the embedded tomcat in jboss there will be automatic propagation of the security context required to access the servlet to the ejb tier. If the servlet accessing the ejb is not under a restricted context there is no security context to propagate however.

              • Actions
            • 3. Re: Form based auth + EJB Auth working, How to use form-auth
              websel
              websel Nov 9, 2004 2:39 PM (in response to websel)

               

              "scott.stark@jboss.org" wrote:
              If you are using the embedded tomcat in jboss there will be automatic propagation of the security context required to access the servlet to the ejb tier. If the servlet accessing the ejb is not under a restricted context there is no security context to propagate however.


              Sorry for the late response, i've been to africa for a while on a long trip.

              Thanks for your reply, still not figured this out.
              - I'm using the standard JBoss 4.0.zip file from the download area with the principal-caller patch. so that the isUserInRole call works.
              - And i'm using the integrated tomcat from Jboss 4.0 .

              Still this propagation doesn't work. Could there be a problem because i'm using struts? All the struts actions are under the webcontainer restrictions.

              Any corners i should check again ?
              Please any help is welcome..

              Thanks in advance,
              Wessel de Roode


                • Actions
              • 4. Re: Form based auth + EJB Auth working, How to use form-auth
                starksm64
                starksm64 Nov 10, 2004 2:41 AM (in response to websel)

                The only thing left is to file a bug report on sourceforge with an example application that shows the problem.

                http://sourceforge.net/tracker/?group_id=22866&atid=376685

                  • Actions