3 Replies Latest reply on Nov 26, 2004 6:33 PM by ravichittari

    JAAS Authentication with JBoss - Almost there need some help

    ravichittari

I am using a custom login module and am able to successfully log in through the LoginContext.login() method.

I am using Struts and have a LoginAction class.

      Code in the login action class
      -----------------------------------

import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpSession;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

// Inside the Struts action's execute() method; argRequest and argMapping are
// the HttpServletRequest and ActionMapping handed to execute().
String userName = argRequest.getParameter("j_username");
String password = argRequest.getParameter("j_password");

HttpSession session = argRequest.getSession();

// Both fields are required; a missing user name or password must not reach the login module.
if (userName == null || password == null)
{
    return argMapping.getInputForward();
}
// "test" is the application-policy name the login module is registered under.
LoginContext lc = new LoginContext("test", new UsernamePasswordHandler(userName, password));
try
{
    lc.login();
}
catch (LoginException le)
{
    // Bad credentials: send the user back to the login form.
    return argMapping.getInputForward();
}

return argMapping.findForward(Constants.SUCCESS);
      ----------------------------------

Login is successful and I get a valid subject back.

My question is:

Should I store the subject in the session under a particular name, so that the JBoss app server realizes that the user has logged in and permits other requests?

In my case, with just the above code, it does not allow further requests after this.

Basically, I think I am missing the JAAS authentication integration point with the servlet engine. I have JAAS working, but how do I let the servlet engine know about the logged-in principal?

Also for logout, in order to call loginContext.logout() I need a reference to the LoginContext. What is the best practice in this case? Should I be storing the initial login context in the session so that I can call logout from that reference?

I am hoping to receive some answers.

Thank you very much in advance

        • 1. Re: JAAS Authentication with JBoss - Almost there need some
          ravichittari

Looking for an answer... One of the JAAS / JBoss gurus, please respond.

          Thank you

          • 2. Re: JAAS Authentication with JBoss - Almost there need some
            starksm64

Read the JAAS HowTo and the part on the ClientLoginModule. Just doing a JAAS login in a servlet does not affect the web container security state. It sounds like you are not using container-level declarative security, and so you have to add your own filters to do application-level security based on the session Subject.
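The application-level approach the reply describes, and the original post's two questions (where to keep the Subject, and how to reach the LoginContext again for logout), are shown below as an added example. It is not code from the thread, from JBoss or from the SecurityFilter project: the session attribute names, the login page path and the helper method names are assumptions chosen for illustration. The filter only inspects the HttpSession; it does not, and cannot, make the container's declarative security aware of the login.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Application-managed security: the JAAS Subject and the LoginContext that
 * produced it are kept in the HttpSession under attribute names chosen for
 * this example (assumptions, not names JBoss or the servlet container know),
 * and the filter refuses requests that carry no authenticated Subject.
 */
public class SessionSubjectFilter implements Filter {

    public static final String SUBJECT_KEY = "example.jaas.subject";
    public static final String LOGIN_CONTEXT_KEY = "example.jaas.loginContext";

    // Where unauthenticated users are sent; overridable via a filter init-param (assumed).
    private String loginPage = "/login.jsp";

    public void init(FilterConfig config) {
        String configured = config.getInitParameter("loginPage");
        if (configured != null) {
            loginPage = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Do not create a session just to look at it: no session means not logged in.
        HttpSession session = request.getSession(false);
        Subject subject = (session == null) ? null : (Subject) session.getAttribute(SUBJECT_KEY);

        if (subject == null) {
            response.setHeader("Cache-Control", "no-store");
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    /** Called by the login action after LoginContext.login() has succeeded. */
    public static void storeLogin(HttpServletRequest request, LoginContext lc) {
        // Drop any pre-login session so a session id the client arrived with is
        // never promoted to an authenticated one (session fixation).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(SUBJECT_KEY, lc.getSubject());
        session.setAttribute(LOGIN_CONTEXT_KEY, lc);
    }

    /** Called by the logout action: logs the Subject out and destroys the session. */
    public static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return;
        }
        LoginContext lc = (LoginContext) session.getAttribute(LOGIN_CONTEXT_KEY);
        if (lc != null) {
            try {
                lc.logout();
            } catch (LoginException ignored) {
                // The session is invalidated below regardless, so the user is out either way.
            }
        }
        session.invalidate();
    }
}
```

The login action would call SessionSubjectFilter.storeLogin(argRequest, lc) where the original code currently returns SUCCESS, and the filter would be mapped in web.xml to every path that must require a login, with the login page and login action left outside that mapping. Two caveats worth knowing before choosing this route: LoginContext is not Serializable, so a session holding it cannot be replicated or passivated, and nothing stored this way is visible to isUserInRole() or to security constraints in web.xml; if those are needed, container-managed security is the right choice.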

            • 3. Re: JAAS Authentication with JBoss - Almost there need some
              ravichittari

              Scott,
Thanks for your reply.

After reading your reply and reading some books, I realized that I was trying to mix two things, container-managed security and application-managed security, and was getting confused.

I have decided to go with container-managed security using j_security_check and let the container pick up the roles etc. from web.xml.

I also thought about going with application-managed security, which involved writing my own Servlet Filter. While doing that I looked at SecurityFilter (open source), but later decided to go with container-managed security for the limited requirements I have.