4 Replies Latest reply on Dec 6, 2004 11:12 AM by starksm64

why multiple authentication !

hatoug Dec 3, 2004 10:14 AM

Hello Everybody,

I use authentication on jboss using a how-to found in : http://www.javaworld.com/javaforums/printthread.php?Board=JavaSecurity&main=2500&type=post

But I have problem, when I call any page of the site(servlet or jsp), it returns me the form login page (it s OK) , so I log in. When logged, I'm waiting that it returns me the page requested at the beginning (which contains frames) BUT, in eachframe, I find login window. I feel like in the servlet (of authentication) it checks well authentication but it's not saved and when we request another page, it replies login.
If anybody has an idea, Welcome

I give you the content of web.xml et le snippet code of the servlet (authentication).

Thanks.

Here are my rule in web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>action</web-resource-name>
Declarative security tests
<url-pattern>/affichegrille</url-pattern>
<url-pattern>/afficheDoc</url-pattern>
<url-pattern>/jsp/*</url-pattern>

<http-method>HEAD</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>

<auth-constraint>
<role-name>Java</role-name>
</auth-constraint>
<user-data-constraint>
no description
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/logon.jsp</form-login-page>
<form-error-page>/logon.jsp</form-error-page>
</form-login-config>
</login-config>

1. Re: why multiple authentication !

hatoug Dec 3, 2004 10:15 AM (in response to hatoug)

CODE SNIPPET OF THE SERVLET AUTHENTICATION
protected void forward (HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException
{
System.out.println("appel de accesPWS.forward()");
String useraction = request.getParameter("useraction");
String buildUrl = null;
if (useraction!=null && useraction.equals("close"))
{
HttpSession session = request.getSession(false);
try {
System.out.println("Appel de close");
gedAccess.remove();
deleteDirectory((String)session.getAttribute("repUsr"));
session.invalidate();
}catch (Exception e) {
e.printStackTrace();
}
}
else
{
if (useraction!=null && useraction.equals("form"))
{
String username = request.getParameter("j_username");
String password = request.getParameter("j_password");
try
{
SecurityAssociationHandler handler = new SecurityAssociationHandler();
SimplePrincipal user = new SimplePrincipal(username);
handler.setSecurityInfo(user, password.toCharArray());
LoginContext loginContext = new LoginContext("pws", (CallbackHandler)handler);
loginContext.login();
System.out.println(username+" -> OK");
Subject subject = loginContext.getSubject();
Set principals = subject.getPrincipals();
principals.add(user);
}catch(LoginException e)
{
System.out.println("Erreur de login");
buildUrl = "error.jsp";
e.printStackTrace();
}
}
// CONNEXION OK **************************************
if (buildUrl==null)
{
HttpSession session = request.getSession(true);
System.out.println(session.getId());
File rep = new File("c:\\Temp\\"+session.getId()+"\\");
buildUrl = "/jsp/ged.jsp";
try {
if (rep.mkdir())
session.setAttribute("repUsr","c:\\\\Temp\\\\"+session.getId()+"\\\\");
else
System.out.println("Echec dans la creation du repertoire de travail");
String usr = "2";
session.setAttribute("usr",usr);
session.setAttribute("username",request.getParameter("username"));
initGedAccess();
try {
gedAccess = gedAccessHome.create();
} catch (RemoteException e1) {
e1.printStackTrace();
} catch (CreateException e2) {
e2.printStackTrace();
}
session.setAttribute("gedAccess",gedAccess);
session.setAttribute("application",p_applicationMetier);
Hashtable tokens = gedAccess.getTokens(usr);
session.setAttribute("tokens",tokens);
System.out.println("buildUrl="+buildUrl);
RequestDispatcher rd = getServletContext().getRequestDispatcher(buildUrl);
rd.forward(request,response);
} catch (Exception e) {
e.printStackTrace();
}
}
// FIN DE CONNEXION OK ****************************************
} // fin du else si fin ou debut de session

}
Actions
2. Re: why multiple authentication !

starksm64 Dec 3, 2004 3:56 PM (in response to hatoug)

The JAAS login does not change the security association at the web container level such that forwarded request are done with that security context. The JAAS login affects calls to other secured resources like jms, ejbs, and jca. I have created a feature request to see if this is something we can provide support for in the future:
http://jira.jboss.com/jira/browse/JBWEB-3
Actions
3. Re: why multiple authentication !

hatoug Dec 6, 2004 5:23 AM (in response to hatoug)

BUT When I use the basic authentication in web.xml,
<auth-method>BASIC</auth-method>
<realm-name>GedOnLine Securité</realm-name>
it works fine.

so why cannot it also work with a FORM authentication ?
Actions
4. Re: why multiple authentication !

starksm64 Dec 6, 2004 11:12 AM (in response to hatoug)

Because form auth requires tight integration with the web container security internals. Basic auth passes in the username and password as part of the http request and we integration with the http url authentication mechanism.
Actions

Go to original post