5 Replies Latest reply on Jun 16, 2005 1:23 PM by starksm64

    Principal = null

    milkygto

      Can anyone point out what the problem is here? I followed the JAAS howto, but I still can't get the principal to work.

      After I do the loginContext.login(), my user and role are set. If I do a forward(), I can get to the restricted resources.
      But if I do a request.sendRedirect, I lose the principal. So I tested it by getting it out of request.getUserPrincipal(),
      and it didn't surprise me that it returned null. I tested it on JBoss 4.0.1 RC1 and RC2, and neither of them works.

      Thanks,

      -------------------------------------------------------------------------------
      LoginServlet
      -------------------------------------------------------------------------------

      import java.io.IOException;
      import java.security.Principal;
      import java.util.Set;
      import javax.security.auth.Subject;
      import javax.security.auth.login.LoginContext;
      import javax.security.auth.login.LoginException;
      import javax.servlet.http.HttpServlet;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      import org.apache.log4j.Logger;
      import org.jboss.security.SimplePrincipal;
      import org.jboss.security.auth.callback.SecurityAssociationHandler;

      public class LoginServlet extends HttpServlet {

          private static final Logger log = Logger.getLogger(LoginServlet.class);

          protected void doPost(HttpServletRequest request, HttpServletResponse response) {
              String username = request.getParameter("username");
              String password = request.getParameter("password");

              try {
                  if (username != null && password != null) {
                      // JAAS login through the JBoss callback handler
                      SecurityAssociationHandler handler = new SecurityAssociationHandler();
                      SimplePrincipal user = new SimplePrincipal(username);
                      handler.setSecurityInfo(user, password.toCharArray());
                      LoginContext loginContext = new LoginContext("equilar-login", handler);
                      loginContext.login();

                      Subject subject = loginContext.getSubject();
                      Set principals = subject.getPrincipals();
                      principals.add(user);

                      // the web container has not authenticated this request, so this is null
                      Principal p = request.getUserPrincipal();
                      if (p != null)
                          log.info("Principal = " + p.getName());
                      else
                          log.info("Principal is null");

                      try {
                          response.sendRedirect("/index.jsp");
                          return;
                      } catch (IOException e) {
                          log.error("sendRedirect failed", e);
                      }
                  } else {
                      try {
                          response.sendRedirect("/login.jsp");
                          return;
                      } catch (IOException e) {
                          log.error("Failed redirecting", e);
                      }
                  }
              } catch (LoginException e) {
                  log.info("Login failed for " + username + ". Reason: " + e.getMessage());
                  try {
                      response.sendRedirect("/login.jsp?login=failed");
                      return;
                  } catch (IOException ee) {
                      log.error("Failed redirecting", ee);
                  }
              }
          }
      }

      -------------------------------------------------------------------------------
      Auth.conf in jboss/server/default/conf
      -------------------------------------------------------------------------------
      client-login
      {
      org.jboss.security.ClientLoginModule required;
      };

      equilar-login
      {
      org.jboss.security.ClientLoginModule required
      ;

      org.jboss.security.auth.spi.UsersRolesLoginModule required
      usersProperties="users.properties"
      rolesProperties="roles.properties"
      unauthenticatedIdentity=nobody
      ;

      };

      -------------------------------------------------------------------------------
      Auth.conf in jboss/client
      -------------------------------------------------------------------------------

      client-login
      {
      org.jboss.security.ClientLoginModule required;
      };

      equilar-login
      {
      org.jboss.security.ClientLoginModule required
      ;

      org.jboss.security.auth.spi.UsersRolesLoginModule required
      unauthenticatedIdentity=nobody
      ;
      };

      -------------------------------------------------------------------------------
      login-config.xml
      -------------------------------------------------------------------------------

      <application-policy name="equilar-login">

      <login-module code = "org.jboss.security.ClientLoginModule"
      flag = "required">
      </login-module>

      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required">
      <module-option name="usersProperties">users.properties</module-option>
      <module-option name="rolesProperties">roles.properties</module-option>
      <module-option name="unauthenticatedIdentity">nobody</module-option>
      </login-module>

      </application-policy>

        • 1. Re: Principal = null
          milkygto


          <form method="POST" action='<%= response.encodeURL( "j_security_check" ) %>'>
          <table>
           <tr>
           <th>Username:</th>
           <td><input type="text" name="j_username" size="15"/></td>
           </tr>
           <tr>
           <th>Password:</th>
           <td><input type="password" name="j_password" size="15"/></td>
           </tr>
           <tr/>
           <tr>
           <td colspan="2" align="right">
           <input type="submit" value="Submit"/>
           </td>
           </tr>
           </table>
           </form>


          • 2. Re: Principal = null
            starksm64

            The problem is that this cannot work. The JAAS login only affects the current calling thread for subsequent access to secured resources. It does not magically inform the web container that all sendRedirects should be trusted. This is impossible in general, as it's the web client that has to provide the identity and proof of identity, and the form depends on the authentication scheme selected by the war deployment.

            • 3. Re: Principal = null
              milkygto

              What would be the best practice for using the JAAS model in a web application?

              If I don't want to use j_security_check in the JSP form for the user to log in, and I wouldn't want to save the username and password in the session to do the authentication every time, can anyone point me in the right direction?


              import java.io.IOException;
              import javax.servlet.ServletException;
              import javax.servlet.http.HttpServlet;
              import javax.servlet.http.HttpServletRequest;
              import javax.servlet.http.HttpServletResponse;

              public abstract class MasterServlet extends HttpServlet {

                  // this is where I do authentication
                  protected abstract void doSecurityCheck(HttpServletRequest request, HttpServletResponse response)
                          throws ServletException, IOException;

                  protected abstract void onService(HttpServletRequest request, HttpServletResponse response)
                          throws ServletException, IOException;

                  protected void service(HttpServletRequest request, HttpServletResponse response)
                          throws ServletException, IOException {
                      doSecurityCheck(request, response);
                      onService(request, response);
                  }
              }
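One way to do what post 3 asks for without j_security_check and without keeping the password around, while respecting starksm64's point that a LoginContext login is thread-local and invisible to the container: authenticate once through JAAS, keep only the resulting identity and role names in the HttpSession, and wrap every later request so getUserPrincipal()/isUserInRole() reflect that session identity. This is an added example written for this thread, not code from the thread or from JBoss. It assumes a filter mapped to /*, a form that POSTs username/password to /login, the "equilar-login" policy from the thread, and the JBoss convention that login modules add roles to a Group named "Roles"; the session key and paths are made up.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.callback.SecurityAssociationHandler;

/** Assumed filter: JAAS login once, identity kept in the session, password never stored. */
public class SessionLoginFilter implements Filter {

    private static final String USER_ATTR = "authenticatedUser"; // assumed session key
    private static final String LOGIN_PATH = "/login";            // assumed form action
    private static final String POLICY = "equilar-login";         // policy name from the thread

    /** Only the identity and role names survive in the session, never the credentials. */
    static final class AuthenticatedUser implements Serializable {
        final String name;
        final Set<String> roles;
        AuthenticatedUser(String name, Set<String> roles) { this.name = name; this.roles = roles; }
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if ("POST".equals(request.getMethod()) && LOGIN_PATH.equals(request.getServletPath())) {
            handleLogin(request, response);
            return;
        }
        HttpSession session = request.getSession(false);
        AuthenticatedUser user = (session == null) ? null
                : (AuthenticatedUser) session.getAttribute(USER_ATTR);
        // Wrap the request so application code sees the session identity on every request
        chain.doFilter(user == null ? request : new AuthenticatedRequest(request, user), response);
    }

    private void handleLogin(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {   // never hand a null username to the login module
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        try {
            SecurityAssociationHandler handler = new SecurityAssociationHandler();
            handler.setSecurityInfo(new SimplePrincipal(username), password.toCharArray());
            LoginContext lc = new LoginContext(POLICY, handler);
            lc.login();                        // JAAS authentication, as in the LoginServlet above
            Set<String> roles = rolesOf(lc.getSubject());
            lc.logout();                       // release the thread association; the session carries the identity

            HttpSession old = request.getSession(false);
            if (old != null) old.invalidate(); // fresh session id after authentication (session fixation)
            request.getSession(true).setAttribute(USER_ATTR, new AuthenticatedUser(username, roles));
            response.sendRedirect(request.getContextPath() + "/index.jsp");
        } catch (LoginException e) {
            response.sendRedirect(request.getContextPath() + "/login.jsp?login=failed");
        }
    }

    /** Role names from the "Roles" group JBoss login modules add to the Subject (assumed convention). */
    private static Set<String> rolesOf(Subject subject) {
        Set<String> roles = new HashSet<String>();
        for (Group group : subject.getPrincipals(Group.class)) {
            if (!"Roles".equals(group.getName())) continue;
            for (Enumeration<? extends Principal> e = group.members(); e.hasMoreElements();) {
                roles.add(e.nextElement().getName());
            }
        }
        return roles;
    }

    /** getUserPrincipal()/isUserInRole() now reflect the session identity for application code. */
    static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final AuthenticatedUser user;
        AuthenticatedRequest(HttpServletRequest request, AuthenticatedUser user) {
            super(request);
            this.user = user;
        }
        public Principal getUserPrincipal() { return new SimplePrincipal(user.name); }
        public String getRemoteUser() { return user.name; }
        public boolean isUserInRole(String role) { return user.roles.contains(role); }
    }
}
```

Two caveats. First, this only helps code that calls the request methods itself (a doSecurityCheck like the one in MasterServlet, or isUserInRole checks in servlets and JSPs); security-constraints in web.xml are enforced by the container, which still sees an unauthenticated request, so those need j_security_check or another container-recognised scheme. Second, the thread's Auth.conf sets unauthenticatedIdentity=nobody, which makes UsersRolesLoginModule accept a missing username as the "nobody" identity; that is why the filter rejects null parameters before calling login() rather than relying on the login module to fail. The lc.logout() call clears the thread association set by ClientLoginModule, so drop it if the same request must go on to call secured EJBs.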
              


              • 4. Re: Principal = null
                ram0206

                Hi,
                I have a problem with the security domain, can you help me? I have logged in successfully, but afterwards, when I try to call an EJB, it says the user name and password are null in DatabaseServerLoginModule's login method.

                If you can help: I am using MySQL as the database and Cocoon actions as the action class ..


                Please,



                Ram