2 Replies Latest reply on May 10, 2009 10:36 PM by ragavgomatam

    logincontext.login is temporary

    johney.tsai

      I am using a login.jsp which posts to a LoginServlet, which in turn calls the DatabaseServerLoginModule to authenticate users. In the doPost method of my LoginServlet I can see the authenticated user and all is well. However, once it leaves this method, the user's principals become null.

      Here is my login-config.xml.
      Note: I have added the ClientLoginModule as well, which is required for propagation.

```xml
<application-policy name="jaastest">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/DefaultDS</module-option>
      <module-option name="principalsQuery">
        SELECT password FROM Users WHERE user=?
      </module-option>
      <module-option name="rolesQuery">
        SELECT roles,'Roles' FROM UserRoles WHERE user=?
      </module-option>
      <module-option name="debug">true</module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">hex</module-option>
    </login-module>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
  </authentication>
</application-policy>
```

      Here is the login.jsp:

```jsp
<FORM name="logonForm" action="/LoginServlet" METHOD="POST">
<font color="red"><%=errorMsg%></font><br>
<TABLE width="100%" border="0" cellspacing="0" cellpadding="1" bgcolor="white">
  <TR align="center">
    <TD align="right" class="Prompt"></TD>
    <TD align="left">
      <INPUT type="text" name="username" maxlength=64>
    </TD>
  </TR>
  <TR align="center">
    <TD align="right" class="Prompt"> </TD>
    <TD align="left">
      <INPUT type="password" name="password" maxlength=64>
    </TD>
  </TR>
  <TR align="center">
    <TD align="right" class="Prompt"> </TD>
    <TD align="left">
      <input type="submit" value="Login">
    </TD>
  </TR>
</TABLE>
</FORM>
```

      LoginServlet:

```java
import java.util.Iterator;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpSession;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

// inside LoginServlet.doPost(HttpServletRequest request, HttpServletResponse response)
// the field names match the login.jsp form above
String username = request.getParameter("username");
String password = request.getParameter("password");

try
{
  // run the "jaastest" application-policy from login-config.xml
  LoginContext loginContext = new LoginContext("jaastest",
      new UsernamePasswordHandler(username, password));
  loginContext.login();

  System.out.println("logged in");

  // print every principal (user principal and Roles group) the login modules added
  Iterator it = loginContext.getSubject().getPrincipals().iterator();
  while(it.hasNext())
  {
    Object o = it.next();
    System.out.println("principle: "+o.getClass().getName()+ " "+o);
  }

  //redirect back to standard page
  response.sendRedirect("/index.jsp");
}
catch(LoginException e)
{
  // getSession(false) returns null when no session exists yet, so create one if needed
  HttpSession session = request.getSession();
  session.setAttribute("ERRORMSG", "Invalid username or password");
  response.sendRedirect("/login.jsp");
}
```

      I did the servlet mappings in my web.xml as well as defined a protected resource, /test.jsp.

      When I bring up the application in the browser, I try to log in and it redirects me back to the index.jsp page (if I provide bad credentials, I see my error msg), but when I try to access test.jsp via a link or by typing in the URL bar, it makes me log in again and the cycle repeats.

      I see these msgs printed to the console in LoginServlet:

```text
00:33:28,404 INFO [STDOUT] logged in
00:33:28,405 INFO [STDOUT] principle: org.jboss.security.SimplePrincipal myUser
00:33:28,409 INFO [STDOUT] principle: org.jboss.security.SimpleGroup Roles(members:admin)
```

      Any ideas why I can't seem to stay logged in?

      I've tried to get rid of response.sendRedirect but it still makes me log in every time I want to get to a protected resource.