logincontext.login is temporary
johney.tsai Sep 12, 2005 3:56 AM
I am using a login.jsp which posts to a LoginServlet which in turn calls the DatabaseServerLoginModule to authenticate users. In the doPost method of my LoginServlet I can see the authenticated user and all is well. However, once it leaves this method, the user's principals become null.
Here is my login-config.xml
Note: I have added the clientloginmodule as well which is required for propagation.
    <application-policy name="jaastest">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                <module-option name="dsJndiName">java:/DefaultDS</module-option>
                <module-option name="principalsQuery">
                    SELECT password FROM Users WHERE user=?
                </module-option>
                <module-option name="rolesQuery">
                    SELECT roles,'Roles' FROM UserRoles WHERE user=?
                </module-option>
                <module-option name="debug">true</module-option>
                <module-option name="hashAlgorithm">MD5</module-option>
                <module-option name="hashEncoding">hex</module-option>
            </login-module>
            <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
        </authentication>
    </application-policy>
Here is the login.jsp
    <FORM name="logonForm" action="/LoginServlet" METHOD="POST">
        <font color="red"><%=errorMsg%></font><br>
        <TABLE width="100%" border="0" cellspacing="0" cellpadding="1" bgcolor="white">
            <TR align="center">
                <TD align="right" class="Prompt"></TD>
                <TD align="left">
                    <INPUT type="text" name="username" maxlength=64>
                </TD>
            </TR>
            <TR align="center">
                <TD align="right" class="Prompt"> </TD>
                <TD align="left">
                    <INPUT type="password" name="password" maxlength=64 >
                </TD>
            </TR>
            <TR align="center">
                <TD align="right" class="Prompt"> </TD>
                <TD align="left">
                    <input type="submit" value="Login">
                </TD>
            </TR>
        </TABLE>
    </FORM>
LoginServlet
    try {
        LoginContext loginContext = new LoginContext("jaastest",
                new org.jboss.security.auth.callback.UsernamePasswordHandler(username, password));
        loginContext.login();
        System.out.println("logged in");
        Iterator it = loginContext.getSubject().getPrincipals().iterator();
        while (it.hasNext()) {
            Object o = it.next();
            System.out.println("principle: " + o.getClass().getName() + " " + o);
        }
        // redirect back to standard page
        response.sendRedirect("/index.jsp");
    } catch (LoginException e) {
        HttpSession session = request.getSession(false);
        session.setAttribute("ERRORMSG", "Invalid username or password");
        response.sendRedirect("/login.jsp");
    }
I did the servlet mappings in my web.xml as well as defining a protected resource, /test.jsp.
When I bring up the application in the browser, I try to log in and it redirects me back to the index.jsp page (if I provide bad credentials, I see my error msg), but when I try to access test.jsp via a link or by typing in the URL bar, it makes me log in again and the cycle repeats.
I see these msgs printed to the console in LoginServlet.
00:33:28,404 INFO [STDOUT] logged in
00:33:28,405 INFO [STDOUT] principle: org.jboss.security.SimplePrincipal myUser
00:33:28,409 INFO [STDOUT] principle: org.jboss.security.SimpleGroup Roles(members:admin)
Any ideas why I can't seem to stay logged in?
I've tried to get rid of response.sendRedirect but it still makes me log in every time I want to get to a protected resource.