2 Replies Latest reply on Oct 3, 2005 1:53 AM by niwhsa

JAAS Security in Jboss - Password Capture

gregperry Sep 28, 2005 9:52 AM

I am trying to find a way of capturing a user's password so that I can have the user login to one of my web applications (which acts as a client), and pass it to a second application (which acts as the server). Currently my applications are deployed in Tomcat and I am struggling to find a way to implement this.

If I was to migrate to JBoss, would the JAAS modules of JBoss allow me to grab the password during the authentication process? If so, would the password be encrypted, or would I be able to pass it as raw text to my second application?

I've read through the FAQs and can't find the answer. Any advice would be much appreciated.

1. Re: JAAS Security in Jboss - Password Capture

neelixx Oct 1, 2005 10:37 AM (in response to gregperry)

If the user is submitting their credentials in an HTML form, then you already have their credentials.

If you are using Browser-based logon, then you'll have to write your own LoginModule.

JBoss does have a way of doing SSO (Single Sign On) but I haven't delved too much into that aspect yet.
Actions
2. Re: JAAS Security in Jboss - Password Capture

niwhsa Oct 3, 2005 1:53 AM (in response to gregperry)

If you are using basic authentication then yes jboss can help. You can write your own/extend the existing loginmodules to get the password. It will nto be encrypted. Even if you end up using SSL by the time the password reaches the login module it should be decrypted already.

If you are using form based login, you can get the password even in tomcat. The easiest would be to put a filter to the j_security_check servlet. In the filter you can read j_password from the request.
Actions

Go to original post