web application security identification
vlasev Oct 10, 2005 10:59 AM
Hi everyone.
I am developing a web application and trying to achieve the following:
When accessing session beans I want the bean's caller identity to be a constant value not related to the user login information. Reason: I am using beans defined in another web application which uses container managed authentication, and there is a caller identity (principal name) check within a filter.
So far I have tried to make my own CustomLoginModule which takes the principal name and roles from the options map. I have a "dummy" login page with a hidden form having both j_username and j_password fields empty. The form action is j_security_check, and it's invoked automatically.
Everything looks fine when I start the application: the automated login process leads me to my web app welcome page and I have the following request attribute:
j_subject = Subject: Principal: myPrincipal Principal: Roles(members:myRoles)
But when I obtain a session bean its caller identity is void (principal name == "", roles == "").
I found out that those values within the caller identity are the values of j_username and j_password, and I cannot set them outside of the form.
Trying to find out what j_security_check does, I have found the Catalina source used for container managed authentication within the Tomcat container.
Here is a snippet that got my attention:
public final class Constants {
    // ...
    // parameter names the form login page must submit
    public static final String FORM_PASSWORD = "j_password";
    public static final String FORM_USERNAME = "j_username";
    // ...
}

public class FormAuthenticator extends AuthenticatorBase {
    // ...
    public boolean authenticate(HttpRequest request, HttpResponse response, LoginConfig config) throws IOException {
        // ...
        // the principal is produced by the realm from the submitted form fields,
        // so an empty j_username/j_password yields an empty identity
        Realm realm = context.getRealm();
        String username = hreq.getParameter(Constants.FORM_USERNAME);
        String password = hreq.getParameter(Constants.FORM_PASSWORD);
        if (debug >= 1)
            log("Authenticating username '" + username + "'");
        principal = realm.authenticate(username, password);
        // ...
    }
    // ...
}
I believe this piece of code does the principal registration, and when I have no j_username and j_password specified within the login form I get a void caller identity.
I wondered if I can obtain a reference to the realm within my CustomLoginModule.initialize() or login() methods.
Or if there is a way to impersonate my web application and set a constant "caller identity". This would be even better.
Thanks in advance for your advice.