1 Reply Latest reply on Jul 10, 2006 8:39 AM by soshah

    Authenticating user in servlet

    jochenb

      Hi,

      I have a proprietary client which sends a hardware ID in the http request for authenticating the device.

      But we want to use the standard J2EE security mechanisms in our application and use the vendor neutral api request.isUserInRole() and getRemoteUser().

      So I developed an Authenticator extending AuthenticatorBase. This authenticator takes the device identifier from the request and looks up a username and password in a device table in the database. So I have a mapping from the device id to a username and password.
      These credentials are used to authenticate the user to the JBoss security modules:

      // Delegate the looked-up credentials to the context's Realm (the JBoss security domain)
      Principal principal = realm.authenticate(username, password);
      if (principal == null) {
          response.sendError(HttpServletResponse.SC_FORBIDDEN);
          return false;
      }

      // Save the authenticated Principal in our session and on the request so that
      // getRemoteUser() / isUserInRole() work for the rest of the request
      session.setNote(Constants.SESS_USERNAME_NOTE, principal);
      request.setUserPrincipal(principal);
      request.setAuthType("PENSERIAL");
      return true;


      This approach works, if the device id comes in the request headers of the http request. But unfortunately the device identifier is stored in a multipart request body. So I would have to access the body of the request in the authenticator. But if I access the body in the authenticator the servlet will get streaming errors accessing the body after the authenticator was executed.

      So the approach with the authenticator does not help me. Is there a possibility to execute a login to the JBoss container from inside the servlet so that the request is modified by the container to contain the principal and the isUserInRole method succeeds?

      Something like

      JBossAPI.getSecurityRealm().authenticate(username,password);


      Regards
      Jochen
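
      An added example (not code from the original post or from JBoss/Tomcat) of what the custom Authenticator described above could look like as a whole, written against the Tomcat 5.5 Catalina API that JBoss 4.0 embeds (org.apache.catalina.connector.Request/Response, AuthenticatorBase, LoginConfig). The class name DeviceIdAuthenticator, the header name X-Device-Id, the JNDI name java:/DeviceDS and the DEVICE table with columns DEVICE_ID, USERNAME and PASSWORD are all assumptions chosen for the example. It deliberately takes the device id only from a request header, never from the request body: reading request.getInputStream() inside the authenticator is exactly what consumes the multipart stream before the servlet sees it.

```java
package example; // hypothetical package for the added example

import java.io.IOException;
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

import org.apache.catalina.Realm;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;

// Maps a client-supplied device id (sent in a header) to a username/password
// pair stored server-side, then lets the context's Realm decide whether that
// user is valid. The device id itself is never treated as a credential.
public class DeviceIdAuthenticator extends AuthenticatorBase {

    private static final String AUTH_TYPE = "PENSERIAL";
    private static final String DEVICE_HEADER = "X-Device-Id";   // assumed header name
    private static final String DATASOURCE_JNDI = "java:/DeviceDS"; // assumed JNDI name

    public boolean authenticate(Request request, Response response, LoginConfig config)
            throws IOException {
        // Reuse an identity already established on this session, as the built-in
        // authenticators do, so the database lookup runs once per session.
        Session session = request.getSessionInternal(true);
        Principal cached = session.getPrincipal();
        if (cached != null) {
            request.setUserPrincipal(cached);
            request.setAuthType(AUTH_TYPE);
            return true;
        }

        // Only a header is consulted here. Reading the body at this point would
        // leave the servlet with an already-consumed multipart stream.
        String deviceId = request.getHeader(DEVICE_HEADER);
        if (deviceId == null || deviceId.length() == 0) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        String[] credentials = lookupCredentials(deviceId);
        if (credentials == null) {
            // Unknown device: same response as a failed login, no detail leaked
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        // Delegate to the Realm (the JBoss security domain) exactly as a
        // form or basic login would; the Realm owns password checking and roles.
        Realm realm = context.getRealm();
        Principal principal = realm.authenticate(credentials[0], credentials[1]);
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        // Record the identity on the session and the current request so that
        // getRemoteUser() and isUserInRole() work in the servlet.
        session.setNote(Constants.SESS_USERNAME_NOTE, principal);
        session.setPrincipal(principal);
        request.setUserPrincipal(principal);
        request.setAuthType(AUTH_TYPE);
        return true;
    }

    // Looks up the username/password pair registered for a device id.
    // Returns null when the device is unknown. A parameterised query keeps the
    // client-controlled device id out of the SQL text.
    private String[] lookupCredentials(String deviceId) {
        String sql = "SELECT USERNAME, PASSWORD FROM DEVICE WHERE DEVICE_ID = ?";
        Connection conn = null;
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(DATASOURCE_JNDI);
            conn = ds.getConnection();
            PreparedStatement ps = conn.prepareStatement(sql);
            ps.setString(1, deviceId);
            ResultSet rs = ps.executeQuery();
            if (!rs.next()) {
                return null;
            }
            return new String[] { rs.getString(1), rs.getString(2) };
        } catch (NamingException e) {
            return null;
        } catch (SQLException e) {
            return null;
        } finally {
            if (conn != null) {
                try { conn.close(); } catch (SQLException ignore) { }
            }
        }
    }
}
```

      The authenticator is wired in like any other Catalina Valve, by naming the class as the authenticator for the web application's login-config auth-method in the container's authenticator configuration. Because it never touches the request body, a multipart upload reaches the servlet intact; a device that only sends its id inside the body would have to be changed to send it in a header as well for this approach to apply.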

        • 1. Re: Authenticating user in servlet
          soshah

          Jochen-

          With your custom Authenticator approach,

          did you try doing a browser redirect that sends back the same exact request information, maybe minus the deviceid information, once the authentication is successful and the user's identity is successfully established within the Authenticator?

          I am thinking once the user's identity is established in the container, re-sending the browser request should not break your servlet anymore with streaming issues.