1. Re: Can I create a login .war module that my other .war modu
ragavgomatam Jan 10, 2008 10:27 PM (in response to aconn7)

Answer is no. Make it a Custom Jaas Module & sprinkle

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>SecurePages</web-resource-name>
        <description>Security constraint testing using custom Jaas Module</description>
        <url-pattern>/jsp/secure.jsp</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>Only let the authenticated users login</description>
        <role-name>admin</role-name>
        <role-name>webAdmin</role-name>
      </auth-constraint>
      <user-data-constraint>
        <description>Determines the transport layer security</description>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JaasRealm</realm-name>
    </login-config>
    <security-role>
      <description>The Only Secure Role</description>
      <role-name>admin</role-name>
    </security-role>
    <security-role>
      <description>Another Secure Role</description>
      <role-name>webAdmin</role-name>
    </security-role>

tags in your web.xml and

    <security-domain>java:/jaas/MyJaas</security-domain>

in jboss-web.xml. You are set.
2. Re: Can I create a login .war module that my other .war modu
vparmar Feb 17, 2009 4:32 PM (in response to aconn7)

We have a solution for Web applications deployed on the same JBoss Instance to delegate Authentication to a different co-hosted web application.
Essentially, for Web Application/Module ABC1, ABC2, a Servlet Filter checks for Request/Session parameters (for example USER_NAME, etc). If the Servlet Filter does not find a user in request/session, then it forwards the Request to the LOGON_XYZ Web App responsible for Authentication.
The LOGON_XYZ web application authenticates the User by validating the credentials provided by the User.
Once the User is successfully Authenticated, the LOGON_XYZ web application a) Sets the User information in the Request b) forwards the Request to the ABC1 web application. The ABC1 Web app Servlet Filter checks and finds a User in the Request and allows User to continue to the requested page flow.
The Servlet Filter code is somewhat like this

    package somepackage;

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.RequestDispatcher;
    import javax.servlet.ServletContext;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;

    /**
     * MyServletFilter intercepts the host web application's requests and inspects them to verify that a User is logged in.
     * If a User is not logged in to the host web application, the User is forwarded to the LOGON_XYZ web application for authentication.
     * @author parmarv
     */
    public class MyServletFilter implements Filter {

        private FilterConfig filterConfig = null;

        // This method is called once on server startup
        public void init(FilterConfig filterConfig) {
            this.filterConfig = filterConfig;
        }

        // This method is called once on server shut down
        public void destroy() {
            this.filterConfig = null;
        }

        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            // Check if the user attribute is available in the session for this request.
            boolean invokeLOGON_XYZ = false;
            if (request instanceof HttpServletRequest) {
                HttpSession session = ((HttpServletRequest) request).getSession(true);
                if (session.isNew()) {
                    // Invoke LOGON_XYZ.
                    invokeLOGON_XYZ = true;
                } else if (session.getAttribute("USER_NAME_TOKEN_OR_ID") == null) {
                    // User is not logged in since USER_NAME_TOKEN_OR_ID is not available.
                    // Invoke LOGON_XYZ
                    invokeLOGON_XYZ = true;
                }
                // Otherwise the user is logged in since USER_NAME_TOKEN_OR_ID is available.

                // The forward decision is made after both session checks, so a new
                // session is sent to LOGON_XYZ as well.
                if (invokeLOGON_XYZ) {
                    if (filterConfig == null) {
                        // Without configuration the login application cannot be located;
                        // refuse the request instead of passing it on unauthenticated.
                        throw new ServletException("MyServletFilter is not initialised");
                    }
                    String appContextLOGON_XYZ = filterConfig.getInitParameter("LOGON_XYZ_CONTEXT");
                    String dispatchPath = "/ABC1_User_home.jsp";
                    ServletContext sc = this.filterConfig.getServletContext().getContext("/" + appContextLOGON_XYZ);
                    RequestDispatcher rd = sc.getRequestDispatcher(dispatchPath);
                    rd.forward(request, response);
                    return;
                }
            }
            // Continue normal operation; the chain is invoked exactly once per request.
            chain.doFilter(request, response);
        }
    }

This solution only works for Web applications that DO NOT use JBoss Container Managed Security. This solution is advisable as a workaround solution only. I am currently working on a solution for the same for the current issue for my project.
I have posted this solution only to show that it is possible to use a second web app to delegate the authentication logic to.
HTH,
vparmar
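
An added example, not part of vparmar's post: the ABC1-side step the post describes, where the filter picks up the user that LOGON_XYZ placed in the request before forwarding. It assumes Servlet 3.0 or later (for `getDispatcherType()`) with the servlet API on the classpath; the class name `LogonHandoff` and the attribute name `AUTHENTICATED_USER` are hypothetical.

```java
package somepackage;

import javax.servlet.DispatcherType;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example: ABC1-side acceptance of the user handed over by LOGON_XYZ.
public final class LogonHandoff {

    // Hypothetical request attribute set by LOGON_XYZ after it validates credentials.
    static final String HANDOFF_ATTRIBUTE = "AUTHENTICATED_USER";
    // Session attribute that MyServletFilter looks for.
    static final String SESSION_ATTRIBUTE = "USER_NAME_TOKEN_OR_ID";

    private LogonHandoff() {
    }

    /** Returns true if a server-side handoff was found and bound to a fresh session. */
    public static boolean accept(HttpServletRequest request) {
        // The handoff only ever arrives on a container forward. A request that came
        // straight from the client is never treated as one.
        if (request.getDispatcherType() != DispatcherType.FORWARD) {
            return false;
        }
        // Attributes are set by server code; parameters and headers are client
        // input and are deliberately not consulted.
        Object user = request.getAttribute(HANDOFF_ATTRIBUTE);
        if (!(user instanceof String) || ((String) user).trim().isEmpty()) {
            return false;
        }
        // Replace the pre-login session so its ID does not survive the login
        // (session fixation), then record the user where the filter expects it.
        HttpSession preLogin = request.getSession(false);
        if (preLogin != null) {
            preLogin.invalidate();
        }
        request.getSession(true).setAttribute(SESSION_ATTRIBUTE, user);
        return true;
    }
}
```

The filter would call `LogonHandoff.accept(...)` before its session check, and its `<filter-mapping>` needs `<dispatcher>REQUEST</dispatcher>` and `<dispatcher>FORWARD</dispatcher>` so that it also runs on the forward from LOGON_XYZ.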