2 Replies Latest reply on Feb 17, 2009 4:32 PM by vparmar

    Can I create a login .war module that my other .war modules

    aconn7

      I have created a custom login module to authenticate against our Domino server. Rather than having to (redundantly) set up security in each and every web module, can I just deploy the login functionality as a stand-alone web module that my other web modules leverage?

      Sorry if this is a newbie question!

      Thanks,

      Andy

        • 1. Re: Can I create a login .war module that my other .war modu
          ragavgomatam

          Answer is no. Make it a Custom Jaas Module & sprinkle

           <security-constraint>
             <web-resource-collection>
               <web-resource-name>SecurePages</web-resource-name>
               <description>
                 Security constraint testing using custom Jaas Module
               </description>
               <url-pattern>/jsp/secure.jsp</url-pattern>
               <http-method>POST</http-method>
               <http-method>GET</http-method>
             </web-resource-collection>
             <auth-constraint>
               <description>Only let the authenticated users login</description>
               <role-name>admin</role-name>
               <role-name>webAdmin</role-name>
             </auth-constraint>
             <user-data-constraint>
               <description>Determines the transport layer security</description>
               <transport-guarantee>NONE</transport-guarantee>
             </user-data-constraint>
           </security-constraint>
           <login-config>
             <auth-method>BASIC</auth-method>
             <realm-name>JaasRealm</realm-name>
           </login-config>
           <security-role>
             <description>The Only Secure Role</description>
             <role-name>admin</role-name>
           </security-role>
           <security-role>
             <description>Another Secure Role</description>
             <role-name>webAdmin</role-name>
           </security-role>
          tags in your web.xml and

          <security-domain>java:/jaas/MyJaas</security-domain>

          in jboss-web.xml. You are set.
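For the `<security-domain>java:/jaas/MyJaas</security-domain>` above to do anything, JBoss needs a matching `<application-policy name="MyJaas">` in `conf/login-config.xml` whose `<login-module code="..." flag="required"/>` names a JAAS `LoginModule` class. Below is an added example of such a class, written for this thread rather than taken from it or from JBoss: it runs the standard JAAS two-phase lifecycle (`login()` verifies the credentials, `commit()` attaches the principals) and publishes the roles that the `<auth-constraint>` above names (`admin`, `webAdmin`) in the `Roles` group that JBoss reads. The package and class names are assumptions, and the in-memory user table is a constructed stand-in for the Domino lookup the original poster's module performs.

```java
package example.security; // assumed package name

import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

/** JAAS login module for the "MyJaas" application-policy (assumed class, see lead-in). */
public class DominoLoginModule implements LoginModule {

    // Constructed stand-in for the Domino directory: user -> {password, role...}.
    // In the real module checkCredentials() would query the Domino server instead.
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static {
        USERS.put("alice", new String[] { "alice-secret", "admin" });
        USERS.put("bob", new String[] { "bob-secret", "webAdmin" });
    }

    private Subject subject;
    private CallbackHandler callbackHandler;
    private String username;
    private String[] roles;
    private Principal userPrincipal; // added to the Subject in commit(), removed in logout()
    private SimpleGroup rolesGroup;  // JBoss reads the user's roles from a Group named "Roles"

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = handler;
    }

    // Phase 1: ask the container for the credentials and verify them.
    public boolean login() throws LoginException {
        if (callbackHandler == null) throw new LoginException("no CallbackHandler available");
        NameCallback nameCb = new NameCallback("username");
        PasswordCallback passCb = new PasswordCallback("password", false);
        try {
            callbackHandler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("callback not supported: " + e.getCallback());
        }
        char[] password = passCb.getPassword();
        passCb.clearPassword();
        roles = checkCredentials(nameCb.getName(), password);
        if (password != null) Arrays.fill(password, '\0'); // drop the cleartext copy early
        if (roles == null) throw new FailedLoginException("invalid user name or password");
        username = nameCb.getName();
        return true;
    }

    // Phase 2: all required modules succeeded, so attach the principals to the Subject.
    public boolean commit() throws LoginException {
        if (roles == null) return false;
        userPrincipal = new SimplePrincipal(username);
        rolesGroup = new SimpleGroup("Roles");
        for (String role : roles) rolesGroup.addMember(new SimplePrincipal(role));
        subject.getPrincipals().add(userPrincipal);
        subject.getPrincipals().add(rolesGroup);
        return true;
    }

    // Another required module failed: forget everything gathered so far.
    public boolean abort() throws LoginException {
        boolean hadState = roles != null;
        logout();
        return hadState;
    }

    public boolean logout() throws LoginException {
        if (userPrincipal != null) {
            subject.getPrincipals().remove(userPrincipal);
            subject.getPrincipals().remove(rolesGroup);
        }
        username = null; roles = null; userPrincipal = null; rolesGroup = null;
        return true;
    }

    /** Returns the user's roles, or null when the credentials are wrong. */
    static String[] checkCredentials(String user, char[] password) {
        String[] entry = (user == null) ? null : USERS.get(user);
        if (entry == null || password == null) return null;
        char[] expected = entry[0].toCharArray();
        // Compare every character whatever the first mismatch position is, so the
        // response time does not leak how much of the password was correct.
        int diff = expected.length ^ password.length;
        for (int i = 0; i < expected.length && i < password.length; i++) diff |= expected[i] ^ password[i];
        if (diff != 0) return null;
        String[] userRoles = new String[entry.length - 1];
        System.arraycopy(entry, 1, userRoles, 0, userRoles.length);
        return userRoles;
    }
}
```

The `<role-name>` values in `<auth-constraint>` are matched against the members of the `Roles` group, so a user whose group lacks `admin` or `webAdmin` is refused even though `login()` succeeded. One caveat on the `web.xml` above: with `<auth-method>BASIC</auth-method>` the browser resends the base64-encoded password on every request, so `<transport-guarantee>NONE</transport-guarantee>` puts those credentials on the wire in the clear; `CONFIDENTIAL` is the usual setting unless TLS is terminated in front of JBoss.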

          • 2. Re: Can I create a login .war module that my other .war modu
            vparmar

            We have a solution for web applications deployed on the same JBoss instance to delegate authentication to a different co-hosted web application.


            Essentially, for web applications/modules ABC1, ABC2, ..., a Servlet Filter checks for request/session parameters (for example USER_NAME, etc.). If the Servlet Filter does not find a user in the request/session, it forwards the request to the LOGON_XYZ web app responsible for authentication.

            The LOGON_XYZ web application authenticates the User by validating the credentials provided by the User.

            Once the user is successfully authenticated, the LOGON_XYZ web application a) sets the user information in the request and b) forwards the request to the ABC1 web application. The ABC1 web app's Servlet Filter checks and finds a user in the request and allows the user to continue to the requested page flow.

            The Servlet Filter code is somewhat like this


            package somepackage;

            import java.io.IOException;
            import javax.servlet.Filter;
            import javax.servlet.FilterChain;
            import javax.servlet.FilterConfig;
            import javax.servlet.RequestDispatcher;
            import javax.servlet.ServletContext;
            import javax.servlet.ServletException;
            import javax.servlet.ServletRequest;
            import javax.servlet.ServletResponse;
            import javax.servlet.http.HttpServletRequest;
            import javax.servlet.http.HttpSession;

            /**
             * MyServletFilter intercepts the host web application's requests and checks whether a User is logged in.
             * If no User is logged in to the host web application, the request is forwarded to the LOGON_XYZ
             * web application for Authentication.
             *
             * @author parmarv
             */
            public class MyServletFilter implements Filter {

                // Attribute under which the authenticated User is kept: in this web application's session,
                // and in the request when LOGON_XYZ forwards back after a successful login.
                private static final String USER_ATTRIBUTE = "USER_NAME_TOKEN_OR_ID";

                private FilterConfig filterConfig = null;

                // Called once when the container starts the web application
                public void init(FilterConfig filterConfig) {
                    this.filterConfig = filterConfig;
                }

                // Called once when the container stops the web application
                public void destroy() {
                    this.filterConfig = null;
                }

                public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                        throws IOException, ServletException {

                    if (!(request instanceof HttpServletRequest)) {
                        // Not an HTTP request: nothing to check, continue normal operation
                        chain.doFilter(request, response);
                        return;
                    }

                    HttpServletRequest httpRequest = (HttpServletRequest) request;
                    HttpSession session = httpRequest.getSession(true);

                    // A request forwarded back from LOGON_XYZ carries the User in a request attribute
                    // (each web application has its own HttpSession, so LOGON_XYZ cannot write into ours).
                    // Remember the User in our session so that later requests do not go through LOGON_XYZ again.
                    Object forwardedUser = httpRequest.getAttribute(USER_ATTRIBUTE);
                    if (forwardedUser != null && session.getAttribute(USER_ATTRIBUTE) == null) {
                        session.setAttribute(USER_ATTRIBUTE, forwardedUser);
                    }

                    if (session.getAttribute(USER_ATTRIBUTE) != null) {
                        // User is logged in since USER_NAME_TOKEN_OR_ID is available.
                        // Continue normal operation (the chain is invoked exactly once).
                        chain.doFilter(request, response);
                        return;
                    }

                    // User is not logged in (new session, or session without USER_NAME_TOKEN_OR_ID).
                    // Invoke LOGON_XYZ. Fail closed if the filter cannot reach it, rather than letting
                    // the request through unauthenticated.
                    if (filterConfig == null) {
                        throw new ServletException("MyServletFilter has not been initialised");
                    }
                    String appContextLOGON_XYZ = filterConfig.getInitParameter("LOGON_XYZ_CONTEXT");
                    if (appContextLOGON_XYZ == null) {
                        throw new ServletException("Filter init-param LOGON_XYZ_CONTEXT is missing");
                    }
                    String dispatchPath = "/ABC1_User_home.jsp";
                    ServletContext sc = filterConfig.getServletContext().getContext("/" + appContextLOGON_XYZ);
                    if (sc == null) {
                        // getContext() returns null when cross-context dispatching is disabled for this
                        // web application or LOGON_XYZ is not deployed.
                        throw new ServletException("Cannot reach LOGON_XYZ context /" + appContextLOGON_XYZ);
                    }
                    RequestDispatcher rd = sc.getRequestDispatcher(dispatchPath);
                    rd.forward(request, response);
                }
            }



            This solution only works for web applications that DO NOT use JBoss Container Managed Security. It is advisable as a workaround only. I am currently working on a solution for the same issue for my project.

            I have posted this solution only to show that it is possible to use a second web app to delegate the authentication logic to.

            HTH,

            vparmar
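The posted filter is only the host (ABC1) half of the exchange. The following is an added example, not vparmar's code, of what the LOGON_XYZ half could look like under the design described above: a servlet that takes the submitted credentials, validates them through a JAAS `LoginContext` (so a custom login module such as the one the original poster already has can be reused), stores the user name in the request under the same `USER_NAME_TOKEN_OR_ID` attribute the host filter checks, and forwards back into the host context. The class and package names, the `RETURN_CONTEXT`, `RETURN_PATH` and `JAAS_CONFIG_NAME` init-params, the `username`/`password` form fields and the `/login.jsp` page are all assumptions.

```java
package example.logon; // assumed package name

import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Login servlet of the LOGON_XYZ web application (assumed design, see lead-in).
 * On success it stores the user in a request attribute and forwards back into the
 * host web application, whose filter copies the user into its own session.
 */
public class LogonServlet extends HttpServlet {

    // Must match the attribute name the host application's filter checks.
    static final String USER_ATTRIBUTE = "USER_NAME_TOKEN_OR_ID";

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username"); // assumed form field names
        String password = req.getParameter("password");
        if (username == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing credentials");
            return;
        }

        if (!authenticate(username, password.toCharArray())) {
            // One generic message: do not reveal whether the user name or the password was wrong.
            req.setAttribute("loginError", "Invalid user name or password");
            req.getRequestDispatcher("/login.jsp").forward(req, resp);
            return;
        }

        // Request attributes are set server-side during the forward and cannot be supplied
        // by the client the way a request parameter could, so the host filter can rely on it.
        req.setAttribute(USER_ATTRIBUTE, username);

        String returnContext = getInitParameter("RETURN_CONTEXT"); // e.g. "/ABC1"
        String returnPath = getInitParameter("RETURN_PATH");       // e.g. "/index.jsp"
        ServletContext host = getServletContext().getContext(returnContext);
        if (host == null) {
            throw new ServletException("Cannot reach host context " + returnContext
                    + " (is cross-context dispatching enabled?)");
        }
        host.getRequestDispatcher(returnPath).forward(req, resp);
    }

    /** Runs the JAAS login configuration named by the JAAS_CONFIG_NAME init-param. */
    boolean authenticate(String username, char[] password) throws ServletException {
        String configName = getInitParameter("JAAS_CONFIG_NAME"); // e.g. "MyJaas"
        if (configName == null) {
            throw new ServletException("Servlet init-param JAAS_CONFIG_NAME is missing");
        }
        try {
            LoginContext ctx = new LoginContext(configName, new FormCallbackHandler(username, password));
            ctx.login();
            // Only the yes/no answer is needed here; the Subject is not kept.
            try { ctx.logout(); } catch (LoginException ignored) { }
            return true;
        } catch (LoginException e) {
            return false;
        } finally {
            Arrays.fill(password, '\0'); // drop the cleartext password once the module has seen it
        }
    }

    /** Hands the submitted credentials to whichever login module asks for them. */
    static final class FormCallbackHandler implements CallbackHandler {
        private final String username;
        private final char[] password;

        FormCallbackHandler(String username, char[] password) {
            this.username = username;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // PasswordCallback copies the array
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }
}
```

Because a forward is a server-side dispatch, a request attribute set here cannot be injected by the client the way a request parameter named `USER_NAME` could, which is why the hand-off uses an attribute rather than a parameter; the trust boundary is the JBoss instance, so every co-hosted application able to forward into ABC1 must be trusted to the same degree. For the host filter to see the forwarded request at all, its `<filter-mapping>` needs `<dispatcher>FORWARD</dispatcher>` in addition to `REQUEST`, and both web applications need cross-context dispatching enabled, or `getContext()` returns null. A single fixed `RETURN_CONTEXT` serves one host application; to serve ABC1 and ABC2 from the same LOGON_XYZ, the host filter would have to carry its own context path and requested URI along in the forward.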