combination of JAAS
zilbi Mar 9, 2008 2:04 PMHi Guys,
am trying to develop a website with the regular login feature and also to enable programmatic login to be used by affiliates via API.
working with "jboss-4.2.2.GA" i got the first part (using the FORM login) done fast enough. but i cannot complete the second part...
:(
also added a simple LoginServlet; trying to login to this servlet works.
but after that, when i try access a resource that is under the protected area i get redirection to the login.jsp page!
why? didn't i just login with the servlet?
what am i missing?
here is my code below...
thanks!
my login-config.xml:
<application-policy name="jinni"> <authentication> <login-module code="org.jboss.security.ClientLoginModule" flag="required"> <module-option name="restore-login-identity">true</module-option> <module-option name="multi-threaded">true</module-option> </login-module> <login-module code="com.jinni.security.LoginModule" flag="required"> <module-option name="managedConnectionFactoryName"> jboss.jca:service=LocalTxCM,name=JinniDatasource </module-option> <module-option name="dsJndiName"> java:/JinniDatasource </module-option> <module-option name="principalsQuery"> select password from users where user_name =? </module-option> <module-option name="rolesQuery"> select roles.name as 'Roles', 'Roles' as 'RoleGroups' from users, security_profile_roles, roles where roles.id = security_profile_roles.role_id and security_profile_roles.security_profile_id = users.security_profile_id and users.user_name =? </module-option> <module-option name="restore-login-identity">true</module-option> <module-option name="multi-threaded">true</module-option> </login-module> </authentication> </application-policy>
and my web.xml:
<security-constraint> <web-resource-collection> <web-resource-name>action</web-resource-name> <url-pattern>/protected/*</url-pattern> <http-method>HEAD</http-method> <http-method>GET</http-method> <http-method>POST</http-method> <http-method>PUT</http-method> <http-method>DELETE</http-method> </web-resource-collection> <auth-constraint> <role-name>Echo</role-name> </auth-constraint> <user-data-constraint> <description>no description</description> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/error.jsp</form-error-page> </form-login-config> </login-config> <security-role> <description>A user allowed to invoke echo methods</description> <role-name>Echo</role-name> </security-role> <servlet>
the login.jsp:
<html > <head> <title></title> <!-- To prevent caching --> <% response.setHeader("Cache-Control","no-cache"); // HTTP 1.1 response.setHeader("Pragma","no-cache"); // HTTP 1.0 response.setDateHeader ("Expires", -1); // Prevents caching at the proxy server %> </head> <body> <form name="logonForm" action="j_security_check" method="post"> <table width="100%" border="0" cellspacing="0" cellpadding="1" bgcolor="white"> <tr align="center"> <td align="right" class="Prompt"></TD> <td align="left"> <input type="text" name="j_username" maxlength=20> </td> </tr> <tr align="center"> <td align="right" class="Prompt"> </TD> <td align="left"> <input type="password" name="j_password" maxlength=20 > </td> </tr> <tr align="center"> <td align="right" class="Prompt"> </TD> <td align="left"> <input type="submit" value="Login"> </td> </tr> </table> </form> </body> </html>
the LoginServlet:
protected void doPost(HttpServletRequest req, HttpServletResponse response) throws ServletException, IOException { PrintWriter pw = response.getWriter(); try { // Get the form's username & password fields // String user = req.getParameter("user"); String pass = req.getParameter("pass"); // is that needed??? // could not hurt WebAuthentication webA = new WebAuthentication(); boolean flag = webA.login(user, pass); pw.write("flag = " + flag); pw.write('\n'); // Use the username/password to initialize the // callback handler and then do the authentication. PassiveCallbackHandler cbh = new PassiveCallbackHandler(user, pass); LoginContext lc = new LoginContext("jinni", cbh); lc.login(); // Loop through all Principals and Credentials. // Iterator it = lc.getSubject().getPrincipals().iterator(); while (it.hasNext()) pw.write("Authenticated: " + it.next().toString() + "<br>"); it = lc.getSubject().getPublicCredentials(Properties.class).iterator(); while (it.hasNext()) pw.write(it.next().toString()); lc.logout(); } catch(Exception E) { System.err.println(E); pw.write("An Error Has Occurred"); pw.flush(); } }
thanks again
:)