3 Replies Latest reply on Aug 20, 2008 7:38 PM by ragavgomatam

    some questions on authentication

    maggu

      Hi All,
      Apologies if these questions have been asked before or if they are naive, but I am writing after doing some searching on the web and the forum. Do point me to any tutorial / web resource if you think it can answer my questions.

      I am relatively new to JBoss/JAAS authentication, and have successfully implemented a sample web application which uses the form-based authentication method. On the server side, I have a custom class which extends the DatabaseLoginModule. My questions are the following:

      1) Does one have to use form with 'j_security_check' to initialize the security workflow?
      2) How could I extend this if I needed to have the username password in my HTTP request?
      3) It seems like once JBoss authenticates the user, an HTTP session is maintained until the JBoss cache expires. Is this true? Meaning once logged into a web application, if the subsequent JSP / Servlet calls fall inside the security restrictions defined in web.xml, a session is maintained and there is no need for extra authentication on each step.
      4) I understand JBoss 'WebAuthentication' is similar but is mostly for programmatic login. Can it be used from a JSP / Swing / .NET client? If so, how? Is there any useful web resource / tutorial you could point me to?

      Thanks, and hoping for some feedback from the forum.

        • 1. Re: some questions on authentication
          ragavgomatam

          Answers below:

          (1) If you want to use JAAS for authentication, YES.
          (2) Passwords are NEVER stored in the request. The Principal can be got from the request after successful authentication by calling

          request.getUserPrincipal()

          (3) After successful authentication the Principal is cached till the expiry of the HttpSession. Yes, no need for extra authentication till the session expires.
          (4) Can be used from JSPs and Servlets. For that matter, any web-based client is fine this way.
          Not Swing. You'll need to do a typical JAAS login (with CallbackHandlers and config files) for that. No, a .NET client cannot do a JAAS login.

          Hope this helps


          • 2. Re: some questions on authentication
            maggu

            Thanks ragavgomatam. That helps a lot.
            Do you know of any resources/examples for the Swing authentication?

            • 3. Re: some questions on authentication
              ragavgomatam

              Check out the sticky "JAAS Howto: README FIRST" in this forum.
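The "typical JAAS login with CallbackHandlers and config files" that reply 1 says a Swing client needs, written out as an added example (it is not code from this thread or from the sticky). The config entry name `client-login` and the use of JBoss's `ClientLoginModule` are assumptions; that module only stages the credential for later remote calls, so the server still does the real authentication when the client invokes it.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.util.Arrays;

// Added example: a plain JAAS client login, which a Swing (non-web) client has
// to drive itself because there is no j_security_check form or container here.
// Assumes a JAAS config file selected with
//   -Djava.security.auth.login.config=jaas.conf
// containing an entry named "client-login" (name and module are assumptions):
//
//   client-login {
//       org.jboss.security.ClientLoginModule required;
//   };
public class SwingJaasLogin {

    /** Hands the username/password collected by the Swing UI to the LoginModule. */
    static final class UiCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        UiCallbackHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // the callback clones the array
                } else {
                    throw new UnsupportedCallbackException(cb, "Unsupported callback");
                }
            }
        }
    }

    /** Runs the login; returns the authenticated Subject or throws LoginException. */
    static Subject login(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("client-login", new UiCallbackHandler(user, password));
        try {
            lc.login();               // drives CallbackHandler -> LoginModule.login()/commit()
            return lc.getSubject();
        } finally {
            Arrays.fill(password, '\0'); // clear the password from memory once it has been used
        }
    }
}
```

Call `lc.logout()` on the same `LoginContext` when the client is done so the cached credential is discarded rather than living for the process lifetime.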