2 Replies Latest reply on Jan 14, 2005 4:12 PM by starksm64

    JAAS Security

    sbuster

      Can someone explain to me how the security credentials (Subject/Principal etc) are set on the HttpServletRequest object with respect to J2EE/JAAS? For example, most app servers use JAAS login modules to connect into an LDAP/Database. But once that authentication is done, how are those objects populated into the HttpServletRequest, so when I call request.getUserPrincipal I get the correct objects back?

      Thanks

        • 1. Re: JAAS Security
          shady

          I am very interested in this too. I am trying to build authentication into my webapp. It appears that the subject is lost between requests. I thought, once authenticated, a subject lasts for the duration of the session. In my scenario I invoke a protected JSP and am taken to my form-based log on page. I log on no problem. I now invoke an unprotected page. I try to access the subject but a null is returned. When I again invoke a protected page I am asked to log on again! Surely this is the incorrect behaviour.

          • 2. Re: JAAS Security
            starksm64

            Read the JAAS howto where it talks about the web tier security integration. Unless you are under a URI secured via a security constraint there does not have to be a principal associated with the request.
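
Added example, not part of the thread or of any poster's reply: a `web.xml` fragment showing the kind of security constraint the last reply refers to, laid out for the protected-JSP and form-login scenario described in reply 1. The URL patterns, page names and the role name `user` are assumptions chosen for illustration.

```xml
<!-- Fragment of WEB-INF/web.xml (Servlet 2.4 descriptor); all paths and the role name are assumed. -->

<!-- Requests under /secure/* are covered by a security constraint, so the
     container authenticates the caller before dispatching. These are the
     URIs where request.getUserPrincipal() is expected to be non-null. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected pages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Only callers the login module maps to this role are admitted. -->
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require TLS so the form credentials and session cookie are not sent in clear text. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Form-based login: the container redirects unauthenticated requests for
     /secure/* to the login page, which posts j_username and j_password
     to j_security_check. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>

<!-- Anything outside /secure/* (for example /index.jsp) matches no
     security-constraint. As the reply above says, a principal does not have
     to be associated with those requests, so code on such pages must treat
     a null from request.getUserPrincipal() as "not authenticated here"
     and must not base access decisions on it. -->
```

A page that needs the caller's identity should sit under a constrained URL pattern rather than depend on a principal being carried over to unconstrained URIs.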