5 Replies Latest reply on Aug 6, 2007 5:33 PM by kpalania

Moving away JBoss Portal from FORM-based authentication

kpalania Aug 2, 2007 12:18 PM

Hi,
I've been able to use FORM based authentication and authenticate the JBoss Portal user using my a JAAS security realm that uses module/password stacking. Now, I want to move away from using j_security_check but still use the login modules and my security realm.

I made the changes to web.xml to comment out the security constraints and roles, and added a filter that explicitly calls LoginContext and uses the security realm. However, I can't get this to work as I get ClassCast and other Exceptions which I am sure are related to missing principals. I'ven't modified the login modules one bit, so what could cause this?

Am I missing a step or two, in moving away from FORM-based authentication?

1. Re: Moving away JBoss Portal from FORM-based authentication

soshah Aug 2, 2007 12:33 PM (in response to kpalania)

kpalania-

For better integration with JAAS I would recommend using a Tomcat Valve instead of a Servlet Filter

Thanks
Actions
2. Re: Moving away JBoss Portal from FORM-based authentication

kpalania Aug 2, 2007 12:52 PM (in response to kpalania)

ok, will look into that. any pointers/examples?

also, for now, do you know why using a filter wouldn't work? the principals don't seem to be set. if i keep everything else the same and use my security realm with the form-based authentication, things work fine.
Actions
3. Re: Moving away JBoss Portal from FORM-based authentication

kpalania Aug 6, 2007 1:01 PM (in response to kpalania)

ok, will look into that. any pointers/examples?

also, for now, do you know why using a filter wouldn't work? the principals don't seem to be set. if i keep everything else the same and use my security realm with the form-based authentication, things work fine.
Actions
4. Re: Moving away JBoss Portal from FORM-based authentication

kpalania Aug 6, 2007 1:03 PM (in response to kpalania)

The "portal.principal" session attribute is not set to the authenticated user, in my case, and that is what is causing the problem.

I have 2 apps, running in JBoss and the custom login module implementation code is part of a shared library used by both these apps. However, the session is different for these 2 apps, and hence, the authenticated user doesn't seem to be set in the session for the 2nd app. Does this make sense, and is this a JBoss bug??

Is there a workaround?
Actions
5. Re: Moving away JBoss Portal from FORM-based authentication

kpalania Aug 6, 2007 5:33 PM (in response to kpalania)

Related thread:
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4071378#4071378
Actions

Go to original post