1 Reply Latest reply on Dec 18, 2009 5:40 AM by johnneeson

    Web login: problem with WebAuthentication

    johnneeson

I have a requirement to update web login functionality. The original system allowed a user to have a single password. The authorisation used the built-in j_security_check, with standard LoginModule and CallbackHandler classes. All of this worked perfectly well.


The additional requirement is that the user can have many login credentials - passwords for now, but other types may be added in future.


The org.jboss.security.auth.callback.UsernamePasswordHandler constructor allows the credential type to be an Object. Therefore it seemed reasonable to use this with an appropriate custom LoginModule to handle the specific credential type - a SubmittedCredential class which wraps the submitted password and the reference password identifier.


      In the login.jsp form, the ACTION points to a Servlet - j_security_check is not usable because the credential is not a simple password.



      This excerpt from the PasswordLoginServlet.doPost shows my first attempt at the login.


{code}
// This object wraps a password String, with a Long id (of the Entity that stores the reference password)
SubmittedCredential credential = new SubmittedCredential(submittedPassword, credentialId);

// Using the standard org.jboss.security.auth.callback.UsernamePasswordHandler with a custom LoginModule
UsernamePasswordHandler handler = new UsernamePasswordHandler(userName, credential);
LoginContext lc = new LoginContext(APPLICATION_POLICY, handler);
lc.login();
{code}


This seemed to work perfectly well: the PasswordLoginModule extracted the password and credentialId from the SubmittedCredential, ran the query to get the reference password, verified the submitted password, ran the roles query etc.


      The only problem is that the web container is not aware of the login, and redirects back to the login.jsp. Further research indicated that I should use the WebAuthentication class. The following excerpt shows the modified login code:


{code}
// This object wraps a password String, with a Long id (of the Entity that stores the reference password)
SubmittedCredential credential = new SubmittedCredential(submittedPassword, credentialId);

log.debug("do WebAuthentication");
WebAuthentication webA = new WebAuthentication();
// login() is declared to take an Object credential, so the wrapper is passed directly
boolean status = webA.login(userName, credential);

if (!status) {
    log.debug("WebAuthentication failed ");
    resp.sendRedirect("login-error.jsp");
    return;
}
{code}


      The login method returns false, and the login-error.jsp is displayed. The debug is not very informative.


{code}
DEBUG [com.ecebs.common.accesscontrol.login.password.PasswordLoginServlet] do WebAuthentication
DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.web.tomcat.security.login.WebAuthentication, false)
DEBUG [org.apache.catalina.loader.WebappClassLoader]   Searching local repositories
DEBUG [org.apache.catalina.loader.WebappClassLoader]     findClass(org.jboss.web.tomcat.security.login.WebAuthentication)
DEBUG [org.apache.catalina.loader.WebappClassLoader]   Delegating to parent classloader at end: java.net.FactoryURLClassLoader@7df42c
DEBUG [org.apache.catalina.loader.WebappClassLoader]   Loading class from parent
DEBUG [com.ecebs.common.accesscontrol.login.password.PasswordLoginServlet] WebAuthentication failed
{code}


      Casting credential to Object made no difference. I also tried it with a call to login with:

{code}
webA.login(userName, submittedPassword);
{code}


This did initiate the authentication sequence - which obviously failed. It appears that login() only works with a String credential, although the method signature is:

{code}
public boolean login(String username, Object credential)
{code}


Have I missed something? Is it possible to login with an Object type credential?


      Thanks
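As an added example (not the poster's code, and not JBoss's own WebAuthentication or UsernamePasswordHandler), here is the LoginModule side of the design described above: a JAAS module that receives an Object credential through JBoss's ObjectCallback, which UsernamePasswordHandler is assumed here to fill with the credential object it was constructed with, fails closed on any other credential type, and compares the submitted password to the reference in constant time. SubmittedCredential and the in-memory reference store are hypothetical stand-ins for the poster's classes and entity query.

```java
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.jboss.security.auth.callback.ObjectCallback;

// Hypothetical stand-in for the poster's SubmittedCredential: password plus reference id.
class SubmittedCredential {
    final String password; final Long credentialId;
    SubmittedCredential(String password, Long credentialId) { this.password = password; this.credentialId = credentialId; }
}

public class SubmittedCredentialLoginModule implements LoginModule {
    private CallbackHandler handler;
    private boolean loginOk;
    // Constructed in-memory reference store keyed by credential id (the poster's version runs an entity query).
    private final Map<Long, String> referenceStore = new HashMap<Long, String>();

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        referenceStore.put(42L, "s3cret");   // constructed sample reference password
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("User name: ");
        ObjectCallback oc = new ObjectCallback("Credential: ");   // JBoss callback carrying an arbitrary Object
        try {
            handler.handle(new Callback[] { nc, oc });
        } catch (Exception e) {
            throw new LoginException("Callback handling failed: " + e.getMessage());
        }
        Object cred = oc.getCredential();
        if (!(cred instanceof SubmittedCredential)) {
            // Fail closed on any other credential type rather than falling back to a String compare.
            throw new LoginException("Unsupported credential type for user " + nc.getName());
        }
        SubmittedCredential sc = (SubmittedCredential) cred;
        String reference = referenceStore.get(sc.credentialId);
        // MessageDigest.isEqual compares in constant time (Java 6u17 and later), avoiding a timing side channel.
        loginOk = reference != null && MessageDigest.isEqual(reference.getBytes(), sc.password.getBytes());
        if (!loginOk) throw new LoginException("Invalid credential for user " + nc.getName());
        return true;
    }
    public boolean commit() { return loginOk; }
    public boolean abort()  { loginOk = false; return true; }
    public boolean logout() { loginOk = false; return true; }
}
```

A production module would also populate the Subject with the user's principal and role group in commit(), as the poster's roles query does; that part is omitted here to keep the credential handling in focus.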