5 Replies Latest reply on Jan 29, 2010 9:48 AM by atijms

    WebAuthentication only authenticates for a single request?

    plukh

      I'm trying to implement programmatic Web login on JBoss 5.0.1 GA. After I got my custom login module working, I ran into the following issue. When I log the user in (by using WebAuthentication.login()), all user-related methods (such as getRemoteUser and isUserInRole) work correctly. On the next request, however, it seems like the association is lost - getUserPrincipal/getRemoteUser return null, etc.

      I know that with form-based auth, once the security check is triggered and the user is logged in, they remain logged in until the session expires. Why isn't that so with programmatic login? Is this something I'm doing wrong on my end, or is that how WebAuthentication is supposed to work?

        • 1. Re: WebAuthentication only authenticates for a single request
          mjdinsmore

          After you get the valid login, stick the username and password into the session and then have the filter validate that on every subsequent request into the web server.

          It doesn't get put into the http request session automagically, you gotta make it happen.

          • 2. Re: WebAuthentication only authenticates for a single request
            mjdinsmore

            Sorry, rereading what I wrote, it doesn't make sense. The Principal can be obtained from the request after successful authentication by calling

            request.getUserPrincipal()

            After successful authentication the Principal is cached until the HttpSession expires -- no extra authentication is needed until then.

            But if you have other special requirements, like preventing multiple sign-ons from different clients and such, then you'd have to do some work.

            • 3. Re: WebAuthentication only authenticates for a single request
              henk53

              mjdinsmore wrote:

              Sorry, rereading what I wrote, it doesn't make sense.

              It indeed doesn't make sense, yet I'm having the same problem. Everything seems to work fine. The security context is even propagated correctly to the EJB container if I call an EJB in the same request, but in the next request all authentication info seems to be gone.

              I'm using JBoss AS 5.1 and trying this in a very simple app with 1 page and 2 classes.

              • 4. Re: WebAuthentication only authenticates for a single request
                atijms

                This is a common problem in JBoss AS 5.1.

                If you look more closely at the session (using a debugger) you'll find that the session object internally actually does remember the login; it's just the request object that isn't updated with this knowledge. If I'm not mistaken, EJBs also remember that you're still logged in, i.e. the security context still propagates correctly to the EJB layer, even if the request.getUserPrincipal method is already returning null.

                • 5. Re: WebAuthentication only authenticates for a single request
                  atijms

                  After digging a little bit further into this, it appears that the request object only gets updated with the login data if you have 'some' security-constraint in your web.xml. The security constraint doesn't have to make sense though. It can be a completely bogus configuration; it just has to be there.

                  E.g. I used the following for a project which doesn't make use of container declarative security for pages, but for which it's still necessary to have the security context in EJBs and where backing beans inspect request.isCallerInRole manually.

                  I added the following to web.xml:

                  <security-role>
                      <role-name>nobody</role-name>
                  </security-role>

                  <security-constraint>
                      <web-resource-collection>
                          <web-resource-name>dontexist</web-resource-name>
                          <description>A pattern that does not exist</description>
                          <url-pattern>/does_not_exist/*</url-pattern>
                      </web-resource-collection>
                      <auth-constraint>
                          <description>Does not exist</description>
                          <role-name>nobody</role-name>
                      </auth-constraint>
                  </security-constraint>

                  <login-config>
                      <auth-method>BASIC</auth-method>
                      <realm-name>MyRealm</realm-name>
                  </login-config>

                  After having added this to web.xml, requesting a page again after a programmatic login successfully returns the principal from the request object.
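The following is an added example, not code posted by anyone in this thread, showing the whole procedure the question and reply 5 describe: a servlet that logs a user in programmatically with org.jboss.web.tomcat.security.login.WebAuthentication, and a GET handler on the same servlet that a later request can hit to see whether the container still returns the principal. It assumes the web.xml fragment above is in place (the bogus constraint and the realm), that a JAAS login module is bound to the application's security domain, and that WebAuthentication exposes login(String username, Object credential) returning boolean, as it does in JBoss AS 5.x. The class name, the servlet mapping, the request parameter names and the role "user" are hypothetical. Unlike the suggestion in reply 1, the password is never stored in the session: the container's cached principal is what carries the login from request to request.

```java
// Added example (not from the thread). Programmatic login on JBoss AS 5.x.
// Hypothetical mapping in web.xml:  <url-pattern>/auth</url-pattern>
//   POST /auth  with username= and password=   -> logs the user in
//   GET  /auth  on a later request              -> reports what the container still knows
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.jboss.web.tomcat.security.login.WebAuthentication; // JBoss AS 5.x API, assumed

public class ProgrammaticLoginServlet extends HttpServlet {

    private static final String REQUIRED_ROLE = "user"; // hypothetical role name

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing credentials");
            return;
        }

        // Discard any pre-login session so an attacker-chosen session id can never
        // become an authenticated one (session fixation), then start a fresh one
        // for the authenticator to cache the principal in.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true);

        // Runs the security domain's login modules. On success the principal is
        // attached to this request; with the security-constraint present in web.xml
        // it is also restored onto subsequent requests from the same session.
        WebAuthentication auth = new WebAuthentication();
        boolean ok = auth.login(username, password);
        password = null; // do not keep the credential around; the session never sees it

        if (!ok) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("logged in as " + describe(req));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Authorization is done by hand here: the constraint in web.xml is bogus,
        // so the container protects nothing on its own.
        Principal p = req.getUserPrincipal();
        if (p == null || !req.isUserInRole(REQUIRED_ROLE)) {
            // If this fires on the request right after a successful POST, web.xml
            // is missing the security-constraint reply 5 describes.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "not authenticated");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("still logged in as " + describe(req));
    }

    /** Human-readable view of what the container associates with this request. */
    static String describe(HttpServletRequest req) {
        Principal p = req.getUserPrincipal();
        return (p == null ? "null" : p.getName())
                + " (remoteUser=" + req.getRemoteUser()
                + ", inRole(" + REQUIRED_ROLE + ")=" + req.isUserInRole(REQUIRED_ROLE) + ")";
    }
}
```

To reproduce the symptom from the question, deploy this without the security-constraint block: the POST response shows a principal, the following GET returns 403 with principal null. Add the constraint and the GET reports the same principal as the POST.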