JBoss 7.1.1 web service programmatic JAAS authentication.
dragos.n Oct 5, 2012 3:04 AM
Hi,
First of all, please excuse my English, and if I posted in the wrong place, please direct me to the right one.
I have a simple POJO as a web service, something like this, that is mapped to, let's say, /public/authenticate:

    import javax.jws.WebMethod;
    import javax.jws.WebService;
    import javax.jws.soap.SOAPBinding;

    @WebService
    @SOAPBinding(style = SOAPBinding.Style.DOCUMENT)
    public class AuthWS {
        @WebMethod
        public boolean doAuthenticate(String securityToken) {
            ....
        }
    }
This web service doesn't require authentication and is not a protected resource.
I also have other private web services mapped to the path /private/ws/*.
For the moment I use a security domain that has a Database login module set up. It works fine, but the user first needs to authenticate through a web form that makes a POST request to /j_security_check. Only after this step can the user use the other private web services.
I want to perform programmatic authentication after the client calls this doAuthenticate method, so that the client is able to invoke the other /private/ws/* web service methods.
I'll type what I want to achieve:
    import java.util.HashMap;
    import java.util.Map;
    import javax.jws.WebMethod;
    import javax.jws.WebService;
    import javax.jws.soap.SOAPBinding;

    @WebService
    @SOAPBinding(style = SOAPBinding.Style.DOCUMENT)
    public class AuthWS {
        @WebMethod
        public boolean doAuthenticate(String securityToken) {
            // SomeSecurityManager is a placeholder for whatever JBoss API does this.
            SomeSecurityManager manager = SomeSecurityManager.getDefaultManager();
            Map<String, Object> map = new HashMap<String, Object>();
            map.put("MY_CUSTOM_SECURITY_TOKEN", securityToken);
            manager.doLogin(map);
            // After the web service method returns, the client should be able to invoke the other private web services.
            // This means the manager should associate an authenticated user with this session,
            // so that authorization works.
        }
    }

And my CustomLoginModule:

    import java.util.Map;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.login.LoginException;
    import javax.security.auth.spi.LoginModule;

    class CustomLoginModule implements LoginModule {
        ...
        public void initialize(Subject subject, CallbackHandler callbackHandler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            // store what's needed
        }

        public boolean login() throws LoginException {
            // get the securityToken sent from the SomeSecurityManager and validate it.
            // get the user information from that token and store it into the Subject object.
            return true; // placeholder; the real module returns the result of the validation
        }
    }
And in my CustomLoginModule, which implements the JAAS LoginModule, I check that securityToken with custom logic, for example verifying that it is correctly signed with a public key. That securityToken contains information about the principal.
If you need more details, feel free to ask.
Thanks.
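An added example, not part of the original post or of JBoss, of what the sketched CustomLoginModule could look like as a plain JAAS LoginModule: it verifies the token's signature before trusting any claim, rejects expired tokens, and only adds the principal to the Subject in commit(). It assumes a constructed token format (base64url(user:expiry) + "." + base64url(HMAC-SHA256)), that the caller puts the token into the JAAS sharedState map under MY_CUSTOM_SECURITY_TOKEN, and that the shared key arrives through a module option named tokenKey; an HMAC is used instead of the public-key signature the post mentions to keep the example self-contained, and wiring the resulting Subject into the JBoss web session is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Constructed token format: base64url(user:expiryEpochSeconds) + "." + base64url(HMAC-SHA256 of the first part).
public class TokenLoginModule implements LoginModule {
    private Subject subject;
    private Map<String, ?> sharedState;  // the caller places the token here (assumption)
    private byte[] key;                   // shared secret from the module option "tokenKey" (assumption)
    private Principal pending;            // principal held back until commit() succeeds
    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = sharedState;
        this.key = String.valueOf(options.get("tokenKey")).getBytes(StandardCharsets.UTF_8);
    }
    @Override public boolean login() throws LoginException {
        Object raw = sharedState.get("MY_CUSTOM_SECURITY_TOKEN");
        if (!(raw instanceof String)) throw new LoginException("no security token supplied");
        String[] parts = ((String) raw).split("\\.", -1);
        if (parts.length != 2) throw new LoginException("malformed token");
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] expected = mac.doFinal(parts[0].getBytes(StandardCharsets.US_ASCII));
            // Verify the signature in constant time before trusting any claim in the token.
            if (!MessageDigest.isEqual(expected, Base64.getUrlDecoder().decode(parts[1])))
                throw new LoginException("bad token signature");
            String[] claims = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8).split(":", -1);
            if (claims.length != 2 || Long.parseLong(claims[1]) < System.currentTimeMillis() / 1000)
                throw new LoginException("token expired or malformed");
            final String user = claims[0];
            pending = new Principal() { public String getName() { return user; } };
            return true;
        } catch (GeneralSecurityException | IllegalArgumentException e) {  // bad base64, bad number, no HMAC
            throw new LoginException("token rejected: " + e.getMessage());
        }
    }
    @Override public boolean commit() { if (pending != null) subject.getPrincipals().add(pending); return pending != null; }
    @Override public boolean abort() { pending = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```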