0 Replies Latest reply on Sep 27, 2006 3:53 PM by Kevin Johnson

    Container-managed Portal Security

    Kevin Johnson Newbie


      We are using container-managed security defined in the web-inf/web.xml file and the server's login-config.xml file. The validation uses LDAP/Active Directory and is successful. However we continue to have problems with the authentication being visible through the portal. We cannot retrieve the user information through the request object when it is referenced through the portal, but it is successful when referenced directly.

      An example:

      We apply container managed authentication to "/*" which is everything in the app server and require authentication against the "portal" security realm. The attempt to access "http://localhost:8080/portal/myPortal" results in the popup of a generic login window with username and password fields. Filling in LDAP credentials works and causes display of the portal index page.

      We have modified the portlet2Description.jsp to print the username using "request.getRemoteUser()" which should print the container's authenticated user. When rendered by the portlet (http://localhost:8080/portal/myPortal/portlet2), the username is null.
      When rendered directly by accessing http://localhost:8080/myportal/portlets/portlet2/portlet2Description.jsp, it is the correct LDAP username.

      Has anyone seen this or have any ideas?

      Windows XP SP2
      JBoss Portal 2.2.1SP3 Bundle (4.0.4GA)

      The other issue we're seeing is the rendering of the portlet page before the security constraint is applied. Upon initial login, the index.jsp prints information to the log from the doView method before the login popup appears. There is a security constraint applied to "/*" in the portal/WEB-INF/web.xml file and also a security constraint on the portlet instance in the portal/WEB-INF/portal-object.xml file. Hitting "Cancel" on the login still displays the portlet page with only minor problems (images do not appear).