Basically I'm using a custom Jaas LoginModule to authenticate my web application (my portlet) in a Tomcat Valve. Once authenticated, the Jaas Subject is propagated to a remote JBoss application server.
I have already been using this mechanism successfully with a simple web application (out of a portal context), but I can't make it within my JBoss portal context since after the authentication succeed, I am redirected to the Portal login page.
Following are the details of my JBoss Portal configuration:
1- I added a SSOValve
This valve does something like:
lc = new LoginContext("gubpm-server", subject, new HttpAuthCallbackHandler(httpServletRequest)); lc.login();
2- The "gubpm-server" configuration is defined in the login-config.xml file as:
<application-policy name="gubpm-server"> <authentication> <login-module code="ch.ne.gubpm.security.auth.SSOLoginModule" flag="required" /> <login-module code="org.jboss.security.ClientLoginModule" flag="required"> <!-- Any existing security context will be restored on logout --> <module-option name="restore-login-identity"> true </module-option> </login-module> </authentication> </application-policy>
3- The SSOLoginModule perform a simple authentication which always succeed and produces a Subject this way:
subject.getPrincipals().add(userPrincipal); // user subject.getPublicCredentials().add(password); // password subject.getPrincipals().add(new GUBPMPrincipal("Authenticated")); // role
And a GUBPMPrincipal implements java.security.Principal and only has a name attribute
4- I did not add any security constrainst to my web application. I only defined in the jboss-web.xml file:
to propagate my credentials to the remote JBoss application server
Apparently, even with no security check made on my web pages, the JBoss portal security is called and don't let me pass. I tried with credentials that would normally match the portal administrator profile (userId=admin, password=admin, role=Authenticated) with no success.
I would like to keep this mechanism since I know it will be ok to authenticate on the remote JBoss server that way (once I'm authorized by JBoss portal!)
All I need is to skip this redirection to JBoss Portal login page. I don't care login in the portal for this application.
Anybody knows how to skip this security checking?
One way of achieving this could be to disable the Portal security, but I could not find a clean way of doing it without breaking the entire portal.
Thank you very much for your help!