1 Reply Latest reply on Jan 19, 2011 11:53 PM by Gaurav Agarwal

    JBoss 6 custom web login

    green pepper Newbie



      This probably is an old topic, but since I haven't found a good solution on the net, I am bringing it up again.


      I am exploring JBoss security and trying to figure out a good AAA (authentication, authorization, auditing) design for our application.


      Initially, I plan to use the container managed security, i.e. the JEE standard role based security. However, I encountered a hurdle that the users in our system is not uniquely identified by username. Specifically, to login a user, our application needs

      (IdA, idB, idC...) + password


      The JEE standard form based authentication doesn't meet this requirement. Then I coded a custom JAAS login module and created a dynamic security domain in my war. The login module and related callback handlers were successfully invoked by securitycontext.login(). However, request.getRemoteUser(), request.getUserPrincipal() returns null. (Interestingly, SecurityAssociation.getPrincipal() getSubject() returns correct info) and 403 returned on accessing the role protected resources.


      Is there a way to programmatically inject info to web container security context so that request.getRemoteUser()/getUserPrincipal() are populated? So that and I just need to make a custom login module for authentication and use the JEE standard role based authorization for web and EJB.


      If this not possible in JBoss 6, what are other options I have? We are not considering using Spring, so acegi might not be an option.


      I have been struggling on this problem for a while so thank you very much for your help,