0 Replies Latest reply on May 29, 2011 6:34 AM by Amir Hadi

    Web Application Authentication

    Amir Hadi Newbie

      Hi,


      First of all, I wanted to mention that I am completely new to this community, so don't slap me if this is the wrong category for this kind of question! If this is the wrong category, I would ask the administrators to move this discussion to the right category.


      I need to create a demonstration web application where users need to authenticate themselves in two steps. The best result would be to achieve this authentication with JAAS.


      The basic two steps are:

      1. Authenticate with username and password against LDAP:
        1. The user visits a website / web application but is not authenticated
        2. The user is redirected to a login page and enters his username and password
        3. The user credentials are validated through JAAS with an LDAP LoginModule (this actually works already) --> The user is now "half" authenticated
        4. The user receives a kind of token / transaction number on his mobile phone. He needs to enter this token before he is fully authenticated
      2. The user can access a special page where he can enter his token:
        1. The token (which is generated and stored in the first step) is validated. This can be achieved through JNDI access to the directory service
        2. If the token is valid, the user is fully authenticated


      How would you implement that? My first idea is: I'll create a web application with two security constraints in web.xml. One for the complete protected content (url-pattern: /*) with the auth-constraint set to a role like "FullAuthenticated", and a second security constraint for the token page (url-pattern: /token.jsp) with the auth-constraint set to a role like "HalfAuthenticated". This would allow the user to log in with his username and password and (if successfully (half) authenticated) to access the token.jsp page, but not the other protected content of the application. After his token validation, he can access the complete application.


      Does that sound naive / stupid / impossible or can this work? Any comments? How can I add a role (in the directory there are no roles defined) to a user in the JAAS LoginModule? How can I tell JBoss to reference the jaas.config file?


      Any help is much appreciated.
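As an added example (not code from the original post, and not JBoss's own code), the two-step design described above sketched in plain JAAS: a password step whose LoginModule adds a "HalfAuthenticated" role principal to the Subject in commit(), and a token step whose module checks the token stored by step 1 and adds "FullAuthenticated". The class names, the in-memory maps standing in for the LDAP directory and for the stored token, the fixed token value and the programmatic Configuration (used here instead of a jaas.config file so the demo runs stand-alone) are all assumptions made for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class TwoStepJaasDemo {

    /** Minimal Principal; the same class carries the user name and each role name. */
    public static final class DemoPrincipal implements Principal {
        private final String name;
        DemoPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
        @Override public boolean equals(Object o) { return o instanceof DemoPrincipal && ((DemoPrincipal) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    // Constructed stand-ins for the directory (user -> password) and for the token stored
    // in step 1 (user -> token). The poster keeps both in LDAP; this demo keeps them in memory.
    static final Map<String, String> DIRECTORY = new HashMap<>();
    static final Map<String, String> PENDING_TOKENS = new HashMap<>();
    static { DIRECTORY.put("alice", "s3cret"); }

    /** Constant-time comparison so a failed check leaks nothing about a matching prefix. */
    static boolean same(String expected, char[] actual) {
        if (expected == null || actual == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                new String(actual).getBytes(StandardCharsets.UTF_8));
    }

    /** Shared skeleton: ask for a name and a secret, verify them, and on commit add the user plus one role. */
    abstract static class StepLoginModule implements LoginModule {
        Subject subject; CallbackHandler handler; String user; boolean verified;
        abstract String prompt();                          // what the PasswordCallback asks for
        abstract boolean verify(String user, char[] secret);
        abstract String roleGranted();                     // role principal added to the Subject on success

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback(prompt(), false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            user = nc.getName();
            char[] secret = pc.getPassword();
            verified = verify(user, secret);
            pc.clearPassword();
            if (!verified) throw new FailedLoginException("authentication failed");
            return true;
        }
        public boolean commit() {
            if (!verified) return false;
            subject.getPrincipals().add(new DemoPrincipal(user));          // identity
            subject.getPrincipals().add(new DemoPrincipal(roleGranted())); // role: this is how the module "adds a role"
            return true;
        }
        public boolean abort() { verified = false; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Step 1: password check (stand-in for the LDAP LoginModule); on success a token is stored for step 2. */
    public static class PasswordStep extends StepLoginModule {
        String prompt() { return "password: "; }
        String roleGranted() { return "HalfAuthenticated"; }
        boolean verify(String u, char[] pw) {
            if (!same(DIRECTORY.get(u), pw)) return false;
            PENDING_TOKENS.put(u, "482913"); // constructed value; generate randomly and send to the phone in practice
            return true;
        }
    }

    /** Step 2: one-time token check; the stored token is consumed whether or not the guess matched. */
    public static class TokenStep extends StepLoginModule {
        String prompt() { return "token: "; }
        String roleGranted() { return "FullAuthenticated"; }
        boolean verify(String u, char[] token) {
            String expected = PENDING_TOKENS.remove(u); // single use: a wrong guess burns it too
            return same(expected, token);
        }
    }

    /** Programmatic replacement for jaas.config: two application entries, one module each. */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                String cls = name.equals("token-step") ? TokenStep.class.getName() : PasswordStep.class.getName();
                return new AppConfigurationEntry[] { new AppConfigurationEntry(cls,
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, String>()) };
            }
        };
    }

    /** CallbackHandler that answers the name and secret prompts with fixed values (replaces the login form). */
    static CallbackHandler answers(String user, String secret) {
        return cbs -> { for (Callback c : cbs) {
            if (c instanceof NameCallback) ((NameCallback) c).setName(user);
            else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(secret.toCharArray()); } };
    }

    public static void main(String[] args) throws LoginException {
        Subject subject = new Subject();
        new LoginContext("password-step", subject, answers("alice", "s3cret"), config()).login();
        System.out.println("after step 1: " + subject.getPrincipals());
        new LoginContext("token-step", subject, answers("alice", "482913"), config()).login();
        System.out.println("after step 2: " + subject.getPrincipals());
    }
}
```

Two caveats for carrying this into the container setup the post describes. First, the servlet container runs the login module configured for the web application once, when the FORM login succeeds; the second LoginContext above is a separate programmatic login, so the token page would have to trigger that second login itself (or a filter would have to gate /* on a session flag set after token validation) rather than rely on a second web.xml constraint alone. Second, a plain Principal per role, as used here, is what the JAAS API gives you; how the container maps Subject principals to the roles named in auth-constraint is container-specific, so check the role-mapping convention of the JBoss version in use (its bundled login modules return roles grouped under a Group named "Roles") before expecting "HalfAuthenticated" to satisfy a constraint.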