5 Replies Latest reply on Jul 17, 2011 5:20 PM by henk de boer

    custom authentication module?

    herb Newbie

      How to implement a custom authentication module in AS 7?


      Background: I have several webapps running on Tomcat. I have an external authentication system (running outside Tomcat) which authenticates users and also returns the users roles granted by the authentication system. I wrote a Tomcat valve which speaks with the (external) authentication system. If the user cannot be authenticated, the valve blocks the request, otherwise this valve creates a Principal instance, which can be accessed in the application (request.getUserPrincipal()).


      Now I want to switch to AS 7 with my apps. How can I add such functionality to AS 7?

      (I tried Glassfish and wrote a JASPIC-JSR196 module, but AS 7 does not support JSR196. So is there a way in AS7 to do that?)

        • 1. Re: custom authentication module?
          Darran Lofthouse Master

          How does the authentication actually occur? 

          Is there something special in the HTTP messages or is it still a form of username/password authentication?

          How do you authenticate with your remote system?  Is it something like a database/ldap or something more specific?

          • 2. Re: custom authentication module?
            herb Newbie

            My question is: Is in AS7 an interface where custom authentication stuff can be performed?


            My special case is: I have an authentication server, which acts as reverse proxy (and it sits before the app server). So only authenticated requests come to the app server. So it is not the problem to prohibit non autheticated users to access app server. The problem is, that each authenticated user has some properties (e.g. belongs to which department, has some name, has some roles, ...). And I want to access these properties in a JEE way. In my tomcat valve I put these properties in a custom Principal. This principal can be accessed with JEE API calls (request.getUserPrincipal()) in the web app. request.isUserInRole() also works fine, so a developer can use declarative security with the standard JEE means.

            => Is there a way to do this in AS7?

            • 3. Re: custom authentication module?
              Darran Lofthouse Master

              Do you have any need for this to be propagaed on to an EJB tier at all or is it fine for this to just be visible in the web tier?

              • 4. Re: custom authentication module?
                herb Newbie

                Actually I need it in the web tier. (Becaue we don't already have any EJBs, because we migrating from tomcat - but in future we will use EJB, and then we need it in the EJB tier.)


                Whats the difference?


                Do you have a solution for one of the both?

                • 5. Re: custom authentication module?
                  henk de boer Master

                  I don't have a solution for this, but if you do a real container authentication, then it should automatically propagate to the EJB modules. E.g. if request.getUserPrincipal works, the corresponding call should also work inside an EJB.


                  For this question, maybe the EJB issue is not that relevant and the focus should be on getting this request.getUserPrincipal to work. JBoss AS 6 and before had a very elaborate system for plugging in Login Modules (either your own or ones provided by JBoss), so I guess this really should be supported in JBoss AS 7 as well.