2 Replies Latest reply on Jul 18, 2012 3:53 AM by david_b

    Communicating Return Codes from a Custom Login Module

    david_b Newbie

      Hi all,

       

      I'm using a custom login module on JBoss AS 6 to support account locking after too many failed login attempts. If login fails due to a locked account I'd like to communicate this back to the Servlet to display a "your account is locked" message to the user.

       

      Unfortunately sending return codes from the module back to the servlet is proving difficult. I'm attempting to set an attribute on the session in the login module and retrieve this in the servlet, but the attribute is never present.

       

      Any idea why the session attribute isn't available? Is there a better way to communicate return codes back from a custom login module?

       

      My login module code:

      public class LockingDatabaseServerLoginModule extends DatabaseServerLoginModule
      {
          @Override
          public boolean login() throws LoginException
          {
              String[] info = getUsernameAndPassword();
              String username = info[0];
        
              if( isAccountLocked( username ) )
              {
                  // Add locked attribute to the session object
                  HttpServletRequest request;
                  try
                  {
                      request = (HttpServletRequest) PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
                      request.setAttribute("accountlocked", true);
                  }
                  catch (PolicyContextException e)
                  {
                      e.printStackTrace();
                  }           
                              
                  throw new AccountLockedException();
              }
      
              /* snip */
          }
      }
      

       

       

      My servlet code:

      public class LoginServlet extends HttpServlet
      {
           public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
           { 
              String username = request.getParameter("j_username").toLowerCase();
              String password = request.getParameter("j_password");
               
              try
              {
                  request.login(username, password);
              }
              catch (ServletException e)
              {
                  // Check the locked attribute on the session
                  Object attrib = request.getSession().getAttribute("accountlocked");
      
                 // ***attrib is always null at this point***
      
              }
              
              /* snip */ 
          }
      }
      

       

       

      Any help would be greatly appreciated.

       

      Thanks

      Dave