0 Replies Latest reply on Nov 15, 2012 7:39 AM by baitas

    ServiceProviderAuthenticator valve clears programmatic request.login()

    baitas

      Hello all,

      Using picketlink 2.1.5-FINAL and jboss 7.1.

      I have a project that needs to use both picketlink and a local store as authentication providers for different sets of users.

      In trying to fulfill the above, I built the following security domain, which I think should do what I need:


      <security-domain name="sp" cache-type="
        <authentication>
          <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
          </login-module>
          <login-module code="RealmUsersRoles" flag="sufficient">
            <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
            <module-option name="realm" value="ApplicationRealm"/>
            <module-option name="password-stacking" value="useFirstPass"/>
          </login-module>
          <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="sufficient">
            <module-option name="password-stacking" value="useFirstPass"/>
          </login-module>
        </authentication>
        <audit>
          <provider-module code="org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider"/>
        </audit>
      </security-domain>
      I designed a test application with a private area that automatically triggers picketlink to send the appropriate request to the IDP (the picketlink part is working).

      In order to allow a different login method, I created a login form and a custom servlet that calls request.login(username,password) with credentials that are accepted by my local user store.

      If I remove the picketlink valve from jboss-web.xml, my custom login operates as expected. If I leave the picketlink valve in, the call to request.login() succeeds, but the next request returns me a null principal. From what I am seeing, I think that picketlink's valve or some other code is clearing the authentication cache, even if a valid JAAS principal exists.

      Is there any way to get picketlink to play well with other authentication modules?

      TIA