1 Reply Latest reply on Apr 18, 2013 1:09 PM by Cristian Duicu

    Programatic web authentication with custom security domain on JBoss 7.1.1 Final

    Cristian Duicu Newbie

      Hi,

      I have seen similar discussions here but I still could not get an answer to my problem. I have a custom login module configured in a security domain which works fine via JNDI. I want to login from web application using the same. I think I am missing something in configuration and I would very much apreciate some help.

       

      Here is the configuration in standalone.xml:

      Realm:

      <security-realm name="MyRealm">
           <authentication>
                <jaas name="AMStub"/>
           </authentication>
      </security-realm>
      
      

       

      Security Domain:

      <security-domain name="AMStub" cache-type="default">
           <authentication>
                <login-module code="com.example.AMStubLoginModule" flag="required" module="com.example"/>
           </authentication>
      </security-domain>
      

       

      I then have a simple web application where I want to implement the authentication programatically via a filter. Here is web.xml:

       

      <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
                version="2.5">
                <display-name>test-web</display-name>
                <servlet>
                          <servlet-name>TestServlet</servlet-name>
                          <servlet-class>com.proto.web.TestServlet</servlet-class>
                          <load-on-startup>1</load-on-startup>
                </servlet>
                <servlet-mapping>
                          <servlet-name>TestServlet</servlet-name>
                          <url-pattern>/test/</url-pattern>
                </servlet-mapping>
      
                <servlet>
                          <servlet-name>SecurityServlet</servlet-name>
                          <servlet-class>com.proto.web.SecurityServlet</servlet-class>
                          <load-on-startup>1</load-on-startup>
                </servlet>
                <servlet-mapping>
                          <servlet-name>SecurityServlet</servlet-name>
                          <url-pattern>*.auth</url-pattern>
                </servlet-mapping>
      
            <filter>
                          <filter-name>SecurityFilter</filter-name>
                          <filter-class>com.proto.web.ServletSecurityFilter</filter-class>
                          <init-param>
                                    <param-name>login_page</param-name>
                                    <param-value>/loginForm.jsp</param-value>
                          </init-param>
                </filter>
                <filter-mapping>
                          <filter-name>SecurityFilter</filter-name>
                          <servlet-name>TestServlet</servlet-name>
                </filter-mapping>
      </web-app>
      

       

      I also have a jboss-web.xml in WEB-INF directory with this content:

      <jboss-web>
        <security-domain>AMStub</security-domain>
      </jboss-web>
      

       

      In the ServletSecurityFilter the code looks like this:

      .....
      String userId = request.getParameter("j_username");
      String passwd = request.getParameter("j_password");
      try {
           request.login(userId, passwd);
           logger.info("user " + userId + " logged in successfully");
           ......
      } catch (ServletException e) {
           logger.info("failed authenticating user " + userId, e);
      }
      ...
      

       

      But at runtime I get the following exception:

      09:43:24,483 INFO  [com.sigma.proto.web.SecurityServlet] (http--127.0.0.1-8080-1) failed authenticating user test: javax.servlet.ServletException: No authenticator available for programmatic login
                at org.apache.catalina.connector.Request.login(Request.java:3254) [jbossweb-7.0.13.Final.jar:]
                at org.apache.catalina.connector.RequestFacade.login(RequestFacade.java:1082) [jbossweb-7.0.13.Final.jar:]
                at com.proto.web.SecurityServlet.processRequest(SecurityServlet.java:71) [classes:]
                at com.proto.web.SecurityServlet.doPost(SecurityServlet.java:41) [classes:]
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
      

       

      NOTE: Although it says that the question is assumed answered, it is not .... I just don't know how to revert that.

        • 1. Re: Programatic web authentication with custom security domain on JBoss 7.1.1 Final
          Cristian Duicu Newbie

          I got this working, although the solution is rather strange to me. The fix was in the web.xml:

           

          <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

                    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"

                    version="2.5">

                    <display-name>test-web</display-name>

           

                    <servlet>

                              <servlet-name>TestServlet</servlet-name>

                              <servlet-class>com.proto.web.TestServlet</servlet-class>

                              <load-on-startup>1</load-on-startup>

                    </servlet>

                    <servlet-mapping>

                              <servlet-name>TestServlet</servlet-name>

                              <url-pattern>/test/</url-pattern>

                    </servlet-mapping>

           

                    <servlet>

                              <servlet-name>SecurityServlet</servlet-name>

                              <servlet-class>com.proto.web.SecurityServlet</servlet-class>

                              <load-on-startup>1</load-on-startup>

                    </servlet>

                    <servlet-mapping>

                              <servlet-name>SecurityServlet</servlet-name>

                              <url-pattern>*.auth</url-pattern>

                    </servlet-mapping>

           

             <security-constraint>

                   <web-resource-collection>

                      <web-resource-name>MyServlet</web-resource-name>

                      <url-pattern>*.whatever</url-pattern>

                   </web-resource-collection>

              </security-constraint>

           

                     <filter>

                              <filter-name>SecurityFilter</filter-name>

                              <filter-class>com.proto.web.ServletSecurityFilter</filter-class>

                              <init-param>

                                        <param-name>login_page</param-name>

                                        <param-value>/loginForm.jsp</param-value>

                              </init-param>

                    </filter>

                    <filter-mapping>

                              <filter-name>SecurityFilter</filter-name>

                              <servlet-name>TestServlet</servlet-name>

                    </filter-mapping>

            </web-app>

           

          Essentially, I created a security constraint that is not mapped to anything real in the application, but this will force JBoss to attach an authenticator to the servlet context.

          Like I said, this is very odd, but it works. Is this a but in JBoss? Is is supposed to work like this?

          1 of 1 people found this helpful