9 Replies Latest reply on Jun 17, 2003 9:43 AM by Sean Radford

    Example of a servlet based loging via JAAS

    Jack Brell Newbie

      Can someone post an example of a servlet login to JAAS using a form based userid and password?

      Thanks,

      Jack

        • 1. Re: Example of a servlet based loging via JAAS
          Daniel Hinojosa Master

          The answer you will get is that you don't do it though code. You it through your web.xml with entries like this:

          <security-constraint>
          <web-resource-collection>
          <web-resource-name>Employee Protected Web</web-resource-name>
          The following are protected services only accessable by employees
          <url-pattern>/Business/*</url-pattern>
          <url-pattern>/Employee/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
          <role-name>employee</role-name>
          </auth-constraint>
          <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
          </security-constraint>
          <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>MyApp Realm</realm-name>
          <form-login-config>
          <form-login-page>/Login/Login.jsp</form-login-page>
          <form-error-page>/Error/LoginError.jsp</form-error-page>
          </form-login-config>
          </login-config>

          <security-role>
          <role-name>employee</role-name>
          </security-role>

          This ensures that for every web service within that URL context will have to go to Login.jsp to get authenticated.

          The documentation on this JBoss site is exceptional for more info.
          Danno

          • 2. Re: Example of a servlet based loging via JAAS
            Jack Brell Newbie

            Thanks Danno,

            I looked through the old archives but I am still missing something. What should the userid and password fields of the login.jsp be named. What action should the for do (GET, POST, to where)?



            Thanks,

            Jack



            > The answer you will get is that you don't do it
            > though code. You it through your web.xml with
            > entries like this:
            >
            > <security-constraint>
            >
            >
            >
            > <web-resource-collection>
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            > <web-resource-name>Employee
            > eb-resource-name>Employee Protected
            > Web</web-resource-name>
            >
            >
            >
            >
            >
            >
            >
            >
            > The
            > The following are
            > n>The following are protected services only
            > accessable by employees
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            > <url-pattern>/Business/*</url-pattern>
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            > <url-pattern>/Employee/*</url-pattern>
            >
            >
            >
            >
            > </web-resource-collection>
            > <auth-constraint>
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            > <role-name>employee</role-name>
            > </auth-constraint>
            > <user-data-constraint>
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            > <transport-guarantee>NONE</transport-guarantee>
            >
            > </user-data-constraint>
            > </security-constraint>
            > <login-config>
            >
            >
            >
            >
            >
            >
            >
            >
            >
            > <auth-method>FORM</auth-method>
            > <realm-name>MyApp
            > <realm-name>MyApp Realm</realm-name>
            > <form-login-config>
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            > <form-login-page>/Login/Login.jsp</form-login-page>
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            >
            > <form-error-page>/Error/LoginError.jsp</form-error-pa
            > e>
            > </form-login-config>
            > </login-config>
            >
            > <security-role>
            >
            >
            >
            >
            >
            >
            >
            >
            >
            > <role-name>employee</role-name>
            > </security-role>
            >
            > This ensures that for every web service within that
            > URL context will have to go to Login.jsp to get
            > authenticated.
            >
            > The documentation on this JBoss site is exceptional
            > for more info.
            > Danno

            • 3. Re: Example of a servlet based loging via JAAS
              Juraj Vasko Newbie

              The username field must be named "j_username" the password "j_password" and the action for the form must be "j_securitycheck" so the form could look like

              <form action="j_securitycheck" method="POST">
              <input type="text" name="j_username"><br>
              <input type="password" name="j_password"><br>
              <input type="submit">
              </form>
              


              For more info see servlet 2.2 specification at http://java.sun.com/products/servlet/download.html

              • 4. Re: Example of a servlet based loging via JAAS
                Jack Brell Newbie

                Thanks,

                One more question. How do you logout in this scenario? How would you retrieve the login context, or is there another way.

                - Jack

                • 5. Re: Example of a servlet based loging via JAAS
                  Paul Austin Newbie

                  The easiest way to do this is to invalidate the session.

                  use the following in your servlet (for jsp's there is just a session variable)

                  request.getSession().invalidate();

                  Paul

                  • 6. Re: Example of a servlet based loging via JAAS
                    Ronald Brindl Newbie

                    I think it has to be j_security_check (mind the underscore!) for the form-action. (at least thats what i've used all the time and it worked)

                    • 7. Re: Example of a servlet based loging via JAAS
                      Nathaniel Auvil Newbie

                      what if you have more than a simple user name and password? Like a SSN, username, and password? As far as I can tell, the Jaas implementation is not flexible in this regard...if i can not invoke the login external to the server's invocation from the deployment descriptor, then how could it ever handle a more complex login such as mine? This is a serious design limitation.

                      I should be able to invoke the login method from a servlet.


                      • 8. Re: Example of a servlet based loging via JAAS
                        Sean Radford Novice

                        Does anyone have an answer to the above (how to invoke your own login process for the web layer?)

                        Regards,

                        Sean

                        • 9. Re: Example of a servlet based loging via JAAS
                          Sean Radford Novice

                          Well, I've done some digging in the current code and it looks like you can't (without modifying Jetty) - though maybe when they have AOP working in Jetty you might.

                          What needs to happen is the ability to register your own Authenticators (org.mortbay.http.SecurityConstraint.Auththenticator). And then in org.mortbay.jetty.servlet.WebApplicationContext any registered custom Authenticators to be set for subsequent use.

                          This would then be against the J2EE specs of course.

                          Regards,

                          Sean