1. Re: Example of a servlet based login via JAAS
dhinojosa Aug 27, 2001 2:35 PM (in response to jbrell)
The answer you will get is that you don't do it through code. You do it through your web.xml with entries like this:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Employee Protected Web</web-resource-name>
    <description>The following are protected services only accessible by employees</description>
    <url-pattern>/Business/*</url-pattern>
    <url-pattern>/Employee/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>employee</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>MyApp Realm</realm-name>
  <form-login-config>
    <form-login-page>/Login/Login.jsp</form-login-page>
    <form-error-page>/Error/LoginError.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>employee</role-name>
</security-role>
This ensures that every web service within that URL context will have to go to Login.jsp to get authenticated.
The documentation on this JBoss site is exceptional for more info.
Danno
2. Re: Example of a servlet based login via JAAS
jbrell Aug 28, 2001 12:31 PM (in response to jbrell)
Thanks Danno,
I looked through the old archives but I am still missing something. What should the userid and password fields of the login.jsp be named? What action should the form do (GET, POST, to where)?
Thanks,
Jack
> The answer you will get is that you don't do it
> through code. You do it through your web.xml with
> entries like this:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Employee Protected Web</web-resource-name>
>     <description>The following are protected services only accessible by employees</description>
>     <url-pattern>/Business/*</url-pattern>
>     <url-pattern>/Employee/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>employee</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>MyApp Realm</realm-name>
>   <form-login-config>
>     <form-login-page>/Login/Login.jsp</form-login-page>
>     <form-error-page>/Error/LoginError.jsp</form-error-page>
>   </form-login-config>
> </login-config>
> <security-role>
>   <role-name>employee</role-name>
> </security-role>
>
> This ensures that every web service within that
> URL context will have to go to Login.jsp to get
> authenticated.
>
> The documentation on this JBoss site is exceptional
> for more info.
> Danno
3. Re: Example of a servlet based login via JAAS
lothar Aug 28, 2001 5:16 PM (in response to jbrell)
The username field must be named "j_username", the password "j_password", and the action for the form must be "j_securitycheck", so the form could look like
<form action="j_securitycheck" method="POST">
  <input type="text" name="j_username"><br>
  <input type="password" name="j_password"><br>
  <input type="submit">
</form>
For more info see servlet 2.2 specification at http://java.sun.com/products/servlet/download.html
4. Re: Example of a servlet based login via JAAS
jbrell Aug 31, 2001 9:12 AM (in response to jbrell)
Thanks,
One more question. How do you logout in this scenario? How would you retrieve the login context, or is there another way?
- Jack
5. Re: Example of a servlet based login via JAAS
p_d_austin Aug 31, 2001 9:24 AM (in response to jbrell)
The easiest way to do this is to invalidate the session.
Use the following in your servlet (for JSPs there is just a session variable):
request.getSession().invalidate();
Paul
6. Re: Example of a servlet based login via JAAS
rbrindl Sep 16, 2001 6:44 PM (in response to jbrell)
I think it has to be j_security_check (mind the underscore!) for the form-action. (At least that's what I've used all the time and it worked.)
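An audit of the configuration discussed in replies 1, 3 and 6, as an added example that is not part of any post in this thread: it flags a FORM-login constraint whose transport guarantee does not require TLS, roles used without a security-role declaration, and a login form that does not post to j_security_check with j_username and j_password. The function names and inline samples are constructed for illustration, and the descriptor is assumed to carry no XML namespace.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: descriptor entries from reply 1, trimmed and wrapped in <web-app>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Employee Protected Web</web-resource-name>
      <url-pattern>/Business/*</url-pattern>
      <url-pattern>/Employee/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>employee</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
  <security-role><role-name>employee</role-name></security-role>
</web-app>"""

# Constructed sample: the login form from reply 3, with the action name as written there.
LOGIN_FORM = ('<form action="j_securitycheck" method="POST"><input type="text" name="j_username">'
              '<input type="password" name="j_password"></form>')

def audit_descriptor(xml_text):
    """Findings for a FORM-login web.xml without XML namespaces (assumption of this example)."""
    root, findings = ET.fromstring(xml_text), []
    form_auth = (root.findtext("login-config/auth-method") or "").strip() == "FORM"
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    for sc in root.findall("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name", "?")
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        if form_auth and guarantee != "CONFIDENTIAL":
            findings.append(f"{name}: transport-guarantee {guarantee} with FORM login, TLS not required")
        for role in sc.findall("auth-constraint/role-name"):
            if role.text.strip() not in declared | {"*"}:
                findings.append(f"{name}: role {role.text.strip()} has no <security-role>")
    return findings

def audit_login_form(html):
    """Check the form against the action and field names that FORM login expects."""
    m, findings = re.search(r'<form[^>]*\baction="([^"]*)"', html, re.I), []
    action = m.group(1) if m else None
    if action is None or not action.endswith("j_security_check"):
        findings.append(f"form action is {action!r}, expected j_security_check")
    for field in ("j_username", "j_password"):
        if not re.search(rf'<input[^>]*\bname="{field}"', html, re.I):
            findings.append(f"missing input named {field}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_descriptor(WEB_XML) + audit_login_form(LOGIN_FORM)))
```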
7. Re: Example of a servlet based login via JAAS
pitdingo Sep 17, 2001 4:10 PM (in response to jbrell)
What if you have more than a simple user name and password? Like an SSN, username, and password? As far as I can tell, the JAAS implementation is not flexible in this regard... if I cannot invoke the login external to the server's invocation from the deployment descriptor, then how could it ever handle a more complex login such as mine? This is a serious design limitation.
I should be able to invoke the login method from a servlet.
8. Re: Example of a servlet based login via JAAS
sradford Jun 15, 2003 6:31 AM (in response to jbrell)
Does anyone have an answer to the above (how to invoke your own login process for the web layer)?
Regards,
Sean
9. Re: Example of a servlet based login via JAAS
sradford Jun 17, 2003 9:43 AM (in response to jbrell)
Well, I've done some digging in the current code and it looks like you can't (without modifying Jetty) - though maybe when they have AOP working in Jetty you might.
What needs to happen is the ability to register your own Authenticators (org.mortbay.http.SecurityConstraint.Authenticator). And then in org.mortbay.jetty.servlet.WebApplicationContext any registered custom Authenticators to be set for subsequent use.
This would then be against the J2EE specs of course.
Regards,
Sean