8 Replies Latest reply on Feb 20, 2002 3:12 AM by Mike Cannon-Brookes

    Manual Servlet login failure

    Nathaniel Auvil Newbie

      If I do a manual login from a servlet, I can see from my debug println statements that my user was authenticated. However, if I do a request.getCallerPrincipal() on the next page, it returns NULL.

      Shouldn't there have been a Principal object created when I logged in successfully?

        • 1. Re: Manual Servlet login failure
          Scott Stark Master

          Post the testcase code.

          • 2. Re: Manual Servlet login failure
            Nathaniel Auvil Newbie


            I call this twice, once to log in, then again to see the Principal object.

            package org.jboss.docs.jaas.howto;

            import java.io.IOException;
            import java.io.PrintWriter;
            import java.security.Principal;
            import javax.security.auth.Subject;
            import javax.security.auth.login.LoginContext;
            import javax.security.auth.login.LoginException;
            import javax.servlet.ServletException;
            import javax.servlet.http.HttpServlet;
            import javax.servlet.http.HttpServletRequest;
            import javax.servlet.http.HttpServletResponse;

            // AppCallbackHandler is the handler from the JBoss JAAS howto (same package); it is not shown here.
            public class LoginServlet extends HttpServlet
            {
                // Shared by every request and thread: acceptable only for this two-call test.
                private boolean firstTime = true;

                protected void processRequest( HttpServletRequest request, HttpServletResponse response )
                    throws ServletException, IOException
                {
                    //---call this servlet two times just for testing purposes
                    if( firstTime )
                    {
                        String alias = request.getParameter( "alias" );
                        String username = request.getParameter( "j_username" );
                        String password = request.getParameter( "j_password" );

                        System.out.println( "...alias= " + alias );
                        System.out.println( "...userName= " + username );
                        // never write the password itself to the log
                        System.out.println( "...password supplied= " + ( password != null ) );

                        if( username == null || password == null )
                        {
                            response.sendRedirect( "LoginForm.html" );
                            return;
                        }

                        try
                        {
                            AppCallbackHandler handler = new AppCallbackHandler( username, password.toCharArray() );
                            LoginContext lc = new LoginContext( "example1", handler );
                            System.out.println( "....Created LoginContext" );
                            lc.login();

                            //this.callEcho( request, response );

                            Subject subject = lc.getSubject();
                            System.out.println( "....subject= " + subject );

                            //response.sendRedirect( "index.html" );
                        }
                        catch( LoginException le )
                        {
                            System.out.println( "....Login failed" );
                            le.printStackTrace();

                            response.sendRedirect( "LoginForm.html" );
                            return;  // the redirect commits the response; nothing more may be written to it
                        }

                        firstTime = false;
                    }

                    response.setContentType( "text/html" );
                    PrintWriter out = response.getWriter();
                    out.println( "<html>" );
                    out.println( "<head><title>Just logged in....</title></head>" );
                    out.println( "<body><h1>Logged in...</h1>" );
                    out.println( "<pre>" );

                    // What the web container believes about the caller, independent of the JAAS login above.
                    Principal principal = request.getUserPrincipal();
                    if( principal != null )
                    {
                        out.println( "request.getUserPrincipal().getName()= " + principal.getName() );
                        out.println( "request.isUserInRole( 'echo' )= " + request.isUserInRole( "echo" ) );
                        out.println( "request.isUserInRole( 'Echo' )= " + request.isUserInRole( "Echo" ) );
                    }
                    else
                    {
                        out.println( "-----> request.getUserPrincipal() was NULL!!!" );
                    }

                    out.println( "</pre></body></html>" );
                    out.close();
                }

                protected void doGet( HttpServletRequest request, HttpServletResponse response )
                    throws ServletException, IOException
                {
                    processRequest( request, response );
                }

                protected void doPost( HttpServletRequest request, HttpServletResponse response )
                    throws ServletException, IOException
                {
                    processRequest( request, response );
                }
            }
            
            
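            Editor's note: the servlet below is an added example, not code from the thread or from the JBoss howto. It makes the three different "identities" in play visible side by side: the principals the JAAS login modules put into the Subject, the Subject bound to the current thread inside Subject.doAs(), and the caller the web container reports through request.getUserPrincipal(). It assumes a JAAS configuration named "example1" (as in the original post) whose login modules ask for a NameCallback and a PasswordCallback; SimpleCallbackHandler is a stand-in for the howto's AppCallbackHandler, which the page does not show.

```java
package org.jboss.docs.jaas.howto;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (assumption: a JAAS config "example1" exists; SimpleCallbackHandler
// stands in for the howto's AppCallbackHandler, which is not on the page).
public class SubjectVsContainerServlet extends HttpServlet
{
    /** Answers the login modules' name/password callbacks from the form fields. */
    static final class SimpleCallbackHandler implements CallbackHandler
    {
        private final String username;
        private final char[] password;

        SimpleCallbackHandler( String username, char[] password )
        {
            this.username = username;
            this.password = password;
        }

        public void handle( Callback[] callbacks ) throws UnsupportedCallbackException
        {
            for( int i = 0; i < callbacks.length; i++ )
            {
                if( callbacks[i] instanceof NameCallback )
                    ( (NameCallback) callbacks[i] ).setName( username );
                else if( callbacks[i] instanceof PasswordCallback )
                    ( (PasswordCallback) callbacks[i] ).setPassword( password );
                else
                    throw new UnsupportedCallbackException( callbacks[i] );
            }
        }
    }

    protected void doPost( HttpServletRequest request, HttpServletResponse response )
        throws ServletException, IOException
    {
        String username = request.getParameter( "j_username" );
        String password = request.getParameter( "j_password" );
        if( username == null || password == null )
        {
            response.sendError( HttpServletResponse.SC_BAD_REQUEST, "j_username and j_password are required" );
            return;
        }

        Subject subject;
        try
        {
            LoginContext lc = new LoginContext( "example1",
                new SimpleCallbackHandler( username, password.toCharArray() ) );
            lc.login();
            subject = lc.getSubject();
        }
        catch( LoginException le )
        {
            log( "JAAS login failed for " + username, le );   // log the user, never the password
            response.sendError( HttpServletResponse.SC_UNAUTHORIZED );
            return;
        }

        response.setContentType( "text/plain" );
        final PrintWriter out = response.getWriter();

        // 1. JAAS view: the login modules did add principals to the Subject.
        out.println( "Principals in the JAAS Subject:" );
        for( Iterator it = subject.getPrincipals().iterator(); it.hasNext(); )
        {
            Principal p = (Principal) it.next();
            out.println( "  " + p.getClass().getName() + " -> " + p.getName() );
        }

        // 2. Thread view: inside Subject.doAs the Subject is bound to the current
        //    AccessControlContext, which is what code on this thread can look up.
        Subject.doAs( subject, new PrivilegedAction()
        {
            public Object run()
            {
                Subject bound = Subject.getSubject( AccessController.getContext() );
                out.println( "Subject bound to this thread inside doAs: " + ( bound != null ) );
                return null;
            }
        } );

        // 3. Container view: neither step told the web container who the caller is,
        //    so its answer is unchanged (null unless the container authenticated
        //    this request itself, e.g. via FORM or BASIC auth).
        Principal containerView = request.getUserPrincipal();
        out.println( "request.getUserPrincipal(): "
            + ( containerView == null ? "null" : containerView.getName() ) );
        out.println( "request.isUserInRole(\"echo\"): " + request.isUserInRole( "echo" ) );
    }
}
```

            POST j_username and j_password to the servlet: the first section lists the principals the login modules created, the second shows the Subject is visible only within the doAs() scope, and the third shows the container's own view is untouched by either. That separation is the reason the original LoginServlet sees a populated Subject and a null getUserPrincipal() at the same time.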


            • 4. Re: Manual Servlet login failure
              Nathaniel Auvil Newbie

              I just tried JBoss 2.4.2 and got the same thing. request.getCallerPrincipal() is null after I successfully do a login().

              • 5. Re: Manual Servlet login failure
                Paul Austin Newbie

                What you are doing here is not actually logging in to the web container; you are only logging in to the current thread to access EJBs. If you want to log in to the web container to keep the login between sessions, you must log in via the servlet j_security_check with the j_username and j_password. The following should do this from within a servlet.

                // ServletContext dispatcher paths must begin with "/"; java.net.URLEncoder keeps
                // characters such as '&' or '%' in the credentials from breaking the query string.
                String path = "/j_security_check?j_username=" + URLEncoder.encode(username)
                            + "&j_password=" + URLEncoder.encode(password);
                getServletConfig().getServletContext().getRequestDispatcher(path).include(request, response);

                And then redirect to the page you want the user to see.

                Paul

                • 6. Re: Manual Servlet login failure
                  Nathaniel Auvil Newbie


                  I need to be able to control the entire login process, as I have more than the simple two-value authentication mechanism that the inflexible j_security_check allows.

                  I need a mechanism to allow for 'n' authentication values through a web browser. I don't understand why the container does not contain a Principal when I do a manual login; the configured login modules get executed, so the container is processing it.

                  • 7. Re: Manual Servlet login failure
                    Nathaniel Auvil Newbie


                    > What you are doing here is not actually login to the
                    > web container you are only login to the current
                    > thread to access ejb's. If you want to login to the
                    > web container to keep between sessions you must login
                    > via the servlet j_security_check with the j_username
                    > and j_password. The following should do this from
                    > within a servlet.
                    >


                    > String path = new StringBuffer("j_security_check?j_username=").append(username).append("&j_password=").append(password).toString();
                    > getServletConfig().getServletContext().getRequestDispatcher(path).include(request, response);

                    This does not work. In fact, I read in another newsgroup that this sort of thing is not allowed.

                    • 8. Re: Manual Servlet login failure
                      Mike Cannon-Brookes Newbie

                      Is there any update on this? It seems completely ridiculous that you can't log in the principal from the web server and have the same login context propagated to the EJB layer (without using the j_username stuff).

                      I too have exactly the same scenario as described here now. In a ServletFilter I log in fine through a LoginContext, but request.getRemoteUser() still always returns null. (Using JBoss 2.4.4/Catalina 4.0)

                      Any update Scott / Luke? How can I make this work?

                      -mike
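
                      Editor's note: the thread ends without an answer for the Servlet 2.3 containers it discusses. What it asks for, a login driven from servlet code that the web container itself recognises, was later standardised as HttpServletRequest.login() in Servlet 3.0 (2009). The servlet below is an added example, not code from the thread or from JBoss; it requires a Servlet 3.0+ container (3.1+ for changeSessionId()) and a web application with a security realm configured, and the "index.html" target and "echo" role are assumptions taken from the original post.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (assumptions: Servlet 3.0+ container, a realm configured for
// this web app, an "index.html" landing page and an "echo" role as in the thread).
public class ProgrammaticLoginServlet extends HttpServlet
{
    protected void doPost( HttpServletRequest request, HttpServletResponse response )
        throws ServletException, IOException
    {
        String username = request.getParameter( "j_username" );
        String password = request.getParameter( "j_password" );
        if( username == null || password == null )
        {
            response.sendError( HttpServletResponse.SC_BAD_REQUEST );
            return;
        }

        // login() throws ServletException if the caller is already authenticated, so check first.
        if( request.getUserPrincipal() != null )
        {
            response.sendRedirect( request.getContextPath() + "/index.html" );
            return;
        }

        // Whether the identity outlives this request is container-specific;
        // having a session in place before login() is the usual precaution.
        request.getSession( true );

        try
        {
            // Validates against the realm used by the container's configured login
            // mechanism, i.e. the same check j_security_check performs, and on
            // success establishes the caller identity for the container.
            request.login( username, password );
        }
        catch( ServletException failed )
        {
            log( "programmatic login failed for " + username );   // user only, never the password
            response.sendError( HttpServletResponse.SC_UNAUTHORIZED );
            return;
        }

        // Unlike a bare JAAS LoginContext.login(), the container now knows the caller.
        Principal p = request.getUserPrincipal();
        log( "container principal after login(): " + p.getName()
            + ", in role echo: " + request.isUserInRole( "echo" ) );

        // Rotate the session id after authentication so a pre-authentication
        // session id handed to the victim cannot be reused (session fixation).
        request.changeSessionId();
        response.sendRedirect( request.getContextPath() + "/index.html" );
    }
}
```

                      Two caveats for the scenario in this thread: login() still takes only a username and a password, so an 'n'-value mechanism needs a container-specific or JASPIC (JSR 196) authentication module rather than this call; and whether the authenticated identity is carried to the EJB layer depends on how the application server links its web and EJB security domains, which the Servlet specification does not define.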