2 Replies Latest reply on Oct 31, 2001 6:10 AM by nuanda

    JAAS logon from a Servlet

    nuanda

      Hi all,

      We are happily using JBoss w/ JAAS to support client security to our business tier from standalone (Swing) clients (authenticating on our LDAP server).

      Our next step is to support client security from web tier servlets accessing the ejb tier. The problem with servlets as I see it is that a LoginContext will last as long as the servlet class/thread that created it (blink of an eye). How are people supporting persistent client logons to their web tiers via JAAS? Do you cache the credentials in a web session scope and re-logon for each servlet instance ??? *blah*

      Thanks for any tips ;-)

        • 1. Re: JAAS logon from a Servlet
          jwkaltz

          > Do you cache the credentials in a web session scope
          > and re-logon for each servlet instance ??? *blah*

          Actually you have to do it every time the servlet is called, because the servlet handles requests from different clients. But it's not so *blah* actually, because you are just doing the ClientLoginModule stuff from JBoss to bind your credentials; the JBoss server has a credential cache so it won't perform a new server-side login.

          I encapsulate this stuff in a handle class, which I store in the HTTP session; then in any servlet code which will call EJBs, the servlet first retrieves this handle class and calls its refresh().
          From what I understand, if you use the embedded jboss-tomcat, this is done automatically and you don't have to worry about the refreshing of the credentials.
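
          One way to build the "handle class stored in the HTTP session" described above, as an added example that is not code from the thread or from JBoss. It assumes a JAAS configuration entry named client-login that maps to org.jboss.security.ClientLoginModule in the client's auth.conf (the entry name, the session attribute name jaasHandle and the class names are assumptions for illustration). The handle keeps only the username and password, because LoginContext is not Serializable, and rebuilds a LoginContext on every refresh(); a servlet calls refresh() before touching EJBs and release() in a finally block so the binding does not outlive the request on a worker thread that will serve other clients next.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Arrays;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Session-scoped holder for the client-side JAAS login (example code, not
 * part of the original thread).  Holds username/password only and performs
 * the ClientLoginModule login again on each refresh().
 */
public class JaasSessionHandle implements Serializable, HttpSessionBindingListener {
    public static final String SESSION_KEY = "jaasHandle";    // assumed attribute name
    private static final String LOGIN_CONFIG = "client-login"; // assumed auth.conf entry

    private final String username;
    private final char[] password;
    private transient LoginContext ctx;

    public JaasSessionHandle(String username, char[] password) {
        this.username = username;
        this.password = (char[]) password.clone();
    }

    /** Bind this session's credentials for the current request. */
    public void refresh() throws LoginException {
        ctx = new LoginContext(LOGIN_CONFIG, new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (int i = 0; i < callbacks.length; i++) {
                    if (callbacks[i] instanceof NameCallback) {
                        ((NameCallback) callbacks[i]).setName(username);
                    } else if (callbacks[i] instanceof PasswordCallback) {
                        ((PasswordCallback) callbacks[i]).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(callbacks[i]);
                    }
                }
            }
        });
        // ClientLoginModule only binds the credentials; the server verifies them on the EJB call.
        ctx.login();
    }

    /** Unbind so the next request handled by this worker thread cannot inherit the login. */
    public void release() {
        if (ctx != null) {
            try { ctx.logout(); } catch (LoginException ignored) { }
            ctx = null;
        }
    }

    public void valueBound(HttpSessionBindingEvent e) { }

    /** Session invalidated or expired: drop the binding and wipe the password copy. */
    public void valueUnbound(HttpSessionBindingEvent e) {
        release();
        Arrays.fill(password, '\0');
    }
}

/** Login form target: creates the handle once per HTTP session (example). */
class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("user");      // assumed form field names
        String pass = req.getParameter("password");
        req.getSession(true).setAttribute(JaasSessionHandle.SESSION_KEY,
                new JaasSessionHandle(user, pass.toCharArray()));
        resp.sendRedirect("orders");                 // assumed URL of a servlet that calls EJBs
    }
}

/** Any servlet that calls EJBs: refresh before the call, release afterwards (example). */
class OrderServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        JaasSessionHandle handle = (session == null) ? null
                : (JaasSessionHandle) session.getAttribute(JaasSessionHandle.SESSION_KEY);
        if (handle == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        try {
            handle.refresh();
            // ... look up and call EJBs here; the calls carry the bound credentials.
        } catch (LoginException e) {
            throw new ServletException("client login failed", e);
        } finally {
            handle.release();
        }
    }
}
```

          Two caveats a practitioner would want: the handle necessarily keeps a cleartext copy of the password, which is what ClientLoginModule has to hand to the server, so do not let the container persist sessions to disk unprotected, and keep session timeouts short; and the release() in finally matters because the login is bound on behalf of whichever thread handled the request, not the HTTP session, so without it a later request from a different client could run on that thread with the first client's credentials still bound.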

          • 2. Re: JAAS logon from a Servlet
            nuanda

            > But it's not so *blah* actually, because you are just
            > doing the ClientLoginModule stuff from JBoss to bind
            > your credentials

            True enough, I hadn't connected the dots on that one...

            > if you use the embedded jboss-tomcat, this is done
            > automatically

            This would be handy...so perhaps jboss embedded tomcat can associate a LoginContext against a client session (a client session being maintained by tracking cookies/url re-writing) ?

            Thanks for the reminder re: ClientLoginModule ;-)

            Dave