2 Replies Latest reply on Feb 13, 2002 5:54 PM by Jonathan Leech

    JAAS and request.getUserPrincipal

    Gordon Newbie


      "Gordon" wrote:
      Is it possible, using JAAS, to verify username and password and to map roles to users so that a servlet can take advantage of declarative security in the web.xml file as well as take advantage of the request's getUserPrincipal and isUserInRole methods?

      I have had no success thus far with JBoss-2.4.4_Tomcat-3.2.3.

      I basically have a servlet to verify login using the LoginContext class. LoginContext.login() succeeds but the request's getUserPrincipal returns null and therefore isUserInRole does not work.

      If I use j_security_check to authenticate and don't use LoginContext, it works.

      Any ideas?


        • 1. Re: JAAS and request.getUserPrincipal
          Erwin Teseling Newbie


          "teseling" wrote:
          If I am correct you only login the current thread when using LoginContext instead of logon the HttpSession to the webcontainer. This means that not your HttpSession is logged in, so you can't use it furtheron in the session (any following requests).

          I also have the same problem. I hope there is a workaround, because you cannot always use j_security_check (for instance if you want to authenticate using something else then simply username & password).

          Anyone has any idea on how to use the LoginContext to logon the HttpSession at the webcontainer??

          • 2. Re: JAAS and request.getUserPrincipal
            Jonathan Leech Newbie


            "jleech" wrote:
            Using JBoss-2.4.4_Tomcat-4.0.1, you can do exactly this if you're willing to hack apart org.apache.catalina.authenticator.FormAuthenticator. This is the valve that handles form-based authentication. I changed mine so that there can be more callbacks than just username and password, and as many iterations of callbacks as necessary.