4 Replies Latest reply on Feb 6, 2003 12:41 AM by dmaclaren

    JAAS/Auth and getRemoteUser()

    rocky

Ok... after spending all evening reading forums, docs, etc. I finally have programmatic authentication working a la LoginContext.

And... if I programmatically authenticate on the JSP side of things (not using the web.xml configured login mechanism, but instead manually invoking the LoginContext.login() method within my JSP), it propagates over into my session bean such that declarative security is working for my EJBs.

But, is it possible to get the web security to listen to that authorization? If I try to access a protected page it still tries to send me to a login page (after I've already done LoginContext.login()). Or is it just a limit of the system that there's no programmatic way to activate web.xml-based declarative security?

        • 1. Re: JAAS/Auth and getRemoteUser()
          rocky

          Oh, forgot to mention.

          Platform is as such:
          OS: Linux
          JVM: J2SE 1.4.0_01
          App Server: JBoss 3.0.0 + Tomcat 4.0.3 (integrated bundle)

          • 2. Re: JAAS/Auth and getRemoteUser()
            kpseal

            Ah, sounds like you've got to the same point as many of us - "the wall of silence".
            http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/

            • 3. Re: JAAS/Auth and getRemoteUser()

              Hiya,

              I *think* the authenticated Subject gets stored in a Jetty/Tomcat cache, & the principal is stored in the user's session. The auth mechanism then uses this principal to check against the cache when it's security check time. It's obviously not so portable to start stuffing your subject into this cache manually.

Luckily, the mechanism doesn't enforce POST-only submission to j_security_check - so you can simply store the user/pass in the session & redirect to a protected resource. On your login page, which the interceptor will call, simply check for e.g. j_autologin_uname/pass and if present, remove them & do a swift redirect to j_security_check passing the values along for the ride.

Use a session listener to set up your user after declarative login, e.g. listen for org.mortbay.jetty.Auth to change - it's where the principal is stored in Jetty. I just configure a context variable in web.xml for this, so it's fairly portable.
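The listener described above, as an added example that is not code from the thread or from JBoss/Jetty: a Servlet 2.3 HttpSessionAttributeListener that watches for the container's principal attribute, whose name is read from a hypothetical web.xml context-param (auth.principalAttribute), and initializes per-user session state when it appears and tears it down when it is removed. The attribute names app.userName, app.loginTime and app.userSetupDone are assumed for this example.

```java
import java.security.Principal;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;

// Register in web.xml with <listener><listener-class>AuthSessionListener</listener-class></listener>
// and <context-param> auth.principalAttribute = the session attribute the container uses for the
// authenticated principal (container-specific; org.mortbay.jetty.Auth was named above for Jetty).
public class AuthSessionListener implements HttpSessionAttributeListener {

    private static final String PRINCIPAL_PARAM = "auth.principalAttribute"; // hypothetical
    private static final String USER_NAME = "app.userName";                  // hypothetical
    private static final String LOGIN_TIME = "app.loginTime";                // hypothetical
    private static final String SETUP_DONE = "app.userSetupDone";            // hypothetical

    public void attributeAdded(HttpSessionBindingEvent event) { setUpUser(event); }

    public void attributeReplaced(HttpSessionBindingEvent event) { setUpUser(event); }

    public void attributeRemoved(HttpSessionBindingEvent event) {
        // Principal gone (logout or container-side invalidation): drop per-user state
        // so nothing derived from the old login survives in the session.
        if (isPrincipalAttribute(event)) {
            HttpSession session = event.getSession();
            session.removeAttribute(USER_NAME);
            session.removeAttribute(LOGIN_TIME);
            session.removeAttribute(SETUP_DONE);
        }
    }

    private void setUpUser(HttpSessionBindingEvent event) {
        if (!isPrincipalAttribute(event)) return;   // ignore all other session attributes
        HttpSession session = event.getSession();
        if (session.getAttribute(SETUP_DONE) != null) return; // idempotent on re-sets
        Object value = event.getValue();
        // Only the principal's name is used here; the concrete type is container-specific.
        String name = (value instanceof Principal) ? ((Principal) value).getName() : String.valueOf(value);
        session.setAttribute(USER_NAME, name);
        session.setAttribute(LOGIN_TIME, new Long(System.currentTimeMillis()));
        session.setAttribute(SETUP_DONE, Boolean.TRUE);
    }

    private boolean isPrincipalAttribute(HttpSessionBindingEvent event) {
        ServletContext ctx = event.getSession().getServletContext();
        String configured = ctx.getInitParameter(PRINCIPAL_PARAM);
        return configured != null && configured.equals(event.getName());
    }
}
```

Because the listener's own setAttribute calls also fire attributeAdded, the name check in isPrincipalAttribute is what keeps it from recursing.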

              • 4. Re: JAAS/Auth and getRemoteUser()
                dmaclaren

Can you explain this with any examples? I am using Apache/Tomcat but I could relate to this if I knew more of what you are referring to. If you could give examples of this listener you are talking about and the process of the redirect you used, that would be better.

                Thanks