from the api-doc:
public boolean isUserInRole(java.lang.String role)
Returns a boolean indicating whether the authenticated user is included in the specified logical "role". Roles and role membership can be defined using deployment descriptors. If the user has not been authenticated, the method returns false.
public java.security.Principal getUserPrincipal()
Returns a java.security.Principal object containing the name of the current authenticated user. If the user has not been authenticated, the method returns null.
Thanks, but I don't think that is what I am looking for. After I authenticate through JAAS and have a valid subject, the call getUserPrincipal() returns null, since the web container does not know about the user (remember this is the case when I am NOT calling j_security_check - if I use j_security_check, everything is fine). WebLogic offers a way to keep the Web container and the rest of the system in sync.
Does this make any sense? And thank you again for posting something - it is greatly appreciated.
i still don't get why you do not use j_security_check and set your jaas login module as the one to be used for your security domain.
could you give a business case for your specfic security requirements?
Thank you for asking and I have indeed done what you suggested. However, what I really wanted to be able to do was to give the user a simple URL to visit that would show them some information about the system and have a login form on that page (rather than a form that pops up when they try to go to a protected page). Furthermore, I wanted the action for that form to call one of my servlets, rather than being limited to calling j_security_check.
Thanks again - and suggestions are greatly appreciated,
I have not tried this but why not simply have a form on a page which posts to J_SECURITY_CHECK, this does not have to be your login form.
The page could have your information and in the corner a little login form. I expect they would login and be returned to the current page (I must try this).
We use JAAS, custom login forms and J_SECURITY_CHECK. We also use struts I can't imagine a scenario where I would have to use a custom login servlet. But as I mentioned on my other thread, Forwarding with struts seems a bit dodgy, secure resources can be accessed without a security check if it is via a Forward.
That sounds like a reasonable idea I have tried doing that (having a form on a page that calls j_security_check) - and unfortunately it doesn't work (as you probably have found out by now). I did try doing the forwarding (having read your other post) and I had some difficulties (but it may have been due to other issues) and it did indeed seem a little "dodgy", so I was hoping that there was a cleaner solution, as it seems like a common problem.
Thanks for the response!