1 Reply Latest reply on Dec 23, 2002 4:03 PM by Darryl A. J. Staflund

    Jetty / Tomcat JAAS Authentication Discrepancies

    Darryl A. J. Staflund Newbie

      Hi all,

      I am currently using JBoss 3.0.4 / Tomcat 4.1.12 to develop a J2EE application. The application uses JBoss' LdapLoginModule to authenticate off of a remote database, and is largely frame-based.

      The initial login sequence is designed to work as follows:

      1. The user attempts to access index.jsp.
      2. Index.jsp is a protected resource, so JAAS kicks in and displays an authentication form. No HTML frames are present at this time.
      3. After the user authenticates, index.jsp is loaded and in turn forwards the request to an HTML file (also a protected resource).
      4. The HTML defines a frameset consisting of three frames, and then loads individual HTML files into each frame.

      This behaviour works perfectly with Tomcat. My deployment environment, however, is JBoss 3.0.4 / Jetty. Jetty handles the request differently:

      1. The user attempts to access index.jsp.
      2. Even though index.jsp is a protected resource, the script runs and loads the HTML file which defines the frameset.
      3. Even though the HTML file which defines the frameset is a protected resource, the application creates the frameset and attempts to load the individual HTML files into each of the separate frames.
      4. It is only at this point that JAAS authentication kicks in by displayed the authentication form in each of the three frames.

      What bizarre behaviour. Not only has JAAS authentication kicked in at an appropriate time, but it only happens with Jetty, not with Tomcat.

      Has anyone ever experienced this problem? Does anyone know of a workaround (short of switching to Thomcat?)

      Thanks,
      Darryl Staflund