I currently have a webapp that employs a weak security model (and we like it that way). However, we would like to start working toward role-based access, and we would like to do it using J2EE Principals and Roles.
We need to do an initial login with LDAP. After that, a cookie is placed on the user's machine. Any time they visit the site thereafter (even months later), we want to "authenticate" on the cookie rather than going back to the LDAP login. This way, after logging in once, the user has the effect of never needing to log in again... But we do want that Principal and the Roles populated every time they come in.
Is there a way to do a custom login module that will implement a callback to the webapp and check to see if the cookie exists, and if so, the Principal and Roles can be bound to the session based on that? And if the cookie doesn't exist, move on to the LDAP auth (and then place a new cookie in the browser)?
I have written a CallbackHandler that takes a HttpServletRequest and HttpServletResponse as arguments and populates the passed in callback object with a username, but I don't know where to go from there. Am I on the right track or completely off base?
Previously I was going to use a servlet filter to do auth programmatically, but I couldn't figure out how to programmatically bind the Principal and Roles to the session such that it would work with security constraints and isUserInRole() and such...
Thanks for your help.
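As an added example (not code from the question, the answer or any particular application server), here is one shape a JAAS LoginModule for the flow described above can take. It asks the CallbackHandler for the servlet request through a hypothetical HttpRequestCallback, accepts a remember-me cookie that carries only the user name, an expiry and an HMAC over both (never the password), and only when that fails falls back to an LDAP simple bind via JNDI. The class name, the module option names (ldapUrl, userDnPattern, cookieName, hmacKeyBase64, roles) and the cookie layout are assumptions; how a container maps the principals in the Subject onto isUserInRole() and security constraints is container-specific, so the user/role principal classes here stand in for whatever the server expects, and the role list is read from a module option as a stand-in for a directory lookup.

```java
import java.security.*;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.naming.*;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.*;

/** Cookie-first, LDAP-fallback JAAS login module (illustrative; class, option and cookie names are assumptions). */
public class CookieOrLdapLoginModule implements LoginModule {
    /** Hypothetical callback that the webapp's CallbackHandler fills with the current servlet request. */
    public static final class HttpRequestCallback implements Callback { public HttpServletRequest request; }
    /** Plain principals; a real deployment substitutes the container's own user/role principal classes. */
    static class NamedPrincipal implements Principal { final String name; NamedPrincipal(String n) { name = n; } public String getName() { return name; } }
    public static final class UserPrincipal extends NamedPrincipal { UserPrincipal(String n) { super(n); } }
    public static final class RolePrincipal extends NamedPrincipal { RolePrincipal(String n) { super(n); } }

    private Subject subject; private CallbackHandler handler;
    private Map<String, ?> options;    // ldapUrl, userDnPattern, cookieName, hmacKeyBase64, roles (assumed option names)
    private byte[] hmacKey;            // server-side secret; never leaves the server
    private String authenticatedUser;  // set by login(), turned into principals by commit()
    private final Set<Principal> added = new HashSet<>();

    @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject; this.handler = handler; this.options = options;
        this.hmacKey = Base64.getDecoder().decode((String) options.get("hmacKeyBase64"));
    }

    /** Phase 1: accept a valid remember-me cookie; otherwise collect credentials and bind to LDAP. */
    @Override public boolean login() throws LoginException {
        try {
            HttpRequestCallback reqCb = new HttpRequestCallback();
            handler.handle(new Callback[] { reqCb });
            String user = userFromCookie(reqCb.request);
            if (user == null) {
                NameCallback nameCb = new NameCallback("username");
                PasswordCallback pwCb = new PasswordCallback("password", false);
                handler.handle(new Callback[] { nameCb, pwCb });
                user = nameCb.getName();
                ldapBind(user, pwCb.getPassword()); pwCb.clearPassword();
            }
            authenticatedUser = user;
            return true;
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback handling failed: " + e.getMessage());
        }
    }

    /** Phase 2: attach user and role principals to the Subject the container consults for isUserInRole(). */
    @Override public boolean commit() {
        if (authenticatedUser == null) return false;
        added.add(new UserPrincipal(authenticatedUser));
        for (String role : ((String) options.get("roles")).split(",")) added.add(new RolePrincipal(role.trim()));
        subject.getPrincipals().addAll(added);
        return true;
    }
    @Override public boolean abort() { authenticatedUser = null; added.clear(); return true; }
    @Override public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }

    /** User name from a valid remember-me cookie, or null when it is absent, expired or forged. */
    String userFromCookie(HttpServletRequest request) {
        if (request == null || request.getCookies() == null) return null;
        for (Cookie c : request.getCookies()) if (c.getName().equals(options.get("cookieName"))) return verifyToken(c.getValue());
        return null;
    }

    /** Token layout: user|expiryEpochSeconds|base64url(HMAC-SHA256(user|expiry)). No password is stored. */
    String verifyToken(String token) {
        String[] p = token.split("\\|", -1); if (p.length != 3) return null;
        try {
            if (Long.parseLong(p[1]) < System.currentTimeMillis() / 1000) return null;  // expired
            byte[] given = Base64.getUrlDecoder().decode(p[2]);
            return MessageDigest.isEqual(hmac(p[0] + "|" + p[1]), given) ? p[0] : null;  // constant-time compare
        } catch (IllegalArgumentException e) { return null; }  // malformed expiry or MAC
    }

    /** What the webapp puts in the cookie after a successful LDAP login. */
    public String issueToken(String user, long ttlSeconds) {
        if (user.indexOf('|') >= 0) throw new IllegalArgumentException("user name may not contain '|'");
        String body = user + "|" + (System.currentTimeMillis() / 1000 + ttlSeconds);
        return body + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(body));
    }

    private byte[] hmac(String data) {
        try { Mac mac = Mac.getInstance("HmacSHA256"); mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
              return mac.doFinal(data.getBytes(java.nio.charset.StandardCharsets.UTF_8)); }
        catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    /** LDAP simple bind as the user; userDnPattern holds {0} where the user name goes. */
    private void ldapBind(String user, char[] password) throws LoginException {
        if (user == null || !user.matches("[A-Za-z0-9._-]+") || password == null || password.length == 0)
            throw new FailedLoginException("missing or malformed credentials");  // also keeps the bind DN well-formed
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, (String) options.get("ldapUrl"));
        env.put(Context.SECURITY_PRINCIPAL, ((String) options.get("userDnPattern")).replace("{0}", user));
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        try { new InitialDirContext(env).close(); }
        catch (NamingException e) { throw new FailedLoginException("LDAP bind failed for " + user); }
    }
}
```

The CallbackHandler that already takes the request and response would set `request` on an HttpRequestCallback and fill NameCallback/PasswordCallback from the posted form fields; after a successful LDAP login the webapp calls issueToken() and stores the result in an HttpOnly, Secure cookie. Because the token is an HMAC over the user name and expiry, a forged or tampered cookie fails verifyToken() and the module drops through to LDAP instead of trusting it.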
You could always store UserId and Pwd in cookie, set up the security as 'normal' (No special login modules) and in your login page (jsp?) load UserId into j_username and password into j_password from the cookie and post to j_security_check...
(I think that all the j_xxx names are right...you better check!)
This has worked (well) in the past!