Do you have a database? Then you can use the org.jboss.security.auth.spi.DatabaseServerLoginModule (see the getting started docs).
Create a new user (in the database) with
the info provided by your cookie and
You can not user roles on the fly with declarative security mechanisms of EJBs.
Hope this helps.
Thanks for the suggestion! We do have a database, but the idea here is that if the user has the cookie, we want to authenticate without the need of any user interaction...
I thought about this idea but could not determine a way to access the cookie from within the login module. If you know a way, I'd be very happy if you could point me in the right direction...
Basically, the model we're looking for is:
- first time a user enters a webapp, prompt for username/password and authenticate against LDAP. Then store encrypted version of username in user's cookie.
- all times after that, if the user comes to the webapp, it decrypts the username from the cookie and looks up the user's roles in the database. It then automatically authenticates the user without the need of the LDAP auth...
The end result is a very weak security model that only requests the username/password from a user the first time they come-- all other visits are transparent.
Thanks again for your help!
If I understand you correctly, that you want to use the value of a Cookie to authenticate a user, then use those credentials in EJBs that your web tier calls, try this:
1) In your web tier, create a LoginContext which uses the ClientLoginModule. Here you will have to create a CallbackHandler that inserts the username/password values based on the values of your Cookie.
2) Create a security domain in your login-config.xml which uses the UsersRolesLoginModule. Set up the properties file with the valid usernames/roles that will be carried by your cookie.
3) Set up your ejb-jar.xml and jboss.xml deployment descriptors for your EJBs to use the security domain listed in step 2.
Note that the level of authentication here is minimal -- as long as the user has a valid cookie that matches the information in the UsersRolesLoginModule properties file, the invocation will pass.
There are probably more ways to do this, but I hope this helps.
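
Step 1 of the reply above as an added example, not code from the thread or from JBoss: a CallbackHandler that hands a username to the login only after the cookie decrypts and authenticates under AES-GCM, so an edited or forged cookie is rejected before any EJB call. The cookie layout, the key handling, the `domainCredential` parameter and the `client-login` entry name are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical handler: supplies the cookie-derived username to the JAAS login. */
public class CookieCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] domainCredential;

    /**
     * cookieValue is assumed to be Base64url(12-byte IV || AES-GCM ciphertext || 16-byte tag).
     * domainCredential is whatever password the server-side security domain expects
     * for this user (assumption: the thread does not say where it comes from).
     */
    public CookieCallbackHandler(String cookieValue, SecretKey key, char[] domainCredential)
            throws GeneralSecurityException {
        byte[] raw = Base64.getUrlDecoder().decode(cookieValue);
        if (raw.length < 12 + 16) throw new GeneralSecurityException("cookie too short");
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, raw, 0, 12));
        // doFinal throws AEADBadTagException if the cookie was altered or not issued with this key
        byte[] plain = cipher.doFinal(raw, 12, raw.length - 12);
        this.username = new String(plain, StandardCharsets.UTF_8);
        this.domainCredential = domainCredential.clone();
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName(username);
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(domainCredential);
            else throw new UnsupportedCallbackException(cb);
        }
    }

    /** "client-login" is assumed to be the JAAS entry configured with ClientLoginModule. */
    public static LoginContext login(String cookieValue, SecretKey key, char[] domainCredential)
            throws GeneralSecurityException, LoginException {
        LoginContext lc = new LoginContext("client-login",
                new CookieCallbackHandler(cookieValue, key, domainCredential));
        lc.login(); // binds the principal and credential to subsequent EJB invocations
        return lc;
    }
}
```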