6 Replies Latest reply on Apr 24, 2003 11:51 AM by nparab

    App-based authentication with declarative authorization

    nparab Newbie

      I want to authenticate users based on an additional parameter (a part of the context URI) in addition to username & password. I cannot use the Form based or Basic security (because they take only 2 parameters).

      I could use application-based authentication from a login servlet. But then I would also have to write authorization code in my apps (which I want to avoid). I want to use the declarative authorization using <security-constraint> and in web.xml.

      Here's my question:

      Can I team up app-based authentication with declarative authorization in some way? Can I set roles from my login servlet so that the container uses them for subsequent authorization?

      Thanks in advance,
      Nilesh

        • 1. Re: App-based authentication with declarative authorization
          glum Newbie

          First I should say I am no kind of expert in this field. But anyway, if I understand your question, I am just trying to manage the same thing with no success at all. I think this should be possible by setting appropriate <run-as>roleName</run-as> element for your login servlet in web.xml descriptor. But I have no luck with this so far. Furthermore, I found a note in the JBoss book that this configuration is unsupported by JBoss as of yet.

          I still hope this is somehow possible to do with JBoss. In my point of view declerative security is pretty unusable without this. In case you find a way how to do that post a message, please.

          • 2. Re: App-based authentication with declarative authorization
            nparab Newbie

            glum,

            I might have found a solution for you, though it is not directly applicable in my case. My problem is with declarative 'web' security. Yours is with declarative 'ejb' security.

            Please read the article in this url:
            http://www.luminis.nl/publications/websecurity.html

            You could use the ClientLoginModule (described in the article) from your servlet to log in to the ejb security layer. Since your servlet is unsecured, you cannot get the user-id and password from the HttpSession as described in the article. Instead, you could use a fixed user-id and password, probably passed as init-parameters to the servlet from web.xml. This user-id should have the role required for the ejb.

            Let me know if this works for you.

            • 3. Re: App-based authentication with declarative authorization
              glum Newbie

              Thanks a lot for your message. I am running out of the time, so I have moved securing application down in my priority list :-( Once I have finished other tasks, I'll certainly go back and follow your suggestions.

              I have a suggestion for you too, but I have no idea if it is possible or not. Maybe you can still use the Form - based authentication. Instead of submitting login form to j_security_check action, submit it to some Servlet which will append context URI or whatever you want to j_username request parameter. Then, it will finally forward request to j_security_check action.

              Again, I have no idea if this is applicable to you or even possible at all.

              - glum

              • 4. Re: App-based authentication with declarative authorization
                nparab Newbie

                I did try forwarding from a custom Login servlet, but it gives a message in the browser:

                400 - j_security_check not found.

                If I do a sendRedirect from the servlet, it works fine. But then, I have to append the parameters to the URL and then the password is visible in plain text in the browser URL address field.

                • 5. Re: App-based authentication with declarative authorization
                  nparab Newbie

                  I did try forwarding from a custom Login servlet, but it gives a message in the browser:

                  400 - j_security_check not found.

                  If I do a sendRedirect from the servlet, it works fine. But then, I have to append the parameters to the URL and then the password is visible in plain text in the browser URL address field.

                  • 6. Re: App-based authentication with declarative authorization
                    nparab Newbie

                    I did try forwarding from a custom Login servlet earlier, but it gives a message in the browser:

                    400 - j_security_check not found.

                    If I do a sendRedirect from the servlet, it works fine. But then, I have to append the parameters to the URL and then the password is visible in plain text in the browser URL address field.