0 Replies Latest reply on May 21, 2003 12:04 AM by rostiarso

    JCIFS and web-app security domain

    rostiarso Newbie

      Hi all, i need some help here:

      i'm trying to configure security environment for my application.
      Instead of using basic/form based authentication, my "boss" wants the application to extract user identity from NT/Win2000 login info, After some googling, i didn't found direct support from JBoss server, but i found a library (JCIFS, http://jcifs.samba.org) that can extract OS login info using NTLM.

      And by using JCIFS, i'm able to extract currently logged-in user. I've also read "Using J2EE security in a web application" from luminis(http://www.luminis.nl/publications/websecurity.html), and from there, i can figure out the steps required for securing my EJBs. But the article from luminis is about securing EJBs only.
      And now the problem i'm facing. By using this kind of security setup, i can't use the built in web security support from container (please correct me if i'm wrong). If i enabled security domain at web layer, then by using either basic or form auth, users will always be prompted with user/password dialog.

      So my first question is: is there any way to use built-in security domain in web layer and made the authentication happened automatically w/o user intervention (w/o the browser prompting user for username/password) since i already acquire user info using JCIFS?

      Because if i dont setup web security domain, then i would miss the Request.isUserInRole() method(again, please CMIIW).

      My second question: in my case, if i can't use built-in security domain, then what would i have to do to enabled and correctly invoke at least the Request.isUserInRole() method based on the security configuration in web.xml?

      Any hints, links, ideas or advice is very much welcome here.

      Thanks in Advance.