3 Replies Latest reply on Sep 22, 2003 11:24 AM by Joshua Davis

    Programmatic realm authentication in a servlet


      I've been trying to solve this for a few days. I'm trying to programmatically authenticate a user into a realm (defined in web.xml) inside a servlet. I have created a custom authentication module based on the UsernamePasswordLoginModule that simply does a lookup against a local database and assigns a few roles. The custom authentication piece is working fine.

      The catch is that I have users coming from another application server (WebObjects) being redirected to my JBoss application server. I want to offer "single sign on"-like functionality based on a trusted host + username without having the request filter through the j_security_check form.

      This is the point where I am stuck. My understanding of the process is that I need to somehow create a new LoginContext and add it to the JaasSecurityManager in JBoss. The problem is that I am unsure how to obtain the JaasSecurityManager associated with the realm the web application is associated to. I have tried the following:

      // Look up the security manager bound for a security domain in JNDI.
      // Note: "http-invoker" is a different domain from the one the web app uses,
      // which is why the wrong application policy comes back (see below).
      InitialContext ctx = new InitialContext();
      JaasSecurityManager jsm =
          (JaasSecurityManager) ctx.lookup("java:/jaas/http-invoker");
      String securityDomain = jsm.getSecurityDomain();
      System.err.println("Sec Domain: " + securityDomain);

      but this always seems to return the default "other" application policy rather than the "sso-app" application policy I defined in login-config.xml and associated with the "sso" realm that I defined in my web.xml.

      My question is, is attempting to get the JaasSecurityManager the right way to approach this -or- Is the AuthenticationManager (via java:comp/env/security) a better way to do this?

        • 1. Re: Programmatic realm authentication in a servlet

          I made one small change that gets me closer to my goal, I think. Since my jboss-web.xml security-domain entry was java:/jaas/sso-app, I realized that this line:

          (JaasSecurityManager) ctx.lookup("java:/jaas/http-invoker");

          should be:

          (JaasSecurityManager) ctx.lookup("java:/jaas/sso-app");

          That now gets me the right JaasSecurityManager. However, I'm still unable to get a new Subject "pinned" in the JaasSecurityManager programmatically. I'm trying to get it to work using the JaasSecurityManager.isValid() method, so if I'm off base, let me know.
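
An added example (not code from this thread) showing the corrected lookup in a servlet: the security manager bound under java:/jaas/sso-app is fetched through its AuthenticationManager interface and asked to validate a username/password pair with isValid(). The domain name, servlet name and request parameters are assumptions; the comment on isValid() reflects the limitation the thread runs into, namely that validating credentials does not by itself log the user into the web container.

```java
// Added example, not from the original thread. Assumes JBoss 3.x and a
// jboss-web.xml <security-domain> of java:/jaas/sso-app.
import java.io.IOException;
import java.security.Principal;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.SimplePrincipal;

public class RealmCheckServlet extends HttpServlet {
    // Must match the <security-domain> entry in jboss-web.xml (assumed name).
    private static final String SECURITY_DOMAIN = "java:/jaas/sso-app";

    /** Returns true when the domain's login modules accept the credentials. */
    static boolean checkCredentials(String user, char[] password) throws NamingException {
        InitialContext ctx = new InitialContext();
        // Cast to the interface rather than to JaasSecurityManager so the code
        // does not depend on which implementation is bound for the domain.
        AuthenticationManager am = (AuthenticationManager) ctx.lookup(SECURITY_DOMAIN);
        Principal p = new SimplePrincipal(user);
        // isValid() runs the JAAS login for the domain and reports the result.
        // It does NOT register the resulting Subject with the web container, so
        // request.getUserPrincipal() and request.isUserInRole() are unaffected.
        return am.isValid(p, password);
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");          // assumed form field
        String pw = req.getParameter("password");        // assumed form field
        if (user == null || pw == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            boolean ok = checkCredentials(user, pw.toCharArray());
            // Report only a generic status; do not reveal why a login failed.
            resp.setStatus(ok ? HttpServletResponse.SC_OK : HttpServletResponse.SC_UNAUTHORIZED);
        } catch (NamingException e) {
            throw new ServletException("security domain not bound: " + SECURITY_DOMAIN, e);
        }
    }
}
```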

          • 2. Re: Programmatic realm authentication in a servlet

            To close this out, logging in "under the covers" would have required modifications to some of the JBoss JAAS classes at the Thread mapping level. This diverted from a goal of not modifying the JBoss sources in ways that might create incompatibilities. The final solution was based on a variant of the method described in Java Developer's Journal August 2003 Issue 8 Volume 8 "Active Authentication".

            • 3. Re: Programmatic realm authentication in a servlet
              Joshua Davis Expert

              Here is the URL to the article.
              Active Authentication

              The article is good, but it seems to rely on 'redirects' rather than forwarding. Are there any disadvantages to this?

              I'm having a similar problem. I have made a simple 'self registration' application where I want to add a new user, and if the user is successfully added, log them in. I guess I could just redirect using this scheme... hmmm.