1 Reply Latest reply on Sep 10, 2003 7:09 PM by lucrussell

    Combining Struts and JAAS

    François Vanzeveren Newbie


      How can I make use of the credentials data from a JAAS login in the JSP/Struts side of an application.

      I successfully implemented a JAAS login. Security on the EJB sides behaves as expected (i.e. users in proper roles can executes ejb methods, others not).

      But, it seems like the Web side does not know anything of the JAAS login. Indeed, I wrote the following Custom Tag that is supposed to process its body only if the users is in any of the sepcified roles. But its turns out that the HttpServletRequest.getUserPrincipal always returns null, while on the EJB side everything is fine.

      Does any one knows a good tutorial about the integration of JAAS and struts with JBOSS


      public class IfCallerInRoleTag extends ExTagSupport {

      final private static Logger LOGGER = Logger.getLogger(IfCallerInRoleTag.class);

      /** Properties **/
      private StringTokenizer roles;

      protected void clearProperties() {
      this.roles = null;

      public int doStartTag() throws JspException {
      LOGGER.info("[IN] doStartTag()");
      int result;
      HttpServletRequest request = (HttpServletRequest) pageContext.getRequest();
      if (isCallerInRole(request)) {
      result = EVAL_BODY_INCLUDE;
      } else {
      result = SKIP_BODY;
      if (LOGGER.isDebugEnabled()) LOGGER.debug("Return Value [" + result + "]");
      LOGGER.info("[OUT] doStartTag()");
      return result;

      public void setRoles(String pRoles) {
      if (pRoles != null && ! "".equals(pRoles.trim()) ) {
      roles = new StringTokenizer(pRoles, ",");
      } else {
      roles = null;

      private boolean isCallerInRole(HttpServletRequest request) {
      LOGGER.info("[IN] isCallerInRole(HttpServletRequest request)");
      if (LOGGER.isDebugEnabled()) {
      LOGGER.debug("Principal Name [" + request.getUserPrincipal() + "]");
      if (roles == null) return true;
      boolean isCallerInRole = false;
      String token;
      while (roles.hasMoreTokens() && ! isCallerInRole) {
      token = roles.nextToken().trim();
      LOGGER.debug("Role [" + token + "]");
      isCallerInRole = request.isUserInRole(token);
      if (LOGGER.isDebugEnabled()) LOGGER.debug("Is caller in role? [" + isCallerInRole + "]");
      LOGGER.info("[OUT] isCallerInRole(HttpServletRequest request)");
      return isCallerInRole;

        • 1. Re: Combining Struts and JAAS
          lucrussell Newbie

          Do you know if you have a line like this in your jboss-web.xml?:

          I believe this is what ties the web client to the security domain...
          In struts 1.1 you can use the logic:present tag to control presentation, eg:
          <logic:present role="admin">
          do something

          Hope this helps...