Hi,
Really, my question is more concerned with the javax.servlet.Filter than JAAS.
But it's the LoginContext's thread issue that is sending me down this road,
so I'm hoping somebody will be willing to answer my question here.
Anyway... like many other people, when implementing the JAAS, I ran into the
problem where new threads are being used by requests that are made after
authentication has occurred. As such, the LoginContext is lost and I get the
dreaded principal="null" error. So, to fix this, I'm going to put the user
information onto the session, and then log in before every attempt to access
secured beans.
Based on what I've read in these forums, the slickest way to do this is to use
a filter. So, I wrote a very simple filter, and added the following to my
web.xml descriptors:
<!-- JAAS -->
<filter>
  <filter-name>logged-in-filter</filter-name>
  <filter-class>toolkit.admin.services.security.JAASFilter</filter-class>
</filter>
<!-- JAAS -->
<filter-mapping>
  <filter-name>logged-in-filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
Everything compiles fine, but things go wrong on deployment:
ERROR [URLDeploymentScanner] Failed to deploy:
org.jboss.deployment.DeploymentException: Class org.mortbay.jetty.servlet.Holder
can not access a memeber of a class toolkit.admin.services.security.JAASFilter
with modifiers ""; -- nested throwable: java.lang.IllegalAccessException: ...
...
...
Am I missing something here? From what I'm reading, all that I should need is
the added descriptors, and then the filter itself.
Also, I'm using a JBoss-Jetty solution (notice that the above exception is a
Jetty exception). Does Jetty have any special requirements as far as filters
are concerned?
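
An added example, not part of the original post: a sketch of the per-request login filter described above, written so that the container can instantiate it reflectively (the IllegalAccessException with modifiers "" is what reflection reports when the class or its no-argument constructor is not public). The session attribute name, the "client-login" configuration name, and the idea of keeping a CallbackHandler in the session are assumptions for illustration.

```java
package toolkit.admin.services.security;

import java.io.IOException;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Both the class and its no-argument constructor must be public: the
// container creates the filter by reflection from its own package.
public class JAASFilter implements Filter {
    // Assumed names, not from the post.
    private static final String HANDLER_ATTR = "jaas.callbackHandler";
    private static final String LOGIN_CONFIG = "client-login";

    public JAASFilter() { }
    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        Object handler = (session == null) ? null : session.getAttribute(HANDLER_ATTR);
        if (!(handler instanceof CallbackHandler)) {
            chain.doFilter(req, res);   // no stored login: container security decides
            return;
        }
        LoginContext lc;
        try {
            lc = new LoginContext(LOGIN_CONFIG, (CallbackHandler) handler);
            lc.login();                 // re-establish the identity on this thread
        } catch (LoginException e) {
            throw new ServletException("JAAS login failed", e);
        }
        try {
            chain.doFilter(req, res);
        } finally {
            // Request threads are pooled and reused; log out so the next
            // request served by this thread cannot inherit the identity.
            try { lc.logout(); } catch (LoginException ignored) { }
        }
    }
}
```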