2 Replies Latest reply on Mar 15, 2004 12:02 PM by Hussein Badakhchani

    How to get custom security authentication to integrate with J

    Hussein Badakhchani Newbie

      Hello,

      Our application is using a custom authentication mechanism that uses an access control filter in conjunction with an EJB to check incoming requests for a valid session id that is encoded as a request parameter, e.g. ?sid=123445. As this security framework does not interact with JAAS or the container in any way, I cannot use methods like getUserPrincipal() or isCallerInRole() in my EJBs or Servlets (no security context is created or propagated). This is a bit of a pain as I don't want to write custom code to get this information.

      I would like to know if it is possible to extend our existing security framework to use JAAS, or is there a workaround I can use. For example, after checking the user's credentials and logging the user in using our security framework, can I then inform the container's security manager?

      I have read through the FAQ and played around with JAAS creating a security domain and using the DatabaseLoginModule with form based authentication, but I can't see a way of integrating our security with JAAS.

      Cheers,
      Hoos

        • 1. Re: How to get custom security authentication to integrate wi
          ahardy66 Novice

          With J2EE container managed security, the user must trigger the authentication by trying to access a protected area, EJB, webpage, whatever.

          There are always 'ways' of doing things like this by proxy from your custom security login, but many are considered dirty hacks and you already say you don't wish to write any more code.

          The range of options open to you depends on your application. One thing that occurs to me off the top of my head is the 'anonymous' login that can be done. If you protect everything, then as soon as the user starts using the app, a login will occur and then in your custom login module you can fetch what info you need, if you can identify the user without any login name.

          Have fun! ;)

          • 2. Re: How to get custom security authentication to integrate wi
            Hussein Badakhchani Newbie

            Thanks for the quick response.

            I think I get where you're coming from, but if the container security kicks in before my filter, won't that force me to authenticate twice, once for, say, the FORM authentication and then again when my filter does not find a valid sessionid?

            Or are you saying it is possible to write a custom login module that will authenticate the user (say like the DatabaseLoginModule) and somehow add the sessionid to the request, then my access control filter won't grumble and I get a security context for my request? If this option is possible that would be great, but where do I start?
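
The custom login module idea discussed in this thread, sketched with the standard JAAS `LoginModule` interface; this is an added example, not code from any of the posters or from JBoss. The class name `SessionIdLoginModule`, the `SESSIONS` map (a constructed stand-in for the existing session-checking EJB) and the choice to deliver the sid through a `NameCallback` are assumptions; how the sid gets from the request into the `CallbackHandler` is container-specific and not shown.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class SessionIdLoginModule implements LoginModule {
    // Constructed stand-in for the existing session-checking EJB: sid -> user name.
    static final Map<String, String> SESSIONS = Map.of("123445", "hoos");
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    private Subject subject;
    private CallbackHandler handler;
    private Principal pending, committed;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    public boolean login() throws LoginException {
        NameCallback sid = new NameCallback("sid");   // assumption: the sid arrives as the "name"
        try {
            handler.handle(new Callback[] { sid });
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain sid: " + e.getMessage());
        }
        // Fail closed: a missing or unknown sid never yields a principal.
        String user = sid.getName() == null ? null : SESSIONS.get(sid.getName());
        if (user == null) throw new FailedLoginException("unknown or expired session id");
        pending = new UserPrincipal(user);
        return true;
    }

    public boolean commit() {
        if (pending == null) return false;            // login() did not succeed
        subject.getPrincipals().add(pending);         // identity becomes visible only on commit
        committed = pending; pending = null;
        return true;
    }
    public boolean abort() { pending = null; return logout(); }
    public boolean logout() {
        if (committed != null) subject.getPrincipals().remove(committed);
        committed = null;
        return true;
    }
}
```

A module like this validates the session id once, so the container's security context and the existing filter rely on the same check rather than prompting twice. Role information for `isCallerInRole()` is attached in a container-specific way and is left out here.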