1 Reply Latest reply on Jun 7, 2004 10:46 AM by Scott Stark

    Two-Phase Login

    morenito9000 Newbie

      Hi all,
      in my application I had to write a custom DatabaseServerLoginModule
      that associated roles to user after the user had specified

      - login
      - password
      - product

      (for different 'products' users may have different roles associated).

      The problem is the following:

      in a FIRST PHASE my application asks the user to specify
      ONLY login and password and in a SECOND PHASE
      application can ask the product under which the user wants to work.

      I can't change this sequence !

      I have 3 questions:

      1) Must I use DatabaseServerLoginModule for 'phase 1'
      and the CustomDatabaseServerLoginModule for 'phase 2' ?

      2) Is possible to perform the authentication process in two
      distinct phases ? (it sounds strange to me, because after
      'phase 1' JBoss will associate some roles to user that
      couldn't be the right ones after 'phase 2').

      After authentication I can have users with the same role but
      with different permissions.
      The difference depends from a lot of variables.

      3) In this case the only way to distinguish users is a programmatic
      way ?

      Many thanks in advance
      Moreno

        • 1. Re: Two-Phase Login
          Scott Stark Master

          1) there are not two phases to authentication. All that you could possibly do is to install a custom place holder java.security.acl.Group that lazily acquired the roles used for authorization.

          2) Same as 1, there are not two phases. The security context is created during authentication and there is the possibility to lazily acquire roles given a place holder created during phase1, but since you don't seem to even know the key used to acquire roles, you'll need a placeholder proxy that is updated by a custom interceptor.

          3) Yes, you are going to have to associate the roles after the fact outside of the JAAS login phase. This would have to be a custom interaction between the Group you installed during the authentication phase. If you can do this then the existing declarative security mechanism just works. If you cannot then you need to augment authentication with a custom interceptor/filter that manages the authorization checks.