2 Replies Latest reply on Jul 1, 2004 4:15 AM by snavjot

    jaas behaviour for unchecked URIs



      When we have a checked URI and we authenticate successfully, the principal is available from current request object.

      However, if we navigate to an unchecked URL ( i mean with no security-constraint imposed) then the principal is not available.

      I thought that the JAAS implementations save the principal in Session after authentication. But NO. Jboss seems to save this principal information *somewhere* and if web-resource with security-constraint is asked for, it checks, retreive and save principal in request object. Please correct me if my understanding is wrong.

      Where does Jboss's JAAS impl store the authenticated principals and it's mapping with session ids??

      Any help/pointer is appreciated.

      Navjot Singh

        • 1. Re: jaas behaviour for unchecked URIs
          stueccles Newbie

          yes by default Tomcat (dont know about Resin) stores the principals in the session (strangely using Session.setNote() so actually its not available through HttpSession ) but JBoss instead doesnt store the principals and instead stores the credentials in the session it then delegates to the JbossSecurityMgrRealm which delegates to the JBoss security manager which uses the credentials to authenticate and stores the principals in its own cache.

          Subsequent checked requests are always sent to the JBoss security manager which looks it up in its own cache. hence the principals are only available when it bothers to reauthenticate in a checked URI. And those are only ever stored in the request not in the session.

          So if you want to track a user on unchecked pages you have to do it yourself

          the way i see it you could
          1) Have a filter that takes the sees if you have a request.getUserPrincipal() and if so stores it in the session too. if a request does not have a request.getUserPrincipal() looks in the session and gets the principal and then does a request.setUserPrincipal() (Note this wont help you if the user calls EJB methods that have security.. you would also have to set the security association)
          2) Write a custom tomcat authenticator.
          3) Make all pages checked pages in the web.xml but have public accessable pages accessible to a "guest" role

          • 2. Re: jaas behaviour for unchecked URIs

            thx for a detailed reply that's not readily available at jboss forums.

            Yes, I wrote a filter that will save the authenticated principal in session for me.

            As i am moving away from existing app, that relies on some jey in session. So, i got to save the principal in session. I found it better than digging the code of entire app.

            I know i should have planned properly but never mind. Will refactor when i get some time.

            thanks again.
            Navjot Singh