2 Replies Latest reply on Sep 20, 2004 11:57 AM by Scott Stark

    JAAS login not visible when Servlet secure using BASIC HTTP

    Lea Thurman Newbie

      Hi All,

      I am attempting to secure both my EJB and web content.

      I have implemented a login servlet and login filter as per the instructions in jaas_howto and this is all working as expected with the principal being propagated through to the EJB layer. Heavy going but an excellent document.

      However what surprised me was that when I secured some web content using BASIC HTTP authentication I was still asked for the username and password even after logging on.

      Reading the howto document I was under the impression that the filter using the ClientLoginModule would transfer these details so they would be visible to the web layer.

      The jass_howto example does not really exercise this case i,e logging on and then accessing a secured servlet.

      In my application now the user successfully logs on and then keeps getting asked for a username and password every time they request secure content

      I have read some alternative solutions, one being to code another filter to reject all access to anything other than the login however I would sooner use the declarative approach since then I can control based on role and I will need to use the role in this layer. (I bet isInRole will not work also)

      Am i doing something wrong or is this the expected behaviour? If its the latter how is everyone else achieving this using declarative security?

      Any help would be much appreciated.