4 Replies Latest reply on Nov 10, 2004 2:41 AM by Scott Stark

    Form based auth + EJB Auth working, How to use form-auth on

    Wessel de Roode Newbie

      Hi!,

      I've a problem which i haven't figured out yet.

      I have a form based authentication () which works fine.
      I have my EJB's protected with the same security domain which works ok if I supply a valid username & password to a standalone client

      What I would expected is that the servlet container would authenticate itself to the beans but this isn't the case (or can I configure this so it would? that would be great!)

      As a way to fix this, I'm having my web-app authenticate to the beans with the javax.security.auth.login.LoginContext
      Got this working example from jkuhn (thanks!!)
      I can't bridge the authenticated servlet to the EJB's only if i fill in a password in the servlet code which of course is not an option :-(

      Q1 Is there a way how i can have the servlet container authenticate it self to the beans in another way than this one below?
      Q2 How can i get the value of j_password from the form. This is not possible with the usual request.getParameter("j_password")

      This is a code snippet of my LogonAction.java

       public ActionForward execute(ActionMapping mapping,
       ActionForm form,
       HttpServletRequest request,
       HttpServletResponse response)
       throws IOException, ServletException {
      
       HttpSession session = request.getSession();
      
       String username="";
       String password="";
      
       username = "wessel";
       password = "mysecretpassword";
      
      // ****** HERE's the Headace! How to get these two from the
      // web-servlet!
      // request.getParameter("j_password"); always returns null
      
      
       LoginContext lc = null;
       try{
       AppCallbackHandler handler = new
       AppCallbackHandler(username, password.toCharArray() );
       lc = new LoginContext("spawnzone", handler);
       System.out.println("Created LoginContext");
       lc.login();
       System.out.println("Logged in.");
       Iterator it = lc.getSubject().getPrincipals().iterator();
       while(it.hasNext()) {
       Object o = it.next();
       System.out.println("principle: "+
       o.getClass().getName()+ " "+o);
       }
       }catch (LoginException le){
       System.out.println("Login failed");
       le.printStackTrace();
       }
      


      Many many thanks for who gives the solution to bridge these two ... it's pritty frustrating having the two ends 'just' not close enough to tie them together :-)

      Wessel

        • 1. Re: Form based auth + EJB Auth working, How to use form-auth
          Wessel de Roode Newbie

          I've found a workaround to get the username & password back from the Form based authentication. I'm working with a Filter which intercepts the post and stores the values in the session scope.

          package com.artomilito.www.colossus;
          
          import java.io.IOException;
          
          import javax.servlet.Filter;
          import javax.servlet.FilterChain;
          import javax.servlet.FilterConfig;
          import javax.servlet.ServletException;
          import javax.servlet.ServletRequest;
          import javax.servlet.ServletResponse;
          import javax.servlet.http.HttpServletRequest;
          import javax.servlet.http.HttpServletResponse;
          import javax.servlet.http.HttpSession;
          
          import org.apache.commons.logging.Log;
          import org.apache.commons.logging.LogFactory;
          
          /**
           * Login Filter 14-oct-2004, Wessel de Roode
           * From an idea of dmitry_ame at yahoo.com.
           * Written for Struts & Xdoclet & changed for
           * EJB Authentication by Wessel.
           * Purpose to intecept the username & password from a
           * FORM based authentication. The username & password
           * can now used for authenticating with EJB's
           * This filter should point to an unprotected directory
           * with an empty jsp file in it. Example /login/dummy.jsp
           *
           * The loginform should look like this in struts:
           * <FORM name="loginform" action="login/dummy.jsp" method="post">
           * <input type="text" name="j_username"/>
           * <input type="password" name="j_password"/>
           *
           * After login the loginAction or any first action that is addressed can retrieve the
           * values with:
           * HttpSession session = request.getSession();
           * String user = session.getAttribute("j_username"));
           * String pass = session.getAttribute("j_password"));
           * Without the Filter these values will be null
           * @author Wessel de Roode
           *
           * @web.filter
           * name = "LoginFilter"
           *
           * @web.filter-mapping
           * url-pattern = "/login/*"
           */
          public class LoginFilter implements Filter {
          
           static Log log = LogFactory.getLog(LoginFilter.class);
           public void init(FilterConfig arg0) throws ServletException {}
          
           public void doFilter(ServletRequest request,
           ServletResponse response, FilterChain chain)
           throws IOException, ServletException {
           HttpServletResponse httpResponse = (HttpServletResponse)response;
           HttpServletRequest httpRequest = (HttpServletRequest) request;
           String redirectString = "j_security_check";
           log.info( "Sending redirect to: " + redirectString);
          
           String username = httpRequest.getParameter("j_username");
           String password = httpRequest.getParameter("j_password");
          
           HttpSession session = httpRequest.getSession();
           // Set the attributes in the session space
           session.setAttribute("j_username", username );
           session.setAttribute("j_password", password );
          
           httpResponse.sendRedirect( redirectString +"?j_username="+username+"&j_password="+password );
          
           chain.doFilter(httpRequest, httpResponse);
           }
          
           public void destroy() {}
          }
          


          • 2. Re: Form based auth + EJB Auth working, How to use form-auth
            Scott Stark Master

            If you are using the embedded tomcat in jboss there will be automatic propagation of the security context required to access the servlet to the ejb tier. If the servlet accessing the ejb is not under a restricted context there is no security context to propagate however.

            • 3. Re: Form based auth + EJB Auth working, How to use form-auth
              Wessel de Roode Newbie

               

              "scott.stark@jboss.org" wrote:
              If you are using the embedded tomcat in jboss there will be automatic propagation of the security context required to access the servlet to the ejb tier. If the servlet accessing the ejb is not under a restricted context there is no security context to propagate however.


              Sorry for the late response, i've been to africa for a while on a long trip.

              Thanks for your reply, still not figured this out.
              - I'm using the standard JBoss 4.0.zip file from the download area with the principal-caller patch. so that the isUserInRole call works.
              - And i'm using the integrated tomcat from Jboss 4.0 .

              Still this propagation doesn't work. Could there be a problem because i'm using struts? All the struts actions are under the webcontainer restrictions.

              Any corners i should check again ?
              Please any help is welcome..

              Thanks in advance,
              Wessel de Roode


              • 4. Re: Form based auth + EJB Auth working, How to use form-auth
                Scott Stark Master

                The only thing left is to file a bug report on sourceforge with an example application that shows the problem.

                http://sourceforge.net/tracker/?group_id=22866&atid=376685