4 Replies Latest reply on Dec 6, 2004 11:12 AM by Scott Stark

    why multiple authentication !

    pepone moiti Newbie

      Hello Everybody,

      I use authentication on JBoss using a how-to found at: http://www.javaworld.com/javaforums/printthread.php?Board=JavaSecurity&main=2500&type=post

      But I have a problem: when I call any page of the site (servlet or JSP), it returns me the form login page (it's OK), so I log in. When logged in, I expect it to return me the page requested at the beginning (which contains frames), BUT in each frame I find the login window. I feel like the servlet (of authentication) checks authentication well, but it's not saved, and when we request another page, it replies with the login again.
      If anybody has an idea, welcome.

      I give you the content of web.xml and the code snippet of the servlet (authentication).

      Thanks.

      Here are my rules in web.xml:
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>action</web-resource-name>
          <description>Declarative security tests</description>
          <url-pattern>/affichegrille</url-pattern>
          <url-pattern>/afficheDoc</url-pattern>
          <url-pattern>/jsp/*</url-pattern>
          <!--<url-pattern>/accespws</url-pattern>-->
          <http-method>HEAD</http-method>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
          <http-method>PUT</http-method>
          <http-method>DELETE</http-method>
        </web-resource-collection>
        <!-- The role that has access to all the resources -->
        <auth-constraint>
          <role-name>Java</role-name>
        </auth-constraint>
        <user-data-constraint>
          <description>no description</description>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/logon.jsp</form-login-page>
          <form-error-page>/logon.jsp</form-error-page>
        </form-login-config>
      </login-config>

        • 1. Re: why multiple authentication !
          pepone moiti Newbie

          CODE SNIPPET OF THE SERVLET AUTHENTICATION

          import java.io.File;
          import java.io.IOException;
          import java.rmi.RemoteException;
          import java.util.Hashtable;
          import java.util.Set;
          import javax.ejb.CreateException;
          import javax.security.auth.Subject;
          import javax.security.auth.callback.CallbackHandler;
          import javax.security.auth.login.LoginContext;
          import javax.security.auth.login.LoginException;
          import javax.servlet.RequestDispatcher;
          import javax.servlet.ServletException;
          import javax.servlet.http.HttpServletRequest;
          import javax.servlet.http.HttpServletResponse;
          import javax.servlet.http.HttpSession;
          import org.jboss.security.SimplePrincipal;
          import org.jboss.security.auth.callback.SecurityAssociationHandler;

          // The fields and helpers used below (gedAccess, gedAccessHome,
          // p_applicationMetier, initGedAccess(), deleteDirectory()) are
          // defined elsewhere in the servlet and are not part of this snippet.
          protected void forward(HttpServletRequest request, HttpServletResponse response)
              throws ServletException, IOException
          {
              System.out.println("appel de accesPWS.forward()");
              String useraction = request.getParameter("useraction");
              String buildUrl = null;
              if (useraction != null && useraction.equals("close"))
              {
                  // Logout: release the EJB, the per-session work directory and the session
                  HttpSession session = request.getSession(false);
                  try {
                      System.out.println("Appel de close");
                      gedAccess.remove();
                      deleteDirectory((String) session.getAttribute("repUsr"));
                      session.invalidate();
                  } catch (Exception e) {
                      e.printStackTrace();
                  }
              }
              else
              {
                  if (useraction != null && useraction.equals("form"))
                  {
                      // The credentials posted by logon.jsp are checked against the
                      // "pws" JAAS application policy directly from the servlet
                      String username = request.getParameter("j_username");
                      String password = request.getParameter("j_password");
                      try
                      {
                          SecurityAssociationHandler handler = new SecurityAssociationHandler();
                          SimplePrincipal user = new SimplePrincipal(username);
                          handler.setSecurityInfo(user, password.toCharArray());
                          LoginContext loginContext = new LoginContext("pws", (CallbackHandler) handler);
                          loginContext.login();
                          System.out.println(username + " -> OK");
                          Subject subject = loginContext.getSubject();
                          Set principals = subject.getPrincipals();
                          principals.add(user);
                      } catch (LoginException e)
                      {
                          System.out.println("Erreur de login");
                          buildUrl = "error.jsp";
                          e.printStackTrace();
                      }
                  }
                  // LOGIN OK **************************************
                  if (buildUrl == null)
                  {
                      HttpSession session = request.getSession(true);
                      System.out.println(session.getId());
                      File rep = new File("c:\\Temp\\" + session.getId() + "\\");
                      buildUrl = "/jsp/ged.jsp";
                      try {
                          if (rep.mkdir())
                              session.setAttribute("repUsr", "c:\\\\Temp\\\\" + session.getId() + "\\\\");
                          else
                              System.out.println("Echec dans la creation du repertoire de travail");
                          String usr = "2";
                          session.setAttribute("usr", usr);
                          session.setAttribute("username", request.getParameter("username"));
                          initGedAccess();
                          try {
                              gedAccess = gedAccessHome.create();
                          } catch (RemoteException e1) {
                              e1.printStackTrace();
                          } catch (CreateException e2) {
                              e2.printStackTrace();
                          }
                          session.setAttribute("gedAccess", gedAccess);
                          session.setAttribute("application", p_applicationMetier);
                          Hashtable tokens = gedAccess.getTokens(usr);
                          session.setAttribute("tokens", tokens);
                          System.out.println("buildUrl=" + buildUrl);
                          RequestDispatcher rd = getServletContext().getRequestDispatcher(buildUrl);
                          rd.forward(request, response);
                      } catch (Exception e) {
                          e.printStackTrace();
                      }
                  }
                  // END OF LOGIN OK ****************************************
              } // end of the else: end or start of session
          }

          • 2. Re: why multiple authentication !
            Scott Stark Master

            The JAAS login does not change the security association at the web container level such that forwarded requests are done with that security context. The JAAS login affects calls to other secured resources like JMS, EJBs, and JCA. I have created a feature request to see if this is something we can provide support for in the future:
            http://jira.jboss.com/jira/browse/JBWEB-3

            • 3. Re: why multiple authentication !
              pepone moiti Newbie

              BUT when I use basic authentication in web.xml,
              <auth-method>BASIC</auth-method>
              <realm-name>GedOnLine Securité</realm-name>
              it works fine.

              So why can it not also work with FORM authentication?

              • 4. Re: why multiple authentication !
                Scott Stark Master

                Because form auth requires tight integration with the web container security internals. Basic auth passes in the username and password as part of the HTTP request, and we integrate with the HTTP URL authentication mechanism.
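Added example (not code from this thread): the container-managed alternative to the servlet posted above, in which logon.jsp posts to j_security_check and the protected servlet reads the principal and role that the web container established. The role name "Java", the /jsp/ged.jsp forward target and the "useraction=close" logout parameter come from the thread's web.xml and snippet; the servlet class, its mapping and the HTML form are assumptions.

```java
// Assumes the thread's web.xml: FORM auth, form-login-page /logon.jsp, role "Java".
// logon.jsp must post to j_security_check; the container performs the login and
// records it in the session, so every later request (each frame) is seen as
// authenticated. No LoginContext is created in application code.
//
//   <form method="POST" action="j_security_check">
//     <input type="text"     name="j_username">
//     <input type="password" name="j_password">
//     <input type="submit"   value="Login">
//   </form>
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet mapped under one of the protected url-patterns
// (e.g. /affichegrille) to verify the container's security association.
public class ContainerAuthCheckServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Set by the web container after j_security_check, never by a
        // LoginContext.login() call made inside a servlet.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            // Only reachable if the URL is outside every <url-pattern> of the
            // <security-constraint>; otherwise the container already showed logon.jsp.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "not container-authenticated");
            return;
        }
        if (!request.isUserInRole("Java")) {   // role from <auth-constraint>
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing role Java");
            return;
        }
        if ("close".equals(request.getParameter("useraction"))) {
            // Logout under Servlet 2.3/2.4: invalidating the session also drops the
            // container's FORM login, so the next request gets logon.jsp again.
            HttpSession session = request.getSession(false);
            if (session != null) session.invalidate();
            response.sendRedirect(request.getContextPath() + "/logon.jsp");
            return;
        }
        // The forwarded page runs with the same authenticated request.
        getServletContext().getRequestDispatcher("/jsp/ged.jsp").forward(request, response);
    }
}
```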