We would really like to receive some advice on our current issue. We
tried to solve it in some ways but we still have issues.
We have an application that uses JAAS to authenticate users on our web
app and EJB beans. Users can enter both through basic authentication
(always passed from the client, no popup needed) and through an
'alien' sessionID in the request that is checked against a self-written API
that can return a principal username for a sessionID. When a user uses
the sessionID, no BASIC authentication should be done.
We've implemented this using a LoginModule to authenticate users who
enter with BASIC authentication, and a Valve to 'authenticate' users
before any BASIC authentication is done (so effectively bypassing it).
This seems to work for the webapp (Tomcat), which seems to pick up
the principal set by the valve just fine. The EJB beans, however, do not
'like' this; they cannot detect that a principal has been set.
The principal-set routine in the valve looks like this (code snippet):

    HttpRequest httpRequest = (HttpRequest) request;
    // principal resolved from the 'alien' sessionID, or null if the lookup found nothing
    httpRequest.setUserPrincipal(principal);
    if (principal != null) {
        httpRequest.setAuthorization(principal.getName());
    } else {
        httpRequest.setAuthorization(null);
    }
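As an added illustration (not the poster's code) of what the valve on the sessionID path can look like, written against the Tomcat 4.x-style Valve/HttpRequest API that the snippet above implies (ValveBase.invoke taking a ValveContext, HttpRequest.setUserPrincipal/setAuthType, the four-argument GenericPrincipal constructor). The header name X-Alien-Session, the SessionLookup interface standing in for the self-written API, and the constructor wiring of that lookup are assumptions made for the example; the point it shows is that the session ID from the request is never used as an identity itself, only the backend lookup's answer is.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import org.apache.catalina.HttpRequest;
import org.apache.catalina.Request;
import org.apache.catalina.Response;
import org.apache.catalina.ValveContext;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

/**
 * Example valve (not from the original post): resolves an 'alien' session ID
 * sent in a request header to a principal before the BASIC authenticator runs.
 * The header name, the lookup interface and the constructor wiring are
 * assumptions made for this example.
 */
public class AlienSessionValve extends ValveBase {

    /** Assumed name of the header that carries the alien session ID. */
    static final String SESSION_HEADER = "X-Alien-Session";

    /** Assumed shape of the self-written API: sessionID -> username, or null if unknown. */
    public interface SessionLookup {
        String usernameFor(String sessionId);
    }

    private final SessionLookup lookup;

    public AlienSessionValve(SessionLookup lookup) {
        this.lookup = lookup;
    }

    public void invoke(Request request, Response response, ValveContext context)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
        String sessionId = hreq.getHeader(SESSION_HEADER);

        if (sessionId != null && sessionId.length() > 0) {
            // The header value is untrusted input: only the backend lookup decides
            // who the caller is, and the raw session ID is never used as a username.
            String username = lookup.usernameFor(sessionId);
            if (username != null) {
                // Roles, if any, would also have to come from the lookup, not the request.
                List roles = new ArrayList();
                Principal principal =
                    new GenericPrincipal(getContainer().getRealm(), username, null, roles);
                HttpRequest httpRequest = (HttpRequest) request;
                httpRequest.setUserPrincipal(principal);
                // Record how this request was authenticated alongside the principal,
                // so downstream code sees a complete authentication, not just a name.
                httpRequest.setAuthType("ALIEN_SESSION");
            }
            // An unknown session ID falls through untouched: no principal is set from
            // the header, and the normal BASIC authentication path still applies.
        }
        context.invokeNext(request, response);
    }
}
```

The valve deliberately does nothing on a failed lookup rather than setting a null principal, so a forged or expired session ID degrades to the ordinary BASIC path instead of leaving a half-authenticated request behind.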