0 Replies Latest reply on Mar 16, 2005 4:41 AM by Maarten van Hulsentop

    Multiple authentication methods

    Maarten van Hulsentop Newbie

      Hi all,

      We would really like to receive some advice on our current issue. We
      tried to solve it in some ways but we still have issues.

      We have an application that uses JAAS to authenticate users on our web
      app and EJB beans. Users can enter both trough basic authentication
      (always passed from the client, no popup needed) and through an
      'alien' sessionID in the request that is checked against a self-written API
      that can return a principal username for a sessionID. When a user uses
      the sessionID, no BASIC authentication should be done.

      We've implemented this using a LoginModule to authenticate users who
      enter with BASIC authentication, and a Valve to 'authenticate' users
      before any BASIC authentication is done (so effectively bypassing it).

      This seems to work for the webapp (tomcat), that seems to pick up
      the principal set by the valve just fine. The EJB beans however, do not
      'like' this; they cannot detect that a principal has been set.

      The principal-set routine in the valve looks like this (code snippet):

      ((HttpRequest) request).setUserPrincipal(principal);
       if (principal != null)
       ((HttpRequest) request).setAuthorization(principal.getName());
       ((HttpRequest) request).setAuthorization(null);

      My question(s) are:

      - Is the Valve-way the way to go, or should the session-authenticate be
      moved towards a loginmodule?
      - If the latter is the case, how can we 'disable' the BASIC authentication
      popup whilst keeping BASIC authentication validation?
      - How should we implement the principal-set routine (code above) to
      propagate the principal when choosing for the all-valve way? Obviously
      we're doing something wrong.
      - Any other alternatives?

      Any help/hints would be great!

      thanks in Advance