We have an existing J2EE-based application where the authentication mechanism was Apache. Now we would like to incorporate security into our applications using JBossSX. We want role-based declarative authentication. The user ID and password will be stored in Active Directory and role information will be inside openLDAP. Note: for now we want only protection or restriction of URLs and not EJBs.
Q1: Let's say we have authenticated the user against Active Directory and a Subject is created with the user's credentials. Now if the user visits a second time, will the authentication happen again?
Can the container read roles from the user's Subject and validate them against the roles defined for the restricted URL without executing the login module? Let me know the best approach. Do I need to write a ClientLoginModule even though I am doing web URL restriction?
Q2: I am using Active Directory for username and password authentication and openLDAP for reading role information, so do I need to write two LoginModules or can I integrate them? Also, which LoginModule will be best for this? I am considering UsernamePasswordLoginModule.
Thanks in advance.
Q1: See the documentation on the authentication cache.
Q2: See the documentation on the "useFirstPass" password-stacking option and the default LDAP login module implementation.
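The two-module stack the reply points at, written out as an added example; it is not part of the original thread and not a configuration shipped with JBoss. It is in the conf/login-config.xml format of JBoss AS 4/5 and uses the shipped LdapExtLoginModule twice: the first entry authenticates the caller against Active Directory, the second reads roles from openLDAP. The host names, bind DNs, containers, the "OU=Unused" container and the domain name "ad-auth-openldap-roles" are assumptions, not values from the thread. The two password-stacking=useFirstPass options are what make the second module reuse the identity established by the first instead of asking for credentials again.

```xml
<!-- conf/login-config.xml: one security domain, two stacked login modules.
     Example configuration; all names below are assumed placeholders. -->
<application-policy name="ad-auth-openldap-roles">
  <authentication>

    <!-- Module 1: authenticate against Active Directory.
         password-stacking=useFirstPass makes the module publish the
         caller's name and password into the JAAS shared state for the
         next module (and use them itself if a prior module set them). -->
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://ad.example.com:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <!-- service account used only to locate the user's DN; the user's
           own password is then verified by binding as that DN -->
      <module-option name="bindDN">CN=svc-jboss,OU=Service Accounts,DC=example,DC=com</module-option>
      <module-option name="bindCredential">CHANGE-ME</module-option>
      <module-option name="baseCtxDN">OU=Users,DC=example,DC=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <!-- the module always runs a role search; pointing it at an assumed
           empty container keeps AD groups out of the role decision -->
      <module-option name="rolesCtxDN">OU=Unused,DC=example,DC=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
    </login-module>

    <!-- Module 2: roles from openLDAP. With useFirstPass it takes the
         identity already established above; its own directory bind is
         done with a read-only service DN, never with the user's password. -->
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://openldap.example.com:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">cn=readonly,dc=example,dc=com</module-option>
      <module-option name="bindCredential">CHANGE-ME</module-option>
      <module-option name="baseCtxDN">ou=people,dc=example,dc=com</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="rolesCtxDN">ou=roles,dc=example,dc=com</module-option>
      <!-- groupOfNames entries whose member attribute holds the user DN;
           the entry's cn becomes the role name the web container checks -->
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
    </login-module>

  </authentication>
</application-policy>
```

The web application selects this domain with <security-domain>java:/jaas/ad-auth-openldap-roles</security-domain> in jboss-web.xml, and the <role-name> values in the web.xml security constraints must match the cn values found under ou=roles. This answers Q1 as well: the JaasSecurityManager caches the authenticated Subject per security domain for DefaultCacheTimeout seconds (1800 by default in conf/jboss-service.xml, revalidated every DefaultCacheResolution seconds), so further requests carrying the same principal are authorized from the cached Subject without rerunning either module. The caveat is the mirror image: a password change in AD or a role removal in openLDAP is not seen until the cache entry expires or is flushed with the JaasSecurityManager MBean's flushAuthenticationCache operation. Before relying on the second module, confirm for your JBossSX version that LdapExtLoginModule still performs its role search when it takes the identity from shared state; if it does not, a small module that extends UsernamePasswordLoginModule and overrides getRoleSets() to query openLDAP is the fallback.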