2 Replies Latest reply on Jun 8, 2005 11:05 PM by techiestuff

    Dynamic login behavior

    techiestuff

      Hi,
      I am using JBoss4.01 and trying to get JAAS working.
      Requirements -
      1. Some pages can be viewed by everybody without login (anonymous)
      2. Page A requires login depending on client IP address. If the client IP matches with a predefined one, no need to login and hence the resource is not a protected one, otherwise a login needs to happen.

      My approach -
      As soon as user accesses the site, a filter would try to (implicitly) login the user and return a 'priviliged' role if the IP matches.
      Right now I have written my own CallbackHandler and Loginmodule(very basic), but I get a null pointer exception because there is no password/IP set.

      The problem -
      1. How do I pass the IP address?
      2. Can I make use of the ClientLoginModule?
      3. If I fake the password field and actually pass the IP address, how do I actually pass the password when login is required?
      4. Is my approach of implicit logging commonly used? Is there anything to be careful about?

      I have read the JAAS How to guide, but that also does not seem to answer my question. I'd appreciate your response.

      Thanx

        • 1. Re: Dynamic login behavior
          techiestuff

          Hi again,
          I have got some parts of the problem working, which is sort of a workaround.
          I wrote my callbackhandler and customloginmodule. To the callbackhandler I pass the IP address instead of the password although the type is still PasswordCallback. In the customloginmodule(extended from UsernamePasswordLoginModule) made the following change-
          // Imports and the enclosing class (name is illustrative) added so the snippet compiles
          import java.security.acl.Group;
          import javax.security.auth.login.LoginException;
          import org.jboss.security.SimpleGroup;
          import org.jboss.security.SimplePrincipal;
          import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

          public class CustomLoginModule extends UsernamePasswordLoginModule
          {
              // The expected "password" is the IP the filter placed in the PasswordCallback
              protected String getUsersPassword()
              throws LoginException
              {
                  return ("IP I am looking for");
              }

              // Every caller whose "password" matched gets the Priviliged role
              protected Group[] getRoleSets()
              {
                  Group[] groups = {new SimpleGroup("Roles")};
                  SimplePrincipal role = new SimplePrincipal("Priviliged");
                  groups[0].addMember(role);
                  return groups;
              }
          }

          Now in one of the action classes, I created a new logincontext and invoked the login method.
          The problem is that the JBoss server still does not know the user has been authenticated with the given role. When trying to access a protected resource with an anonymous (null) user and the Priviliged role, it still asks for the username and password.

          I'd really appreciate any help.
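
          The approach from the first post and the snippet above, as one complete module, is an added example and not techiestuff's code: the filter (not shown) would construct the handler with ServletRequest.getRemoteAddr() and then create the LoginContext. The class names, the fixed "anonymous" user name and the "trustedIp" module option read from login-config.xml are assumptions.

```java
import java.security.acl.Group;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/** Hypothetical module: the "password" carried by the callback is the client IP. */
public class ClientIpLoginModule extends UsernamePasswordLoginModule {

    /** Hands the filter's values to the module: a fixed user name and the remote address. */
    public static class ClientIpCallbackHandler implements CallbackHandler {
        private final String clientIp;
        public ClientIpCallbackHandler(String clientIp) { this.clientIp = clientIp; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    ((NameCallback) callbacks[i]).setName("anonymous");   // no real user yet
                } else if (callbacks[i] instanceof PasswordCallback) {
                    // A non-null value avoids the NullPointerException from an empty PasswordCallback
                    ((PasswordCallback) callbacks[i]).setPassword(clientIp.toCharArray());
                } else {
                    throw new UnsupportedCallbackException(callbacks[i]);
                }
            }
        }
    }

    private String trustedIp;

    /** "trustedIp" is an assumed module option set in login-config.xml. */
    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        super.initialize(subject, handler, sharedState, options);
        trustedIp = (String) options.get("trustedIp");
    }

    /** The expected "password" is the configured IP; the superclass compares it with the callback value. */
    protected String getUsersPassword() throws LoginException {
        if (trustedIp == null) throw new LoginException("trustedIp module option not set");
        return trustedIp;
    }

    /** Only a caller whose address matched reaches this point and receives the Priviliged role. */
    protected Group[] getRoleSets() throws LoginException {
        Group roles = new SimpleGroup("Roles");
        roles.addMember(new SimplePrincipal("Priviliged"));
        return new Group[] { roles };
    }
}
```

          getRemoteAddr() is the socket peer address; a proxy header such as X-Forwarded-For is client-supplied and should not be the value fed into this check.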

          • 2. Re: Dynamic login behavior
            techiestuff

            Did not mention explicitly in my previous post, that I used the SecurityAssociation.setSubject method so that JaasSecurityManager has an active subject. The browser still gives me the username/password popup although the jaassecuritymanager has an active subject.
            Do I need to set the user principal in the request? Or some other object?
            From my understanding, if the security manager has an active subject it means it has been authenticated.