2 Replies Latest reply on May 10, 2009 10:36 PM by Ragav Gomatam

    logincontext.login is temporary

    Johney Tsai Newbie

      I am using a login.jsp which posts to a LoginServlet which in turn calls the DatabaseServerLoginModule to authenticate users. In the doPost method of my LoginServlet I can see the authenitcated user and all is well. However, once it leaves this method, the user's principals become null.

      Here is my login-config.xml
      Note: I have added the clientloginmodule as well which is required for propogation.

      <application-policy name="jaastest">
       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
       <module-option name="dsJndiName">java:/DefaultDS</module-option>
       <module-option name="principalsQuery">
       SELECT password FROM Users WHERE user=?
       <module-option name="rolesQuery">
       SELECT roles,'Roles' FROM UserRoles WHERE user=?
       <module-option name="debug">true</module-option>
       <module-option name="hashAlgorithm">MD5</module-option>
       <module-option name="hashEncoding">hex</module-option>
       <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>

      Here is the login.jsp
      <FORM name="logonForm" action="/LoginServlet" METHOD="POST">
      <font color="red"><%=errorMsg%></font><br>
      <TABLE width="100%" border="0" cellspacing="0" cellpadding="1" bgcolor="white">
      <TR align="center">
       <TD align="right" class="Prompt"></TD>
       <TD align="left">
       <INPUT type="text" name="username" maxlength=64>
      <TR align="center">
       <TD align="right" class="Prompt"> </TD>
       <TD align="left">
       <INPUT type="password" name="password" maxlength=64 >
      <TR align="center">
       <TD align="right" class="Prompt"> </TD>
       <TD align="left">
       <input type="submit" value="Login">

      LoginContext loginContext = new LoginContext("jaastest", new org.jboss.security.auth.callback.UsernamePasswordHandler(username, password));
      System.out.println("logged in");
      Iterator it = loginContext.getSubject().getPrincipals().iterator();
       Object o = it.next();
       System.out.println("principle: "+o.getClass().getName()+ " "+o);
      //redirect back to standard page
      catch(LoginException e)
       HttpSession session = request.getSession(false);
       session.setAttribute("ERRORMSG", "Invalid username or password");

      I did the servlet mappings in my web.xml as well as define a protected resource /test.jsp

      When I bring up the application in the browser, I try to login and it redirects me back to the index.jsp page (if I provide bad credentials, I see my error msg), but when I try to access test.jsp via a link or typing in the URL bar, it makes me login again and the cycle repeats.

      I see these msgs printed to the console in LoginServlet.

      00:33:28,404 INFO [STDOUT] logged in
      00:33:28,405 INFO [STDOUT] principle: org.jboss.security.SimplePrincipal myUser
      00:33:28,409 INFO [STDOUT] principle: org.jboss.security.SimpleGroup Roles(members:admin)

      Any ideas why I can't seem to stay logged in?

      I've tried to get rid of response.sendRedirect but it still makes me login everytime I want to get to a protected resource.