0 Replies Latest reply on Oct 10, 2005 10:59 AM by Dimitar Vlasev

    web application security identification

    Dimitar Vlasev Newbie

      Hi everyone.
      I am developing a web application and trying to achieve the following:
      When accessing session beans I want the bean's caller identity to be a constant value not related to the user login information. Reason: I am using beans defined in another web application which uses container-managed authentication, and there is a caller identity (principal name) check within a filter.
      So far I have tried to make my own CustomLoginModule which takes the principal name and roles from the options map. I have a "dummy" login page with a hidden form having both j_username and j_password fields empty. The form action is j_security_check, and it's invoked automatically.
      Everything looks fine: when I start the application, the automated login process leads me to my web app welcome page and I have the following request attribute:
      j_subject = Subject: Principal: myPrincipal Principal: Roles(members:myRoles)
      But when I obtain a session bean, its caller identity is void (principal name == "", roles == "").
      I found out that those values within the caller identity are the values of j_username and j_password, and I cannot set them outside of the form.
      Trying to find out what j_security_check does, I found the Catalina source used for container-managed authentication within the Tomcat container.
      Here is a snippet that got my attention:

      public final class Constants {
          public static final String FORM_PASSWORD = "j_password";
          public static final String FORM_USERNAME = "j_username";
      }

      public class FormAuthenticator extends AuthenticatorBase {
          public boolean authenticate(HttpRequest request, HttpResponse response,
                                      LoginConfig config) throws IOException {
              Realm realm = context.getRealm();
              HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
              // Both values are read straight from the posted login form fields
              String username = hreq.getParameter(Constants.FORM_USERNAME);
              String password = hreq.getParameter(Constants.FORM_PASSWORD);
              if (debug >= 1)
                  log("Authenticating username '" + username + "'");
              // The realm is handed exactly these two form values
              Principal principal = realm.authenticate(username, password);
              // ...
          }
      }

      I believe this piece of code does the principal registration, and when I have no j_username and j_password specified within the login form I get a void caller identity.
      I wonder whether I can obtain a reference to the realm within my CustomLoginModule.initialize() or login() methods.

      Or whether there is a way to impersonate my web application and set a constant "caller identity". That would be even better.

      Thanks in advance for your advice.
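Added example (editor's code, not from the original post, JBoss or Tomcat) of the kind of module the post describes: a JAAS LoginModule that ignores whatever j_username and j_password were submitted, always succeeds, and commits a fixed principal plus a Group named "Roles" (the group name JBoss reads EJB roles from) into the Subject. The class name, the option names `principal` and `roles`, and the helper Principal/Group classes are assumptions; the Group type is java.security.acl.Group, which JBoss 4 expects and which was removed from the JDK in Java 14. Two things a practitioner should keep in mind: as the posted FormAuthenticator snippet shows, the realm receives the j_username string from the form regardless of what this module puts into the Subject, so the module alone does not control that value; and a fixed identity removes per-user accountability for every call made through it, so the principal-name check in the other application no longer distinguishes users.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Example JAAS module (assumed class name). login() never looks at the
 * submitted credentials; commit() adds a fixed principal and a Group named
 * "Roles" to the Subject, both taken from the module options.
 */
public class FixedIdentityLoginModule implements LoginModule {
    private Subject subject;
    private String principalName;
    private String[] roleNames = new String[0];

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        // Assumed option names: principal=<name>  roles=<r1,r2,...>
        principalName = (String) options.get("principal");
        String roles = (String) options.get("roles");
        if (roles != null && roles.trim().length() > 0) {
            roleNames = roles.trim().split("\\s*,\\s*");
        }
    }

    public boolean login() throws LoginException {
        // No credential check at all: every caller becomes the fixed identity.
        if (principalName == null || principalName.trim().length() == 0) {
            throw new LoginException("module option 'principal' is required");
        }
        return true;
    }

    public boolean commit() {
        SimpleGroup roles = new SimpleGroup("Roles"); // JBoss reads roles from this group
        for (String r : roleNames) {
            roles.addMember(new SimplePrincipal(r));
        }
        Set<Principal> principals = subject.getPrincipals();
        principals.add(new SimplePrincipal(principalName));
        principals.add(roles);
        return true;
    }

    public boolean abort() { return true; }

    public boolean logout() {
        subject.getPrincipals().clear();
        return true;
    }

    /** Stand-alone run that drives the module the way a LoginContext would. */
    public static void main(String[] args) throws LoginException {
        Map<String, String> options = new HashMap<String, String>();
        options.put("principal", "myPrincipal");   // constructed sample options
        options.put("roles", "myRoles");
        Subject subject = new Subject();
        FixedIdentityLoginModule module = new FixedIdentityLoginModule();
        module.initialize(subject, null, new HashMap<String, Object>(), options);
        if (module.login()) {
            module.commit();
        }
        System.out.println(subject.getPrincipals());
    }
}

/** Minimal Principal with value equality so Set membership works. */
class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public boolean equals(Object o) {
        return o != null && o.getClass() == getClass()
            && name.equals(((SimplePrincipal) o).name);
    }
    public int hashCode() { return name.hashCode(); }
    public String toString() { return name; }
}

/** Minimal java.security.acl.Group: a named set of member principals. */
class SimpleGroup extends SimplePrincipal implements Group {
    private final Set<Principal> members = new HashSet<Principal>();
    SimpleGroup(String name) { super(name); }
    public boolean addMember(Principal p) { return members.add(p); }
    public boolean removeMember(Principal p) { return members.remove(p); }
    public boolean isMember(Principal p) { return members.contains(p); }
    public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
    public String toString() { return getName() + "(members:" + members + ")"; }
}
```

In a JBoss 4 deployment the module would be listed in login-config.xml under the application policy the web app's security domain points to, with the two options set there; the main() above only shows what the Subject looks like after login() and commit().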