1 Reply Latest reply on Jan 17, 2006 8:38 PM by Jean Croteau

    Custom JAAS-Login with Servlet-Filter and Struts-App. for Au

    Markus Schaefer Newbie

      Hi all!

      I have a question about our general architecure of an WebApp-authentication:

      We use a custom JAAS Login-Module, which is initially called by a Struts-Action. The Action adds the LoginContext to the HttpSession on successful authentication.

      The Application is further protected by a ServletFilter, which checks the session for the LoginContext:
      if LoginContext available => lc.login(); doFilter(..); lc.logout()
      else => redirect to Login-JSP calling above mentioned Struts-Action.

      The module-stack (in login-config.xml) for our custom login contains both our custom LoginModule and ClientLoginModule.

      Everything works fine so far, but we cannot retrieve HttpServletRequest.getRemoteUser() and HttpServletRequest.isUserInRole() as it seems, that our Principals are not "injected" into the web-container's context.

      Is there a way to get the Subject's data into the context/request?
      Is it probably a configuration issue?
      Or is the design generally bad?

        • 1. Re: Custom JAAS-Login with Servlet-Filter and Struts-App. fo
          Jean Croteau Newbie

          I would recommend that you use standard FORM authentication with j_security_check. If you add your struts action in the protected resources, your authentication page will be displayed. Make sure you have added both ClientLoginModule and your own LoginModule in the application policy under the login-config.xml for your security realm. If you use this method, the entire login context stuff is taken care of automatically by the container. I never had to write anything.

          We did write a custom Form authenticator, Realms etc. and it was not very hard to set up, but we had to recompile some classes in JBoss because of package visibility issues, which is not a critic by the way.

          Also make sure your LoginModule properly adds the roles, principals and the likes to your subject in the commit methods.

          Make sure your security realm is properly configured in your tomcat server.xml file. You will need to add the realm configuration in there (use the default JBossSecurityMgrRealm) and put a jboss-web.xml with the name of your JBoss realm in there (the same name that was defined in your login-config.xml for application policy).

          Also try and configure the server.xml in tomcat to use the jboss class loader. We had some issues where some classes where not Equal in your callbackhandler because of different classloaders. There is a parameter out there that you can set to true.

          If not, have a look into the source of:
          org.jboss.web.tomcat.security.FormAuthenticator and look how they set the principal returned by the realm (an isntance of JBossGenericPrincipal) in the session using notes.

          Then look at the source of:
          org.jboss.web.tomcat.security.SecurityAssociationValve

          If I remember right, all you have to do with your principal and the likes are to invoke the SecurityAssociationActions method like to make sure the credentials are properly associated
          SecurityAssociationActions.setPrincipalInfo(principal.getAuthPrincipal(),
          principal.getCredentials(), principal.getSubject());

          Hope this helps !