1 Reply Latest reply on Mar 20, 2006 8:44 AM by j2ee_junkie

Web Tier JAAS login and SecurityAssociation

jsb Mar 20, 2006 12:07 AM

Greetings JBoss users and developers,

I have an app running on JBoss AS 4.0.3sp1+EJB3rc3. The web tier is a JSF app that interacts with the business tier via local interfaces to session beans.

I am using the container managed security in a typical way:
* java:/jaas/mydomain security domain
* service=DynamicLoginConfig
* DatabaseServerLoginModule
* form login using ExtendedFormAuthenticator
* security-constraint restricting all access to *.jsf urls to role-name user
* preceding security-constraint with no auth-constraint allowing access to a subset of *.jsf pages without authentication

This all works very well. When a restricted access url is requested the user is presented with the login page. When users authenticate successfully, they are allowed access to the restricted pages. Unrestricted pages can be accessed by anonymous and logged in user alike. A logout action invalidates the session and logged in users become anonymous again. All good.

However, the app needs to be a bit more complicated. There is an unrestricted section of the site, where, during the course of interaction, a user can have different options depending on whether they are logged in (org.jboss.security.SecurityAssociation.getPrincipal() != null) or not. In the workflow, the user is presented with an option to log in to gain the addition options. The login window for this is spec'ed to look deferent from the default login page (form-login-page) and needs to fit cleanly in the workflow.

So I set up a JSF form to JAAS authentication based on this Ed Burns post:
http://weblogs.java.net/blog/edburns/archive/2006/03/repost_using_ja.html

After adding the ClientLoginModule to my authentication configuration (after the defined DatabaseServerLoginModule), this worked for me, but only for the course of one request. On the next click, org.jboss.security.SecurityAssociation.getPrincipal() returns null again. From reading the forum posts here, I gather that this is because the tomcat web container has not done the authentication, so the SecurityAssociation will not be propagated to the user's web tier session (or something like that).

Questions:
1) is there some way for me to properly setup the SecurityAssociation or tomcat context realm from within my JSF ActionListener with the JAAS Subject or Principle after authentication? The goal being that the user will be an authenticated and functional web tier logged-in user after doing the JAAS authentication.

2) is there some way to pass the principle/credential captured in the JSF ActionListener to the tomcat authentication system for authentication instead of doing the JAAS LoginContext myself. The hope here being that tomcat/jboss can do it's usual security thing, and setup of the SecurityAssociation for me (without doing a visible redirect to j_security_check).

Help doing one or the other, or pointing me to a new option would be greatly appreciated,
Jonn

1. Re: Web Tier JAAS login and SecurityAssociation

j2ee_junkie Mar 20, 2006 8:44 AM (in response to jsb)

jsb,

Your problem is simular to post http://www.jboss.com/index.html?module=bb&op=viewtopic&t=79102.
I would say, either provide increased logic in your login form/servlet to know which way to display itself, or make them uniform.

The only way to get the servlet container to know about authentication is to let it handle it.

As an aside, I think it is poor design to use org.jboss.security.SecurityAssociation.getPrincipal() to see if user is logged in. Look at the servlet API, specifically, HttpServletRequest.

have a great day, cgriffith
Actions