1 Reply Latest reply on Apr 21, 2006 8:17 AM by chris griffith

    custom login and web.xml declarative security

    - - Newbie

      ive searched and read a lot but havenot found a solution.

      the question is if you use custom login and not j_security_check then How to associate security credentials with web container so that declarative security in web.xml still works??

      - jboss 4.0.3SP1 with bundled tomcat 5.5

      - i set up tomcat to delegate security[user authentication and declarative url patterns in web.xml] to jboss using jaas DatabaseServerLoginModule.
      this works fine with login using FORM method[web.xml] and j_security_check.

      - but i want to control the login process but theres no way to intecept pre and post of j_security_check.

      - so i still use FORM method but instead of calling j_security_check, i post to my login action which simply uses the jaas setup described above. this works fine but How to tell web container to
      associate security credentials(subject ,principals, etc) of the login to apply on declarative security of url patterns in web.xml??

        • 1. Re: custom login and web.xml declarative security
          chris griffith Expert


          Tomcat's Container Managed Authentication mechanism can not be controllded (for a good reason) by a web application. The idea is that the container provides these services to applications. The applications then can ask to use them. Furthermore Java's servlet spec does not specify how a container is to implement these services, only that they must be provided. If you want to alter the way Tomcat does authentication/authorization, then you need to alter the container's security layer. In order to do that, you will need to dig into the Tomcat code to understand how it works. If you need pointers, let me know.

          happy coding, cgriffith