7 Replies Latest reply on May 25, 2006 10:46 AM by James Rhodes

    JAAS Container managed versus code managed auth

    James Rhodes Newbie

      Hi all,
      I'm new to JBoss as well as the idea of "container managed" login authentication using stuff like web.xml to protect resources. I come from a java shop that still uses stone knives and bear skins, and handles all things like login and resource protecting in the code using session based cookie solution.
      I've have used JAAS, based on this article:
      http://www.javaworld.com/javaworld/jw-09-2002/jw-0913-jaas.html
      and some of this code:
      http://www.javaworld.com/javaworld/jw-09-2002/jaas/jw-0913-jaas.zip

      I am using this successfully using the Resin application server, but JBoss doesn't like it.

      Basically, I've wrapped the login process in a java bean that gets called on every jsp. The code in the bean checks to make sure the user has a valid session and if not, then it sends them to the login screen. When the user logs in from the log in screen, the Login bean actually uses JAAS to call my custom LoginModule to log the user in, then it sets my SessionLoginContext in the http session as an attribute.
      Each call to the a subsequent page the bean calls "checklogin" which gets the login context from the session and checks to be sure the session has the proper role. if it does, the app carries on, if not, it makes the user log in again.

      I know this may be counter to the container managed way, but it works great and once the user is logged in, they stay logged in until the session goes away. Can I get the same sort of functionality using the container managed way? Can someone please help me figure out where to start. If you see my other post, I have made attempts to configure my custom login module, but Jboss is having trouble recognizing it. That is a separate issue. I'm looking for a good pattern to follow I guess, to use JAAS with http sessions or something like it using the container.

      Thanks!

      B