5 Replies Latest reply on Jun 13, 2006 4:13 AM by lost traveller

    Problem with Realms login module and custom principal

    lost traveller Newbie

      I'm trying to implement web application wide secruity to secure servlets and EJB's with a custom principal.

      I have Extended UsernamePasswordLoginModule:

      public class MyLoginModule extends UsernamePasswordLoginModule
       private Principal identity;
       public Principal getIdentity() {
       return identity;
       public boolean login() throws LoginException
       NameCallback name = new NameCallback("User name");
       PasswordCallback pwc = new PasswordCallback("Password",
       callbackHandler.handle(new Callback[]{name, pwc});
       String user = name.getName();
       String pass = new String(pwc.getPassword());
       identity = new MyPrincipal(user,pass);

      and I have created a realm:

      public class MyRealm extends org.apache.catalina.realm.JAASRealm
       // overrides super class implementation to return the principal that
       // was created in the login module
       protected Principal createPrincipal(String user, Subject sub)
       Set s = sub.getPrincipals(MyPrincipal.class);
       // get the principal created in the login module
       Principal p = (Principal)s.iterator().next();
       return p;

      All works fine for the duration of the first request/thread, but for subsequent requests/a new thread the username and password returned by the callback handler are null. Could someone tell me what this line of code does:

      org.jboss.web.tomcat.security.SecurityAssociationActions.setPrincipalInfo(principal, certs, subject);

      It seems to do some magic which causes the JBoss EJB layer to remember the username and credentials for subsequent calls to the LoginModule.login() method. Without it subsequent calls to the login() method have a null username and password callback values. This call is in the JBossSecurityMgrRealm but the class is protected so I can't add a call to it in MyRealm.

      Alternativly what am I doing wrong to cause the JBoss EJB layer to 'forget' the username and credential?