1 Reply Latest reply on Jul 10, 2006 8:39 AM by Sohil Shah

    Authenticating user in servlet

    Jochen Boehringer Newbie

      Hi,

      I have a proprietary client which sends a hardware ID in the http request for authenticating the device.

      But we want to use the standard J2EE security mechanisms in our application and use the vendor neutral api request.isUserInRole() and getRemoteUser().

      So I deveolped an Authenticator extending AuthenticatorBase. This authenticator takes the device identifier from the request and looks up a username and password in a device table in the database. So I have a mapping from the device id to a username and password.
      These credentials are used to authenticate the user to the jboss security modules:

      Principal principal = realm.authenticate(username, password);
       if (principal == null) {
       response.sendError(HttpServletResponse.SC_FORBIDDEN);
       return false;
       }
      
       //Save the authenticated Principal in our session
       session.setNote(Constants.SESS_USERNAME_NOTE, principal);
       request.setUserPrincipal(principal);
       request.setAuthType("PENSERIAL");
       return true;


      This approach works, if the device id comes in the request headers of the http request. But unfortunately the device identifier is stored in a multipart request body. So I would have to access the body of the request in the authenticator. But if I access the body in the authenticator the servlet will get streaming errors accessing the body after the authenticator was executed.

      So the aproach with the authenticator does not help me. Is there a possibility to execute a login to the jboss container from inside the servlet so that the request is modified from the container to contain the principal and the isUserInRole method succeeds?

      Something like

      JBossAPI.getSecurityRealm().authenticate(username,password);


      Regards
      Jochen

        • 1. Re: Authenticating user in servlet
          Sohil Shah Master

          Jochen-

          With your custom Authenticator approach,

          did you try doing a browser redirect that sends back the same exact request information back maybe minus the deviceid information, once the authentication is successfull and the user's identity is sucessfully established within the Authenticator?

          I am thinking once the user's identity is established in the container, re-sending the browser request should not break your servlet anymore with streaming issues