7 Replies Latest reply on Dec 9, 2006 12:43 PM by Scott Stark

    Programmatic Login Advice

    Paul Anderson Newbie

      Hi,

      I am running JBOSS 4.05GA and using FORM based authentication. Everything in my webapp, including the security/authentication is working fine, however, a new requirement has emerged which means that a windows application which opens up a browser and requests a page within my webapp must be able to login. I have setup a JSP for testing (not a protected resource) that accepts a username and password and attempts a programmatic login and then to redirect to the user's homepage within the webapp.

      Here is how I have been trying to get this to work.

      <%
       UsernamePasswordHandler handler = new UsernamePasswordHandler("userxxx","passwordxxx");
       LoginContext lc = null;
      
       try
       {
       lc = new LoginContext("MySecurityRealm", handler);
       lc.login();
       log.info("We're cookin on gas!");
      
       // Everything from here on should automatically be associated with
       // the Subject authenticated by the login
      
       } catch (Exception e) {
       // handle exception
       log.error(e.getMessage());
       }
      
      %>
      <c:redirect url="/homePage.do"/>
      


      I have a custom written login module within "MySecurityRealm" which inherits from DatabaseServerLoginModule and performs my webapp logins. I included debug inside the class to see what was happening and the call by lc.login() in the code above correctly calls and executes a user login within my realm (defined in my login-config.xml) and returns without error. I can see in the server logs the database queries to authenticate the user and get their roles etc. and that these all seem fine, however, I think I must be missing some code as I'm guessing that perhaps the login credentials are not being populated somewhere where they are required as the redirect to homePage.do simply sends me straight back to the normal "FORM based" login of my webapp.

      Can anyone help me out or point me in the direction of what is missing or perhaps suggest an alternative? I've heard that the Jakarta Commons HttpClient API provides methods for performing a programmatic login.... should I be using this instead?

      Any help is greatly appreciated.
      Kind Regards,
      Paul.






        • 2. Re: Programmatic Login Advice
          Paul Anderson Newbie

          Hi,

          ok, I did what Q3 in the security FAQ suggested and put in the following entry within my authentication realm

          <!-- Add this line to your login-config.xml to include the ClientLoginModule propogation -->
           <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
          


          Unfortunately this did not seem to make any difference. Here is some debug from the server log. It's the following 2 lines which I think are a hint that something is still not right.

          [org.apache.catalina.core.ApplicationDispatcher] Disabling the response for futher output
          2006-12-01 15:03:47,174 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
          


          Here is the full debug output I've taken it from the redirect to "/homePage.do" in "test.jsp" (which is performing the programmatic login) .

          Any ideas?

          2006-12-01 15:03:47,157 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ---------------------------------------------------------------
          2006-12-01 15:03:47,157 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] authType=null
          2006-12-01 15:03:47,157 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] contentLength=-1
          2006-12-01 15:03:47,157 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] contentType=text/html;charset=UTF-8
          2006-12-01 15:03:47,158 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=Pragma=No-cache
          2006-12-01 15:03:47,158 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=Cache-Control=no-cache
          2006-12-01 15:03:47,158 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=Expires=Thu, 01 Jan 1970 01:00:00 GMT
          2006-12-01 15:03:47,158 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=X-Powered-By=Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
          2006-12-01 15:03:47,158 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=Location=https://ami-test.livewire.cc/AMI/homePage.do
          2006-12-01 15:03:47,158 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] message=null
          2006-12-01 15:03:47,158 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] remoteUser=null
          2006-12-01 15:03:47,158 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] status=302
          2006-12-01 15:03:47,158 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ===============================================================
          2006-12-01 15:03:47,168 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is 9DE0C12CF880EEFBDB9282AD73EB67FA
          2006-12-01 15:03:47,168 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] REQUEST URI =/AMI/homePage.do
          2006-12-01 15:03:47,168 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] authType=null
          2006-12-01 15:03:47,168 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] characterEncoding=null
          2006-12-01 15:03:47,168 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] contentLength=-1
          2006-12-01 15:03:47,168 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] contentType=null
          2006-12-01 15:03:47,168 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] contextPath=/AMI
          2006-12-01 15:03:47,168 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] cookie=JSESSIONID=9DE0C12CF880EEFBDB9282AD73EB67FA
          2006-12-01 15:03:47,168 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=accept=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
          2006-12-01 15:03:47,168 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=accept-language=en-us
          2006-12-01 15:03:47,168 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=ua-cpu=x86
          2006-12-01 15:03:47,168 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=accept-encoding=gzip, deflate
          2006-12-01 15:03:47,168 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=user-agent=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; InfoPath.1; .NET CLR 2.0.50727)
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=host=ami-test.livewire.cc
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=connection=Keep-Alive
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=cookie=JSESSIONID=9DE0C12CF880EEFBDB9282AD73EB67FA
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] locale=en_US
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] method=GET
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] pathInfo=null
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] protocol=HTTP/1.1
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] queryString=null
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] remoteAddr=192.168.85.1
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] remoteHost=192.168.85.1
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] remoteUser=null
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] requestedSessionId=9DE0C12CF880EEFBDB9282AD73EB67FA
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] scheme=https
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] serverName=ami-test.livewire.cc
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] serverPort=443
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] servletPath=/homePage.do
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] isSecure=true
          2006-12-01 15:03:47,169 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ---------------------------------------------------------------
          2006-12-01 15:03:47,170 TRACE [org.jboss.web.tomcat.security.FormAuthValve] Enter, j_username=null
          2006-12-01 15:03:47,170 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /AMI/homePage.do
          2006-12-01 15:03:47,170 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Common Resources]' against GET /homePage.do --> false
          2006-12-01 15:03:47,170 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Legal Stuff]' against GET /homePage.do --> false
          2006-12-01 15:03:47,170 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure Content]' against GET /homePage.do --> false
          2006-12-01 15:03:47,170 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure Content]' against GET /homePage.do --> true
          2006-12-01 15:03:47,170 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Common Resources]' against GET /homePage.do --> false
          2006-12-01 15:03:47,170 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Legal Stuff]' against GET /homePage.do --> false
          2006-12-01 15:03:47,170 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure Content]' against GET /homePage.do --> false
          2006-12-01 15:03:47,170 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure Content]' against GET /homePage.do --> true
          2006-12-01 15:03:47,170 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
          2006-12-01 15:03:47,170 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint already satisfied
          2006-12-01 15:03:47,170 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
          2006-12-01 15:03:47,170 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Save request in session '9DE0C12CF880EEFBDB9282AD73EB67FA'
          2006-12-01 15:03:47,170 DEBUG [org.apache.catalina.core.ApplicationDispatcher] servletPath=/login.jsp, pathInfo=null, queryString=null, name=null
          2006-12-01 15:03:47,170 DEBUG [org.apache.catalina.core.ApplicationDispatcher] Path Based Forward
          2006-12-01 15:03:47,170 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
          2006-12-01 15:03:47,170 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
          2006-12-01 15:03:47,174 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
          2006-12-01 15:03:47,174 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
          2006-12-01 15:03:47,174 DEBUG [org.apache.catalina.core.ApplicationDispatcher] Disabling the response for futher output
          2006-12-01 15:03:47,174 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
          2006-12-01 15:03:47,174 TRACE [org.jboss.web.tomcat.security.FormAuthValve] SessionID: 9DE0C12CF880EEFBDB9282AD73EB67FA
          2006-12-01 15:03:47,174 TRACE [org.jboss.web.tomcat.security.FormAuthValve] SecurityAssociation.exception: null
          2006-12-01 15:03:47,174 TRACE [org.jboss.web.tomcat.security.FormAuthValve] Exit, username: null
          2006-12-01 15:03:47,174 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
          2006-12-01 15:03:47,174 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ---------------------------------------------------------------
          2006-12-01 15:03:47,174 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] authType=null
          2006-12-01 15:03:47,174 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] contentLength=-1
          2006-12-01 15:03:47,174 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] contentType=text/html;charset=UTF-8
          2006-12-01 15:03:47,174 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=Pragma=no-cache
          2006-12-01 15:03:47,175 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=Cache-Control=no-cache
          2006-12-01 15:03:47,175 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=Expires=Wed, 31 Dec 1969 23:59:59 GMT
          2006-12-01 15:03:47,175 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] message=null
          2006-12-01 15:03:47,175 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] remoteUser=null
          2006-12-01 15:03:47,175 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] status=200
          2006-12-01 15:03:47,175 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ===============================================================
          





          • 3. Re: Programmatic Login Advice
            Paul Anderson Newbie

            Hi,

            OK, we have a little progress, but there is still a problem.

            I changed the

            <c:redirect url="/homePage.do"/>


            to a

            <jsp:forward page="/homePage.do" />


            and now it does go from test.jsp to the user's homepage within my webapp. Also, things such the user's account balance etc along with various other beans I am putting into the users session all seem to be there, so it does seem to be doing at least some part of the login correctly. However, ALL of the images on the user's homepage do not come through, they are just placeholders. Also, and perhaps a little stranger given the fact that at least some portion of the login process seems to have worked, when you click on a link from the homepage, say "/Account.do?action=view" it again takes me straight back to the login page.

            There must be some information that is somehow not making it through to all parts of the webapp as some things are working and others are not.

            Any ideas?

            Regards,
            Paul.



            • 4. Re: Programmatic Login Advice
              Josh Bouchair Newbie

              I have tried this before with jaas automatic login and was able to login, but after the login and the redirection the security modules loose the information and the user is essentially logged out. I worked with this for about a month and finally gave up and just wrote my own security system then use jboss jaas with non public systems. If any knows how to get this working I would love to hear as well.

              • 5. Re: Programmatic Login Advice
                Paul Anderson Newbie

                Josh, I hear ya, this sounded to me like it was something that should be easily accomplished but I am struggling.

                Surely the admins on here must either know exactly how to do this, or know of a good resource to use on the web which details how to do it. To be honest, I'm astonished that more people haven't need to perform a programmatic login and that there is not a wiki page on here specifically for that.

                I understand that JAAS has tight security rules, but that shouldn't mean it is virtually impossible to work out how to log in a user programmatically from one site to another or from a windows app to a website.

                Is there anybody out there willing to share some tips and tricks on how to get this done?

                Regards,
                Paul.

                • 6. Re: Programmatic Login Advice
                  Paul Anderson Newbie

                  OK,

                  One of the "Admins" is bound to know what this is given this TRACE output.

                  Here is where you can clearly see that the programmatic login is working. It's calling my DBLoginModule, then calling the ClientLoginModule and finally forwarding to the user's homepage.

                  2006-12-05 16:58:39,703 INFO [cc.livewire.jboss.login.DBLoginModule] Entering DBLoginModule !!!!!!!!!!!!!!!!!!!!!!!!!!!!
                  2006-12-05 16:58:39,705 INFO [cc.livewire.jboss.login.DBLoginModule] Logged in user paul OK !!
                  2006-12-05 16:58:39,705 INFO [cc.livewire.jboss.login.DBLoginModule] SESSION_ID:CC617D5EB33DDF849FCCE011CC7F2661
                  2006-12-05 16:58:39,725 TRACE [org.jboss.security.ClientLoginModule] Security domain: AMIRealm
                  2006-12-05 16:58:39,725 TRACE [org.jboss.security.ClientLoginModule] Enabling restore-login-identity mode
                  2006-12-05 16:58:39,725 TRACE [org.jboss.security.ClientLoginModule] Enabling useFirstPass mode
                  2006-12-05 16:58:39,725 TRACE [org.jboss.security.ClientLoginModule] Begin login
                  2006-12-05 16:58:39,728 TRACE [org.jboss.security.ClientLoginModule] commit, subject=Subject:
                   Principal: paul
                   Principal: Roles(members:ami.reseller)
                  
                  2006-12-05 16:58:39,728 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
                   Principal: paul
                   Principal: Roles(members:ami.reseller)
                  , sc=org.jboss.security.SecurityAssociation$SubjectContext@1e13ce3{principal=,subject=6592395}
                  2006-12-05 16:58:39,728 INFO [org.apache.jsp.test_jsp] Got past the login call !!.....
                  2006-12-05 16:58:39,729 DEBUG [org.apache.catalina.core.ApplicationDispatcher] servletPath=/homePage.do, pathInfo=null, queryString=null, name=null
                  2006-12-05 16:58:39,729 DEBUG [org.apache.catalina.core.ApplicationDispatcher] Path Based Forward


                  However, the next click that is made shows some strange things in the server log. It's like the ClientLoginModule never passed on any details at all as when I click on the Logindetails.do?action=change link it automatically is refering me to login.jsp and booting me back to the login page.

                  2006-12-05 17:05:50,400 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is CC617D5EB33DDF849FCCE011CC7F2661
                  2006-12-05 17:05:50,401 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Process request for '/AMI/LoginDetails.do'
                  2006-12-05 17:05:50,401 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Checking for SSO cookie
                  2006-12-05 17:05:50,401 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] SSO cookie is not present
                  2006-12-05 17:05:50,401 TRACE [org.jboss.web.tomcat.security.FormAuthValve] Enter, j_username=null
                  2006-12-05 17:05:50,401 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /AMI/LoginDetails.do
                  2006-12-05 17:05:50,401 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure Content]' against GET /LoginDetails.do --> true
                  2006-12-05 17:05:50,401 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure Content]' against GET /LoginDetails.do --> true
                  2006-12-05 17:05:50,401 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure Content]' against GET /LoginDetails.do --> true
                  2006-12-05 17:05:50,401 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
                  2006-12-05 17:05:50,401 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint already satisfied
                  2006-12-05 17:05:50,401 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
                  2006-12-05 17:05:50,401 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Save request in session 'CC617D5EB33DDF849FCCE011CC7F2661'
                  2006-12-05 17:05:50,402 DEBUG [org.apache.catalina.core.ApplicationDispatcher] servletPath=/login.jsp, pathInfo=null, queryString=null, name=null
                  2006-12-05 17:05:50,402 DEBUG [org.apache.catalina.core.ApplicationDispatcher] Path Based Forward
                  2006-12-05 17:05:50,402 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                  2006-12-05 17:05:50,402 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                  2006-12-05 17:05:50,409 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                  2006-12-05 17:05:50,409 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                  2006-12-05 17:05:50,409 DEBUG [org.apache.catalina.core.ApplicationDispatcher] Disabling the response for futher output
                  2006-12-05 17:05:50,409 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
                  2006-12-05 17:05:50,409 TRACE [org.jboss.web.tomcat.security.FormAuthValve] SessionID: CC617D5EB33DDF849FCCE011CC7F2661
                  2006-12-05 17:05:50,409 TRACE [org.jboss.web.tomcat.security.FormAuthValve] SecurityAssociation.exception: null
                  2006-12-05 17:05:50,409 TRACE [org.jboss.web.tomcat.security.FormAuthValve] Exit, username: null
                  2006-12-05 17:05:50,409 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
                  


                  Surely this must be enough info for someone to have a clue as to what the problem is?

                  Here's hoping.
                  Kind Regards,
                  Paul.



                  • 7. Re: Programmatic Login Advice
                    Scott Stark Master

                    You cannot affect the web container security context via programatic login from the web component level. If you want to interact with the security context you need to integrate with the web container using either a tomcat valve, or a custom authenticator.

                    In general it does not make sense for you do be able to do a jaas login in the context of a web app call. Session ids needs to be correlated, and authentication mechanisms like CLIENT-CERT and DIGEST require that the container interact with the caller side.

                    http://wiki.jboss.org/wiki/Wiki.jsp?page=CustomizingSecurityUsingValves
                    http://wiki.jboss.org/wiki/Wiki.jsp?page=ExtendedFormAuthenticator
                    http://wiki.jboss.org/wiki/Wiki.jsp?page=ExternalizeTomcatAuthenticators