2 Replies Latest reply on Feb 17, 2009 4:32 PM by Vijay P

    Can I create a login .war module that my other .war modules

    Andy Conn Newbie

      I have created a custom login module to authenticate against our Domino server. Rather than having to (redundantly) set up security in each and every web module, can I just deploy the login functionality as a stand-alone web module that my other web modules leverage?

      Sorry if this is a newbie question!



        • 1. Re: Can I create a login .war module that my other .war modu
          Ragav Gomatam Novice

          Answer is no. Make it a custom JAAS module & sprinkle

           Security constraint testing using custom Jaas Module
           <description>Only let the authenticated users login</description>
           <description>Determines the transport layer security</description>
           <description>The Only Secure Role</description>
           <description>Another Secure Role</description>
          tags in your web.xml and jboss-web.xml. You are set.
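
Added example, not part of the original reply: the declarative setup this answer points to, where the custom JAAS login module is declared once on the server and each web module only references it. The description texts are the ones left in the reply; the role names, URL pattern, transport guarantee, FORM login pages, security-domain name and module class are placeholders assumed for illustration.

```xml
<!-- WEB-INF/web.xml of each protected web module (fragment) -->
<security-constraint>
  <display-name>Security constraint testing using custom Jaas Module</display-name>
  <web-resource-collection>
    <web-resource-name>Protected pages</web-resource-name>  <!-- placeholder -->
    <url-pattern>/*</url-pattern>                            <!-- placeholder -->
  </web-resource-collection>
  <auth-constraint>
    <description>Only let the authenticated users login</description>
    <role-name>SecureRole</role-name>                        <!-- placeholder -->
    <role-name>AnotherSecureRole</role-name>                 <!-- placeholder -->
  </auth-constraint>
  <user-data-constraint>
    <description>Determines the transport layer security</description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>  <!-- assumed value -->
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>                            <!-- assumed method -->
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>            <!-- placeholder -->
    <form-error-page>/loginError.jsp</form-error-page>       <!-- placeholder -->
  </form-login-config>
</login-config>
<security-role>
  <description>The Only Secure Role</description>
  <role-name>SecureRole</role-name>
</security-role>
<security-role>
  <description>Another Secure Role</description>
  <role-name>AnotherSecureRole</role-name>
</security-role>

<!-- WEB-INF/jboss-web.xml of each web module: points at the shared domain -->
<jboss-web>
  <security-domain>java:/jaas/domino-login</security-domain> <!-- placeholder name -->
</jboss-web>

<!-- server/default/conf/login-config.xml: the custom module, declared once (fragment) -->
<application-policy name="domino-login">
  <authentication>
    <login-module code="com.example.DominoLoginModule" flag="required"/> <!-- placeholder class -->
  </authentication>
</application-policy>
```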

          • 2. Re: Can I create a login .war module that my other .war modu
            Vijay P Newbie

            We have a solution for Web applications deployed on the same JBoss instance to delegate Authentication to a different co-hosted web application.

            Essentially, for Web Application/Module ABC1, ABC2, a Servlet Filter checks for Request/Session parameters (for example USER_NAME, etc). If the Servlet Filter does not find a user in the request/session, then it forwards the Request to the LOGON_XYZ Web App responsible for Authentication.

            The LOGON_XYZ web application authenticates the User by validating the credentials provided by the User.

            Once the User is successfully Authenticated, the LOGON_XYZ web application a) sets the User information in the Request and b) forwards the Request to the ABC1 web application. The ABC1 Web app Servlet Filter checks and finds a User in the Request and allows the User to continue to the requested page flow.

            The Servlet Filter code is somewhat like this:

            package somepackage;

            import java.io.IOException;
            import javax.servlet.Filter;
            import javax.servlet.FilterChain;
            import javax.servlet.FilterConfig;
            import javax.servlet.RequestDispatcher;
            import javax.servlet.ServletContext;
            import javax.servlet.ServletException;
            import javax.servlet.ServletRequest;
            import javax.servlet.ServletResponse;
            import javax.servlet.http.HttpServletRequest;
            import javax.servlet.http.HttpSession;

            /**
             * MyServletFilter intercepts the host web application's requests and inspects them to verify if a User is logged in.
             * If a User is not logged in to the Host web application, the User is forwarded to the LOGON_XYZ Web application for Authentication.
             * @author parmarv
             */
            public class MyServletFilter implements Filter {
                private FilterConfig filterConfig = null;

                // This method is called once on server startup
                public void init(FilterConfig filterConfig) {
                    this.filterConfig = filterConfig;
                }

                // This method is called once on server shut down
                public void destroy() {
                    this.filterConfig = null;
                }

                public void doFilter(ServletRequest request, ServletResponse response,
                        FilterChain chain) throws IOException, ServletException {
                    // Check if Attribute for this SessionID is available in the ServletContext.
                    boolean invokeLOGON_XYZ = false;
                    if (request instanceof HttpServletRequest) {
                        // getSession() creates a session when the request has none
                        HttpSession session = ((HttpServletRequest) request).getSession();
                        if (session != null && session.isNew()) {
                            // Invoke LOGON_XYZ.
                            invokeLOGON_XYZ = true;
                        } else {
                            // Check For User in Session
                            if (session.getAttribute("USER_NAME_TOKEN_OR_ID") == null) {
                                // User is not logged in since USER_NAME_TOKEN_OR_ID is not available.
                                // Invoke LOGON_XYZ
                                invokeLOGON_XYZ = true;
                            } else {
                                // User is logged in since USER_NAME_TOKEN_OR_ID is available.
                                // Continue normal operation
                                chain.doFilter(request, response);
                                return; // the chain has run; do not fall through and run it again
                            }
                        }
                    }
                    if (invokeLOGON_XYZ) {
                        if (filterConfig != null) {
                            String appContextLOGON_XYZ = filterConfig.getInitParameter("LOGON_XYZ_CONTEXT");
                            String dispatchPath = "/ABC1_User_home.jsp";
                            ServletContext sc = this.filterConfig.getServletContext().getContext("/" + appContextLOGON_XYZ);
                            if (sc == null) {
                                // getContext() returns null when the container does not allow cross-context access
                                throw new ServletException("Cannot access context /" + appContextLOGON_XYZ);
                            }
                            RequestDispatcher rd = sc.getRequestDispatcher(dispatchPath);
                            rd.forward(request, response);
                        }
                    } else {
                        // Not an HTTP request: nothing to check, continue normal operation
                        chain.doFilter(request, response);
                    }
                }
            }

            This solution only works for Web applications that DO NOT use JBoss Container Managed Security. This solution is advisable as a workaround only. I am currently working on a solution for the same issue for my project.

            I have posted this solution only to show that it is possible to use a second web app to delegate the authentication logic to.
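
Added example, not from the original post: the deployment wiring the filter above depends on, for ABC1 on a Tomcat-based web container such as JBoss Web (assumed). The filter name, the URL pattern and the WEB-INF/context.xml placement are assumptions; the init-param value has no leading slash because the filter prepends one.

```xml
<!-- ABC1: WEB-INF/web.xml (fragment) -->
<filter>
  <filter-name>LogonDelegationFilter</filter-name>           <!-- assumed name -->
  <filter-class>somepackage.MyServletFilter</filter-class>
  <init-param>
    <!-- Read by the filter via getInitParameter("LOGON_XYZ_CONTEXT") -->
    <param-name>LOGON_XYZ_CONTEXT</param-name>
    <param-value>LOGON_XYZ</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>LogonDelegationFilter</filter-name>
  <url-pattern>/*</url-pattern>                              <!-- assumed pattern -->
</filter-mapping>

<!-- ABC1: WEB-INF/context.xml -->
<!-- Without crossContext="true", getContext("/LOGON_XYZ") returns null
     and the forward to the logon application cannot happen. -->
<Context crossContext="true"/>
```

Cross-context access lets this application obtain dispatchers into any other application on the same host, so enable it only on the modules that need the forward.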