2 Replies Latest reply on Feb 17, 2009 4:32 PM by Vijay P

    Can I create a login .war module that my other .war modules

    Andy Conn Newbie

      I have a created a custom login module to authenticate against our domino server. Rather than have to (redundant) setup security in each and every web module, can I just deploy the login functionality as a stand-alone web module that my other web modules leverage?

      Sorry if this is a newbie question!

      Thanks,

      Andy

        • 1. Re: Can I create a login .war module that my other .war modu
          Ragav Gomatam Novice

          Answer is no. Make it a Custom Jaas Module & sprinkle

          <security-constraint>
           <web-resource-collection>
           <web-resource-name>SecurePages</web-resource-name>
           <description>
           Security constraint testing using custom Jaas Module
           </description>
           <url-pattern>/jsp/secure.jsp</url-pattern>
           <http-method>POST</http-method>
           <http-method>GET</http-method>
           </web-resource-collection>
           <auth-constraint>
           <description>Only let the authenticated users login</description>
           <role-name>admin</role-name>
           <role-name>webAdmin</role-name>
           </auth-constraint>
           <user-data-constraint>
           <description>Determines the transport layer security</description>
           <transport-guarantee>NONE</transport-guarantee>
           </user-data-constraint>
           </security-constraint>
           <login-config>
           <auth-method>BASIC</auth-method>
           <realm-name>JaasRealm</realm-name>
           </login-config>
           <security-role>
           <description>The Only Secure Role</description>
           <role-name>admin</role-name>
           </security-role>
           <security-role>
           <description>Another Secure Role</description>
           <role-name>webAdmin</role-name>
           </security-role>
          tags in your web.xml and

          <security-domain>java:/jaas/MyJaas</security-domain>


          jboss-web.xml. You are set.

          • 2. Re: Can I create a login .war module that my other .war modu
            Vijay P Newbie

            We have a solution for Web applications deployed on same JBoss Instance to delegate Authentication to different co-hosted web application.


            Essentially For Web Application/Module ABC1, ABC2, , a Servlet Filter checks for Request/Session parameters (for example USER_NAME, etc). If the Servlet Filter does not find a user in request/session, then it forwards the Request to the LOGON_XYZ Web App responsible for Authentication.

            The LOGON_XYZ web application authenticates the User by validating the credentials provided by the User.

            Once the User is successfully Authenticated, the LOGON_XYZ web application a) Sets the User information in the Request b) forwards the Request to the ABC1 web application. The ABC1 Web app Servlet Filter checks and finds a User in the Request and allows User to continue to the requested page flow.

            The Servlet Filter code is somewhat like this


            package somepackage;
            
            import java.io.IOException;
            import javax.servlet.Filter;
            import javax.servlet.FilterChain;
            import javax.servlet.FilterConfig;
            import javax.servlet.RequestDispatcher;
            import javax.servlet.ServletContext;
            import javax.servlet.ServletException;
            import javax.servlet.ServletRequest;
            import javax.servlet.ServletResponse;
            import javax.servlet.http.HttpServletRequest;
            import javax.servlet.http.HttpSession;
            
            /**
             *
             * MyServletFilter intercepts host web applications requests inspects to verify if a User is logged in.
             * If a User is not logged in to the Host web application, the User is forwarded to the LOGON_XYZ Web application for Authentication.
             * @author parmarv
             *
             */
            
            public class MyServletFilter implements Filter {
            
            
             private FilterConfig filterConfig = null;
            
             // This method is called once on server startup
             public void init(FilterConfig filterConfig) {
             this.filterConfig = filterConfig;
             }
             // This method is called once on server shut down
             public void destroy() {
             this.filterConfig = null;
             }
            
             public void doFilter(ServletRequest request, ServletResponse response,
             FilterChain chain) throws IOException, ServletException {
            
             // Check if Attribute for this SessionID is available in the ServletContext.
             boolean invokeLOGON_XYZ = false;
             if (request instanceof HttpServletRequest) {
             HttpSession session = ((HttpServletRequest) request)
             .getSession(true);
             if (session != null && session.isNew()) {
             // Invoke LOGON_XYZ.
             invokeLOGON_XYZ = true;
             } else {
             // Check For User in Session
             if (session.getAttribute("USER_NAME_TOKEN_OR_ID") == null) {
             // User is not logged in since USER_NAME_TOKEN_OR_ID is not available.
             // Invoke LOGON_XYZ
             invokeLOGON_XYZ = true;
             }else{
             // User is logged in since USER_NAME_TOKEN_OR_ID is available.
             // Continue normal operation
             chain.doFilter(request, response);
             }
             if(invokeLOGON_XYZ){
             if (filterConfig != null) {
             String appContextLOGON_XYZ = filterConfig.getInitParameter("LOGON_XYZ_CONTEXT");
             String dispatchPath = "/ABC1_User_home.jsp";
             ServletContext sc = this.filterConfig.getServletContext().getContext("/"+appContextLOGON_XYZ);
             RequestDispatcher rd = sc.getRequestDispatcher(dispatchPath);
             rd.forward(request, response);
             return;
             }
             }
             }
             }
             chain.doFilter(request, response);
             return;
             }
            }
            
            


            This solution only works for Web application that DO NOT use JBoss Container Managed Security. This solution is advisable for a work around solution only. I am currently working on a solution for the same for the current issue for my project.

            I have posted this solution only to show that it is possible to use a second web app to delegate the authentication logic to.

            HTH,

            vparmar