After you get the valid login, stick the username and password into the session and then have the filter validate that on every subsequent request into the web server.
It doesn't get put into the http request session automagically, you gotta make it happen.
Sorry, rereading what I wrote and it doesn't make sense. The Principal can be got from the request after successful authentication by calling
After successful authentication Principal is cached till the expiry of HttpSession -- no need for extra authentication till session expires.
But if you have other special requirements like preventing multiple sign on from different clients and such, then you'd have to do some work.
Sorry, rereading what I wrote and it doesn't make sense.
It indeed doesn't make sense, yet I'm having the same problem. Everything seems to work fine. The security context is even propagated correctly to the EJB container if I call an EJB in the same request, but in the next request all authentication info seems to be gone.
I'm using JBoss AS 5.1 and trying this in a very simple app with 1 page and 2 classes.
This is a common problem in JBoss AS 5.1.
If you look more closely at the session (using a debugger) you'll find that the session object internally actually does remember the login, but it's just the request object that isn't updated with this knowledge. If I'm not mistaken, EJBs also remember that you're still logged in, i.e. the security context still propagates correctly to the EJB layer, even if the request.getUserPrincipal method is already returning null.
After digging a little bit further into this, it appears that the request object only gets updated with the login data, if you have 'some' security-constraint in your web.xml. The security constraint doesn't have to make sense though. It can be a completely bogus configuration; it just has to be there.
E.g. I used the following for a project which doesn't make use of container declarative security for pages, but for which it's still necessary to have the security context in EJBs and where backing beans inspect request.isCallerInRole manually.
I added the following to web.xml:
<security-role>
    <role-name>nobody</role-name>
</security-role>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>dontexist</web-resource-name>
        <description>A pattern that does not exist</description>
        <url-pattern>/does_not_exist/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Does not exist</description>
        <role-name>nobody</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>MyRealm</realm-name>
</login-config>
After having added this to web.xml, requesting a page again after a programmatic login successfully returns the principal from the request object.
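Since the project described above uses no declarative security for its pages, the access check on each request has to be done in code and depends on the container attaching the principal to the request, which is exactly what the bogus security-constraint makes happen. The following Servlet 2.5 filter is an added example, not code from this thread; the protected path prefix, the role name, the login page and the filter-mapping that would register it in web.xml are all assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Guards every request below /admin/ by hand (the application uses no
 * declarative security for its pages). It relies on the container populating
 * the request principal on every request, which on JBoss AS 5.1 only happens
 * once some security-constraint is present in web.xml, as described above.
 * Path prefix, role name and login page are assumptions for this example.
 */
public class ManualRoleFilter implements Filter {
    private static final String PROTECTED_PREFIX = "/admin/";   // assumed
    private static final String REQUIRED_ROLE = "admin";        // assumed
    private static final String LOGIN_PAGE = "/login.jsf";      // assumed

    public void init(FilterConfig cfg) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path relative to the web application, so the check is independent of the context root.
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (!path.startsWith(PROTECTED_PREFIX)) {
            chain.doFilter(req, res);   // public page, nothing to check
            return;
        }
        // Without the web.xml workaround this is null on the second request,
        // even though the HttpSession and the EJB security context still know the user.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            // Authenticated but not authorised: fail closed rather than serving the page.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```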