2 Replies Latest reply on Jan 14, 2005 4:12 PM by Scott Stark

    JAAS Security

    Steve Buster Newbie

      Can someone explain to me how the security credentials (Subject/Principal etc.) are set on the HttpServletRequest object with respect to J2EE/JAAS? For example, most app servers use JAAS login modules to connect into an LDAP/Database. But once that authentication is done, how are those objects populated into the HttpServletRequest, so that when I call request.getUserPrincipal I get the correct objects back?


        • 1. Re: JAAS Security
          J Singh Newbie

          I am very interested in this too. I am trying to build in authentication into my webapp. It appears that the subject is lost between requests. I thought, once authenticated, a subject lasts for the duration of the session. In my scenario I invoke a protected JSP and am taken to my form based log on page. I log on no problem. I now invoke an unprotected page. I try and access the subject but a null is returned. When I again invoke a protected page I am asked to log on again! Surely this is the incorrect behaviour.

          • 2. Re: JAAS Security
            Scott Stark Master

            Read the JAAS howto where it talks about the web tier security integration. Unless you are under a URI secured via a security constraint there does not have to be a principal associated with the request.