1 Reply Latest reply on Feb 14, 2003 5:49 PM by Don Lind

    JAAS Question

    Don Lind Newbie

      I authenticate through JAAS. That works fine. And, after authenticating, the JSP page can get to an EJB and then into my JCA adapter and the JAAS subject is there or the JCA adapter and everything works fine.

      But, on subsequent page hits, there's no JAAS subject to be found. I'd *expect* that once I'd been authenticated, that *somehow* JBoss would associate my credentials with "me" (or my session or my IP address or something) and they'd be automatically available on "my" subsequent page hits without me having to do anything.

      My JSP not very elegant... it's a simple test...
      For test purposes, I've defined a single JSP that accepts an "action" parameter to decide what to do.

      In pseudo code, my JSP looks like this:

      LoginContext lc = null;
      InitialContext ic = null;

      if action="prompt" {
      <spit out a simple HTML form to accept id/pwd>
      ... and the button sets the action param to "validate"
      }

      if action="validate" {
      CallbackHandler cbh =
      new CallbackHandler(params from the prompt form)
      lc = new LoginContext("eProcessClientRealm", cbh);
      lc.login();
      ... spit out a button that sets the action param to "query"
      }

      if action="query" }
      ic = new InitialContext();

      TestHome home = (TestHome)ic.lookup
      ("java:comp/env/TestBean");
      test = home.create();
      bean_results = test.mytest("", ""); // call the bean
      ... generate html for results...
      }

      if (action = "logout") {
      lc.logout();
      }

      If I put the code in the "query" block within the "validate" block everything works fine (the JAAS stuff is handled perfectly). But if I code it as above, where after the "validate" step, I make another page hit to get to the bean to run, I get a "principal=null" exception. And, I can see that org.jboss.security.SecurityAssociation.principal is indeed null, as are the Principals and Credentials within my Subject.

      I'm relatively new to JAAS and JSPs... I could write the code to store the name/password info in a cookie, or keep it in hidden params for each JSP page call... but surely, that's what JAAS is supposed to do for me automatically?

      Right?

      Any ideas on what I might be configuring incorrectly?

      Or am I just expecting things from JAAS that aren't there?

      Thanks!

      Don

        • 1. Re: JAAS Question
          Don Lind Newbie

          OK... I found the answer.

          I don't want <auth-method>BASIC</auth-method> in web.xml. I want <auth-method>FORM</auth-method>.

          Specifying FORM (and adding references to a login.html and an error.html) is what triggers the app server to do recognize that I'm logged in on this session. Then, subsequent page hits work fine.

          That also means that in my jsp, I can skip the "prompt" and "validate" steps... that mean's that I don't bother with getting the LoginContext and creating a callback handler and doing the login call. JBoss takes care of that for me now. Plus, I get my credentials managed the way I wanted (over multiple page hits).

          This reference was helpful:
          http://www.luminis.nl/publications/websecurity.html

          Hope this helps others sometime...

          Don