Version 10

    Web Authentication (Programmatic Web Login)


    Author : Anil Saldhana

    Availability: JBoss 4.2.0.GA onwards

    Users sometimes want to authenticate against the web container from their own web components, e.g. servlets. The new class called "" can be used for this purpose.


    API Description

    public boolean login(X509Certificate[] certs)

    Can be used for the CLIENT-CERT scenario

    public boolean login(String username, Object credential)

    Can be used for the DIGEST, FORM or BASIC scenarios

    public void logout()

    Logs the user out: disassociates the principal from the request as well as from the session



    //Get the user name and password from the attributes of your FORM post
    String username = request.getParameter("username"); //username can be any attribute
    String pass = request.getParameter("pass"); //pass can be any attribute
    if(username == null || pass == null)
       throw new RuntimeException("username or password is null");
    WebAuthentication pwl = new WebAuthentication();
    //login() returns false when the credentials are rejected, so check the result
    if(!pwl.login(username, pass))
       throw new ServletException("Programmatic login failed for user " + username);
    //The principal only becomes visible on the request after a successful web login
    log("User Principal="+request.getUserPrincipal());
    //Some basic checks to see if the user who just did a programmatic login has a role of "AuthorizedUser"
    log("isUserInRole(Authorized User)="+request.isUserInRole("AuthorizedUser"));
    if(request.getUserPrincipal() == null || !request.isUserInRole("AuthorizedUser"))
       throw new ServletException("User is not authenticated or the isUserInRole check failed");
    //Log the user out; afterwards neither the principal nor the role may be visible
    pwl.logout();
    if(request.getUserPrincipal() != null || request.isUserInRole("AuthorizedUser"))
       throw new ServletException("User is still authenticated or pass: isUserInRole(Authorized User)");
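    A complete servlet built on the same three calls, added here as an example that is not from the original page or the JBoss project: it handles the CLIENT-CERT path through login(X509Certificate[]) when the container presents a client certificate chain, falls back to the username/password path otherwise, checks login()'s return value instead of assuming success, and logs the user out again if the role check fails. The fully qualified class name org.jboss.web.tomcat.security.login.WebAuthentication, the role name AuthorizedUser, the "action" parameter and the parameter names are assumptions; javax.servlet.request.X509Certificate is the standard Servlet attribute under which the container exposes the client's certificate chain.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed package for the JBoss 4.2 WebAuthentication class (not stated on the page).
import org.jboss.web.tomcat.security.login.WebAuthentication;

/**
 * POST with action=logout  -> programmatic logout
 * any other POST           -> programmatic login (client certificate if present,
 *                             otherwise the username/pass form fields)
 */
public class ProgrammaticLoginServlet extends HttpServlet {

    // Role the application requires; assumed name, matching the page's example.
    private static final String REQUIRED_ROLE = "AuthorizedUser";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        WebAuthentication auth = new WebAuthentication();

        if ("logout".equals(request.getParameter("action"))) {
            auth.logout();
            // After logout the container must no longer expose a principal on the request.
            if (request.getUserPrincipal() != null) {
                throw new ServletException("logout did not clear the principal");
            }
            response.setContentType("text/plain");
            response.getWriter().println("logged out");
            return;
        }

        boolean authenticated;
        // CLIENT-CERT scenario: when mutual TLS was negotiated the container exposes the
        // client's chain under this standard Servlet request attribute.
        X509Certificate[] certs = (X509Certificate[])
                request.getAttribute("javax.servlet.request.X509Certificate");
        if (certs != null && certs.length > 0) {
            authenticated = auth.login(certs);
        } else {
            // FORM/BASIC/DIGEST-style scenario: credentials come from the POST body.
            String username = request.getParameter("username");
            String pass = request.getParameter("pass");
            if (username == null || pass == null) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing credentials");
                return;
            }
            authenticated = auth.login(username, pass);
        }

        // login() returns false on rejected credentials; do not infer success from the
        // absence of an exception, and re-check what the container actually associated.
        if (!authenticated || request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "authentication failed");
            return;
        }

        // Authentication is not authorization: enforce the role before serving anything,
        // and drop the freshly associated principal if the user does not hold it.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            auth.logout();
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing role " + REQUIRED_ROLE);
            return;
        }

        response.setContentType("text/plain");
        response.getWriter().println("logged in as " + request.getUserPrincipal().getName());
    }
}
```

    The certificate branch relies on the container having already validated the chain during the TLS handshake (the attribute is only populated for a negotiated client certificate), so the servlet itself never inspects or trusts certificate contents; the user/password branch deliberately reports the same 401 for an unknown user and a wrong password.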


    Programmatic Single Sign On


    Starting with JBoss 4.2.3 an SSO token can be automatically generated when a client is authenticated by the


    class. This means that applications that do programmatic authentication are now capable of associating an SSO token to the client's session, allowing its clients to interact with other SSO-enabled applications without the need to re-authenticate. This capability is enabled by the configuration of an SSO valve, as follows:


    JBoss 4.2.3 onwards: edit the deploy/jboss-web.deployer/server.xml file and include the



        <Valve className="" debug="0"></Valve>

    Note: make sure the standard


    valve is not active, as the


    valve extends this valve, and thus provides all SSO functionality needed.


    JBoss 5.0.0.Beta3 onwards: edit the deployers/jbossweb.deployer/server.xml file and just uncomment the standard



        <!-- Uncomment to enable single sign-on across web apps deployed to this host.
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="0"></Valve>
        -->

    No special valve is needed on JBoss 5.X because some changes were made that allowed the


    to delegate SSO behavior directly to the standard




    Needless to say, when a client performs a programmatic logout the SSO token is disassociated from the client's session, just like a regular SSO logout.

