JAAS and Tomcat container managed authentication

Sven Anderson
Ranch Hand

Joined: Apr 14, 2004
Posts: 58

I'm currently looking into using JAAS for authentication of J2EE webapps. I've got a couple of questions I haven't been able to answer while I've been setting up a test environment on Tomcat 5.5.

1. I've successfully built a JSP page that uses the j_username and j_password fields, which submit to j_security_check. I've got a class implementing LoginModule which successfully gets the username from NameCallback and password from PasswordCallback handlers. I've now modified my code, implementing custom handlers for username and password. The HTML form is now submitting login details to a servlet which does the following:

The problem I have is that it doesn't seem that Tomcat knows that I've been authenticated (lc.login() returns a Subject with correct user and role) and doesn't allow me to access protected pages that have been specified inside the <security-constraint> tag in web.xml. Also, request.getRemoteUser() gives me null. It seems that I'm bypassing Tomcat's authentication when I implement a LoginContext in my servlet. Everything works fine when I use the HTML form that posts directly to j_security_check. I'm not sure what's wrong or if I even can do it this way.

Many Thanks