JAAS login servlet

Alan Richardson
Greenhorn

Joined: Mar 05, 2007
Posts: 17
Hello all,

I'm attempting to perform a JAAS login via a servlet. I'm not using a FORM based login, but I'm passing the username and password as request parameters. I'm going off examples in the Java Servlet & JSP Cookbook, but here is a code snippet:



The authentication works and my custom LoginModule class sets separate User and Role Principals in the Subject, however it doesn't seem to be maintained in the session - when I try to access other pages in the protected resource it won't let me. Calling request.isUserInRole(), getUserPrincipal() returns false and null, respectively.

Is there a session attribute I have to manually set when authentication succeeds, for this to work? Or shouldn't JAAS do that automatically?
Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2308
Hi Alan Sunley:

Here is my best shot.

JAAS has nothing to do with HttpSessions; you yourself need to take care of the authenticated Subject that you get out of the process you mentioned.

I guess that by "protected resource" you mean the protection that you give to your application resources through appropriate mappings in web.xml. If that is the case, then those have to go through the mechanism mentioned by the container vendor.

I am not sure, but if you are using Tomcat 5 and above then you might want to use the JAAS realm.


Rahul Bhattacharjee
LinkedIn - Blog
Alan Richardson
Greenhorn

Joined: Mar 05, 2007
Posts: 17
Thanks Rahul,

Yes, I've defined a protected resource in web.xml. I've experimented with FORM based login and it works, that is isUserInRole() and getUserPrincipal() works as it should.

The thing is, in the web application rather than trying to access a protected resource directly, via a url link, a user first goes to a login page to access the resource - the servlet authenticates the user then forwards to the appropriate url, at least that's how I want it to work (I can access the forwarded page, but trying to access other pages in the protected area fails). With FORM I can't access the login page directly.
Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2308
When you use container-based authentication you have to set some realm that does the actual authentication. Even if you set it up for FORM-based authentication, you still have to specify what the approach for authentication will be.

Which servlet container and which realm are you using?
Alan Richardson
Greenhorn

Joined: Mar 05, 2007
Posts: 17
I'm using Tomcat 5.5 and have a JAASRealm set in META-INF/context.xml:



If the JAASRealm is being used I don't understand why isUserInRole() won't work.
[ September 09, 2007: Message edited by: Alan Sunley ]
Alan Richardson
Greenhorn

Joined: Mar 05, 2007
Posts: 17
A few questions, if I may:

If I define protected areas in the web.xml, does that mean I have to implement a login-config as well? i.e. a FORM login.

Using JAAS in a servlet, like I originally did, is that not considered 'container-based authentication'? (and therefore I'm not able to call isUserInRole()?)


I'm thinking that my best approach at the moment is to go with my original JAAS servlet and, if the user is authenticated, store the Subject as a session attribute. Then attach a filter to the servlets that access 'protected' areas, which checks the session subject attribute for the required role. (most access to protected resources in my webapp is through servlets, rather than direct url links).

Would that be bad practice though?
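The approach proposed in the post above (programmatic JAAS login in a servlet, the Subject stored as a session attribute, and a Filter that checks the session Subject for a role), written out as an added example. This is not code from the original thread or from the Cookbook; it assumes a JAAS configuration entry named "WebLogin", a custom LoginModule that populates the Subject with a `UserPrincipal` and one `RolePrincipal` per role (both hypothetical class names with a `getName()` method), and the javax.servlet API of Tomcat 5.5. Because the container never sees this login, `request.isUserInRole()` and `getUserPrincipal()` keep returning false and null; only the filter enforces access.

```java
// --- JaasLoginServlet.java ---
// Added example, not from the original post. Performs a JAAS login with the
// username/password request parameters and stores the Subject in the session.
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.*;

public class JaasLoginServlet extends HttpServlet {
    static final String SUBJECT_ATTR = "jaas.subject";
    static final String JAAS_ENTRY = "WebLogin"; // assumed entry name in login.config

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        final String user = req.getParameter("username");
        String pw = req.getParameter("password");
        final char[] pass = pw == null ? new char[0] : pw.toCharArray();

        // Feeds the request parameters to whatever callbacks the LoginModule asks for.
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(pass);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };

        try {
            LoginContext lc = new LoginContext(JAAS_ENTRY, handler);
            lc.login(); // throws LoginException on failure

            // Rotate the session id before storing the authenticated Subject. Reusing
            // the pre-login session would leave the application open to session fixation.
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            req.getSession(true).setAttribute(SUBJECT_ATTR, lc.getSubject());
            resp.sendRedirect(req.getContextPath() + "/protected/home"); // assumed target
        } catch (LoginException e) {
            // One generic message: distinguishing "unknown user" from "bad password"
            // would reveal which accounts exist.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
        } finally {
            Arrays.fill(pass, '\0'); // do not keep the cleartext password around
        }
    }
}

// --- RoleFilter.java ---
// Added example, not from the original post. Map this filter in web.xml to the
// servlets that serve 'protected' areas, with an init-param "role" naming the
// RolePrincipal that must be present in the session Subject.
class RoleFilter implements Filter {
    private String requiredRole;

    public void init(FilterConfig cfg) {
        requiredRole = cfg.getInitParameter("role");
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        HttpSession session = req.getSession(false); // never create a session here
        Subject subject = session == null
                ? null
                : (Subject) session.getAttribute(JaasLoginServlet.SUBJECT_ATTR);

        if (subject == null) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp"); // assumed login page
            return;
        }
        if (!hasRole(subject, requiredRole)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // authenticated, not authorised
            return;
        }
        chain.doFilter(request, response);
    }

    // Looks for a RolePrincipal (hypothetical class set by the custom LoginModule)
    // whose name matches the required role.
    static boolean hasRole(Subject subject, String role) {
        if (role == null) {
            return false; // a misconfigured filter must fail closed
        }
        for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) {
            if (role.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }
}
```

Two points worth keeping in mind with this design: the filter has to cover every path into the protected area (a `<security-constraint>` in web.xml is not consulted, so a JSP reachable by direct URL but not behind the filter is unprotected), and the Subject lives only in this JVM's session, so anything that already relies on the container's notion of the caller, such as `isUserInRole()` in a JSP tag or a role-based EJB call, will not see it. If those matter, the container-managed route (Tomcat's JAASRealm plus a `<login-config>`) is the one that makes them work.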
Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2308
Originally posted by Alan Sunley:

Using JAAS in a servlet, like I originally did, is that not considered 'container-based authentication'? (and therefore I'm not able to call isUserInRole()? ).


True.

Let's wait for some more comments. The slow response might be due to the weekend.
All the best.
Guilherme Elizeire
Greenhorn

Joined: Jun 16, 2011
Posts: 1
Any news on this topic? I think you guys have already waited enough hehehe