
JAAS login servlet

 
Alan Richardson
Hello all,

I'm attempting to perform a JAAS login via a servlet. I'm not using a FORM based login, but I'm passing the username and password as request parameters. I'm going off examples in the Java Servlet & JSP Cookbook, but here is a code snippet:



The authentication works and my custom LoginModule class sets separate User and Role Principals in the Subject, however it doesn't seem to be maintained in the session - when I try to access other pages in the protected resource it won't let me. Calling request.isUserInRole(), getUserPrincipal() returns false and null, respectively.

Is there a session attribute I have to manually set when authentication succeeds, for this to work? Or shouldn't JAAS do that automatically?
 
Rahul Bhattacharjee
Hi Alan Sunley:

Here is my best shot.

JAAS has got nothing to do with HTTPSessions; you yourself need to take care of the authenticated Subject which you get out of the process that you have mentioned.

I guess that by protected resource you mean the protection that you give to your application resources through mapping appropriately in web.xml. If that is the case then those have to go through the mechanism mentioned by the container vendor.

I am not sure, but if you are using Tomcat 5 and above then you might want to use the JAAS realm.
 
Alan Richardson
Thanks Rahul,

Yes, I've defined a protected resource in web.xml. I've experimented with FORM based login and it works, that is, isUserInRole() and getUserPrincipal() work as they should.

The thing is, in the web application, rather than trying to access a protected resource directly via a URL link, a user first goes to a login page to access the resource. The servlet authenticates the user then forwards to the appropriate URL; at least that's how I want it to work (I can access the forwarded page, but trying to access other pages in the protected area fails). With FORM I can't access the login page directly.
 
Rahul Bhattacharjee
When you use container based authentication then you have to set some realm that does the actual authentication. Even if you set it for Form based authentication, you still have to set what the approach for authentication would be.

Which servlet container and which realm are you using?
 
Alan Richardson
I'm using Tomcat 5.5 and have a JAASRealm set in META-INF/context.xml:



If the JAASRealm is being used I don't understand why isUserInRole() won't work.
[ September 09, 2007: Message edited by: Alan Sunley ]
 
Alan Richardson
A few questions, if I may:

If I define protected areas in the web.xml, does that mean I have to implement a login-config as well? i.e. a FORM login.

Using JAAS in a servlet, like I originally did, is that not considered 'container-based authentication'? (and therefore I'm not able to call isUserInRole()? ).


I'm thinking that my best approach at the moment is to go with my original JAAS servlet and, if the user is authenticated, store the Subject as a session attribute. Then attach a filter to the servlets that access 'protected' areas, which checks the session Subject attribute for the required role (most access to protected resources in my webapp is through servlets, rather than direct URL links).

Would that be bad practice though?
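The filter approach described in the post above, written out as an added example that is not code from the thread or from the Servlet & JSP Cookbook. It assumes the custom LoginModule adds a hypothetical RolePrincipal to the Subject, that the login servlet stores the Subject under the session attribute name jaas.subject, and that the required role and login URL are supplied as filter init-params in web.xml.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical role Principal, standing in for the one the custom LoginModule sets. */
class RolePrincipal implements Principal, java.io.Serializable {
    private final String name;
    public RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

/** Guards a servlet by checking the JAAS Subject stored in the HttpSession (Servlet 2.4 style). */
public class SubjectRoleFilter implements Filter {
    public static final String SUBJECT_ATTR = "jaas.subject"; // assumed attribute name
    private String requiredRole;
    private String loginPath;

    /** Called by the login servlet after LoginContext.login() succeeds: rotates the session id first. */
    public static void storeAuthenticatedSubject(HttpServletRequest request, Subject subject) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();          // discard pre-login session (session fixation)
        request.getSession(true).setAttribute(SUBJECT_ATTR, subject);
    }

    /** True if the Subject carries a RolePrincipal whose name matches the required role. */
    static boolean hasRole(Subject subject, String role) {
        Set<RolePrincipal> roles = subject.getPrincipals(RolePrincipal.class);
        for (RolePrincipal p : roles) {
            if (p.getName().equals(role)) return true;
        }
        return false;
    }

    public void init(FilterConfig config) {
        requiredRole = config.getInitParameter("role");       // assumed init-param names
        loginPath = config.getInitParameter("loginPath");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);      // never create a session here
        Subject subject = session == null ? null : (Subject) session.getAttribute(SUBJECT_ATTR);
        if (subject == null) {                                 // not logged in: go to the login page
            response.sendRedirect(request.getContextPath() + loginPath);
        } else if (!hasRole(subject, requiredRole)) {          // logged in, wrong role
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } else {
            chain.doFilter(req, res);
        }
    }

    public void destroy() { }
}
```

Because the container knows nothing about this Subject, request.isUserInRole() and getUserPrincipal() stay false and null; protected servlets must call hasRole() (or read the Subject) themselves.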
 
Rahul Bhattacharjee
Originally posted by Alan Sunley:

Using JAAS in a servlet, like I originally did, is that not considered 'container-based authentication'? (and therefore I'm not able to call isUserInRole()? ).


True.

Let's wait for some more comments. Slow response might be due to the weekend.
All the best.
 
Guilherme Elizeire
Any news on this topic? I think you guys already waited enough hehehe
 