We have a web application that uses PKI certs to control user access. Typically, we use custom JSTL libs to verify the user has the proper roles to access the requested .jsp. However, this forces us to include authentication/authorization code into every page, which isn't the best solution.
Instead, we'd like to handle this in the application server (JBoss 4.2.2 in our case). We already use a security domain for EJBs and we'd like to extend this to the web tier.
My attempt at doing this (see old post) had a few problems, but that was mostly just developer error. However, since then, I had problems forcing the users request to authenticate via the JAAS process on each web request.
For example, a user would go to http://jboss/secure/secure.jsp, and his certificate would be passed to my custom login module via HTTP header and the user would be authenticate. However, if the user then requested http://jboss/secure2.jsp, the custom login module would not be accessed. This seemed to be because JBoss caches login credentials.
That page recommends setting the default cache timeout to 0, in order to force authentication/authorization each time. While this does work for the web requests, it breaks our EJBs. If, for example, a servlet makes a single call to an EJB and then exits, it works fine. If we make a call to two EJBs, then it fails.
It is possible that this is a bug in the JAAS code within JBoss (I can't seem to find the URLs/JIRA issue that relate at this time), but my bigger question is whether this is the best way to force each web request through an authentication and authorization process? For each request, we need to verify the user has the proper roles? Is this the best way to do it? Or is there any approach I should use?