• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Force web app request/user through JAAS login (Bug in cache and timeout?)

 
Ranch Hand
Posts: 100
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
There is a little back story in an older post, but here is the gist.

We have a web application that uses PKI certs to control user access. Typically, we use custom JSTL libs to verify the user has the proper roles to access the requested .jsp. However, this forces us to include authentication/authorization code into every page, which isn't the best solution.

Instead, we'd like to handle this in the application server (JBoss 4.2.2 in our case). We already use a security domain for EJBs and we'd like to extend this to the web tier.

My attempt at doing this (see old post) had a few problems, but that was mostly just developer error. However, since then, I had problems forcing the users request to authenticate via the JAAS process on each web request.
For example, a user would go to http://jboss/secure/secure.jsp, and his certificate would be passed to my custom login module via HTTP header and the user would be authenticate. However, if the user then requested http://jboss/secure2.jsp, the custom login module would not be accessed. This seemed to be because JBoss caches login credentials.

That page recommends setting the default cache timeout to 0, in order to force authentication/authorization each time. While this does work for the web requests, it breaks our EJBs. If, for example, a servlet makes a single call to an EJB and then exits, it works fine. If we make a call to two EJBs, then it fails.

It is possible that this is a bug in the JAAS code within JBoss (I can't seem to find the URLs/JIRA issue that relate at this time), but my bigger question is whether this is the best way to force each web request through an authentication and authorization process? For each request, we need to verify the user has the proper roles? Is this the best way to do it? Or is there any approach I should use?

Thanks...
 
Don't get me started about those stupid light bulbs.
reply
    Bookmark Topic Watch Topic
  • New Topic