File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes JBoss/WildFly and the fly likes Force web app request/user through JAAS login (Bug in cache and timeout?) Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » JBoss/WildFly
Bookmark "Force web app request/user through JAAS login (Bug in cache and timeout?)" Watch "Force web app request/user through JAAS login (Bug in cache and timeout?)" New topic
Author

Force web app request/user through JAAS login (Bug in cache and timeout?)

andrew ennamorato
Ranch Hand

Joined: Oct 03, 2007
Posts: 100
There is a little back story in an older post, but here is the gist.

We have a web application that uses PKI certs to control user access. Typically, we use custom JSTL libs to verify the user has the proper roles to access the requested .jsp. However, this forces us to include authentication/authorization code into every page, which isn't the best solution.

Instead, we'd like to handle this in the application server (JBoss 4.2.2 in our case). We already use a security domain for EJBs and we'd like to extend this to the web tier.

My attempt at doing this (see old post) had a few problems, but that was mostly just developer error. However, since then, I had problems forcing the users request to authenticate via the JAAS process on each web request.
For example, a user would go to http://jboss/secure/secure.jsp, and his certificate would be passed to my custom login module via HTTP header and the user would be authenticate. However, if the user then requested http://jboss/secure2.jsp, the custom login module would not be accessed. This seemed to be because JBoss caches login credentials.

That page recommends setting the default cache timeout to 0, in order to force authentication/authorization each time. While this does work for the web requests, it breaks our EJBs. If, for example, a servlet makes a single call to an EJB and then exits, it works fine. If we make a call to two EJBs, then it fails.

It is possible that this is a bug in the JAAS code within JBoss (I can't seem to find the URLs/JIRA issue that relate at this time), but my bigger question is whether this is the best way to force each web request through an authentication and authorization process? For each request, we need to verify the user has the proper roles? Is this the best way to do it? Or is there any approach I should use?

Thanks...
 
wood burning stoves
 
subject: Force web app request/user through JAAS login (Bug in cache and timeout?)