jQuery in Action, 2nd edition*
The moose likes JBoss/WildFly and the fly likes Force web app request/user through JAAS login (Bug in cache and timeout?) Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Products » JBoss/WildFly
Bookmark "Force web app request/user through JAAS login (Bug in cache and timeout?)" Watch "Force web app request/user through JAAS login (Bug in cache and timeout?)" New topic
Author

Force web app request/user through JAAS login (Bug in cache and timeout?)

andrew ennamorato
Ranch Hand

Joined: Oct 03, 2007
Posts: 100
There is a little back story in an older post, but here is the gist.

We have a web application that uses PKI certs to control user access. Typically, we use custom JSTL libs to verify the user has the proper roles to access the requested .jsp. However, this forces us to include authentication/authorization code into every page, which isn't the best solution.

Instead, we'd like to handle this in the application server (JBoss 4.2.2 in our case). We already use a security domain for EJBs and we'd like to extend this to the web tier.

My attempt at doing this (see old post) had a few problems, but that was mostly just developer error. However, since then, I had problems forcing the users request to authenticate via the JAAS process on each web request.
For example, a user would go to http://jboss/secure/secure.jsp, and his certificate would be passed to my custom login module via HTTP header and the user would be authenticate. However, if the user then requested http://jboss/secure2.jsp, the custom login module would not be accessed. This seemed to be because JBoss caches login credentials.

That page recommends setting the default cache timeout to 0, in order to force authentication/authorization each time. While this does work for the web requests, it breaks our EJBs. If, for example, a servlet makes a single call to an EJB and then exits, it works fine. If we make a call to two EJBs, then it fails.

It is possible that this is a bug in the JAAS code within JBoss (I can't seem to find the URLs/JIRA issue that relate at this time), but my bigger question is whether this is the best way to force each web request through an authentication and authorization process? For each request, we need to verify the user has the proper roles? Is this the best way to do it? Or is there any approach I should use?

Thanks...
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Force web app request/user through JAAS login (Bug in cache and timeout?)
 
Similar Threads
Example Code for JAAS with JBoss? Got it to work by "fudging." How do Right?
Single Sign-on across web-apps
Swing client communication...
To Authors: example of a JAAS implementation
What does using JAAS buy me?