Custom Login Modules Break COTS J2EE Application

Frank Griffith

Joined: Apr 28, 2004
Posts: 10
Hello... I'm posting this here because I've already tried the OTN forum... any help is greatly appreciated...

I'm using a custom login module to authenticate users of a COTS J2EE application. The authentication works like a charm, but the COTS app breaks because it uses request.getRemoteUser() to obtain the user name for database lookups.

When the custom login is in use, request.getRemoteUser() returns "[JAZNUserAdaptor: user=theuser]" instead of simply the user name (this differs from the standard XML provider, which returns only the user name).

I used the sample login module from the Oracle documentation almost verbatim; the method is included below.

Does anyone know why getRemoteUser() returns "[JAZNUserAdaptor: user=theuser]" and not just the user name? And how to make it stop doing that?

    public boolean login() throws LoginException {
        // Guard restored: the field name _callbackHandler is assumed (it is not shown in the post).
        if (_callbackHandler == null) {
            throw new LoginException("Error: no CallbackHandler available "
                    + "to garner authentication information from the user");
        }

        // Setup default callback handlers.
        Callback[] callbacks = new Callback[] { new NameCallback("Username: "),
                new PasswordCallback("Password: ", false) };

        try {
            // Ask the container to fill in the user name and password.
            _callbackHandler.handle(callbacks);
        } catch (Exception e) {
            _succeeded = false;
            throw new LoginException(e.getMessage());
        }

        String username = ((NameCallback) callbacks[0]).getName();
        String password = new String(((PasswordCallback) callbacks[1]).getPassword());

        if (isValidUser(username, password)) {
            _succeeded = true;
            _password = password.toCharArray();
            _name = username;

            // One principal for the user name, one for the role.
            _authPrincipals = new CMPrincipal[2];
            _authPrincipals[0] = new CMPrincipal(_name);
            _authPrincipals[1] = new CMPrincipal("SecurityRole");
        }

        // Clear the password held by the callback and drop the references.
        ((PasswordCallback) callbacks[1]).clearPassword();
        callbacks[0] = null;
        callbacks[1] = null;

        if (!_succeeded) {
            System.out.println("login did not succeed... throwing LoginException...");
            throw new LoginException("Authentication failed: Password does not match");
        }

        return true;
    }
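
One possible workaround for the symptom described in the post, as an added example that is not part of the original thread and not Oracle's code: a servlet filter that wraps the request so getRemoteUser() hands the COTS code the bare user name. The class name and the wrapper format (taken from the single sample string in the post) are assumptions, and the filter does not explain why the container returns the adaptor string.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter (name assumed): unwraps the adaptor string before the application reads it. */
public class RemoteUserNormalizingFilter implements Filter {

    // Anchored at both ends so only the exact wrapper form quoted in the post is rewritten;
    // a partial match must never be turned into a different identity.
    private static final Pattern WRAPPED =
            Pattern.compile("^\\[JAZNUserAdaptor: user=(.+)\\]$");

    /** Returns the bare user name, or the input unchanged when it is not in the wrapped form. */
    static String unwrap(String remoteUser) {
        if (remoteUser == null) {
            return null; // unauthenticated request: keep the servlet contract
        }
        Matcher m = WRAPPED.matcher(remoteUser);
        return m.matches() ? m.group(1) : remoteUser;
    }

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            // Only getRemoteUser() is overridden; every other method delegates to the container.
            req = new HttpServletRequestWrapper((HttpServletRequest) req) {
                public String getRemoteUser() {
                    return unwrap(super.getRemoteUser());
                }
            };
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The filter has to be mapped in the application's web.xml ahead of the servlets that call getRemoteUser(). getUserPrincipal() is left untouched, so code that reads the principal directly still sees the container's object.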