Custom Login Modules Break COTS J2EE Application

Frank Griffith

Joined: Apr 28, 2004
Posts: 10
Hello... I'm posting this here because I've already tried the OTN forum... any help is greatly appreciated...

I'm using a custom login module to authenticate users of a COTS J2EE application. The authentication works like a charm, but the COTS app breaks because it uses request.getRemoteUser() to obtain the user name for database lookups.

When the custom login is in use, request.getRemoteUser() returns "[JAZNUserAdaptor: user=theuser]" instead of simply the user name (this differs from the standard XML provider, which returns only the user name).

I used the sample login module from the Oracle documentation almost verbatim; the method is included below.

Does anyone know why getRemoteUser() returns "[JAZNUserAdaptor: user=theuser]" and not just the user name? And how to make it stop doing that?

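// Needs javax.security.auth.callback.{Callback, NameCallback, PasswordCallback}
// and javax.security.auth.login.LoginException.
public boolean login() throws LoginException {
    // _callbackHandler is an assumed name for the CallbackHandler field
    // saved in initialize(); the check and the handle() call were lost from the post.
    if (_callbackHandler == null) {
        throw new LoginException("Error: no CallbackHandler available "
                + "to garner authentication information from the user");
    }

    // Setup default callback handlers.
    Callback[] callbacks = new Callback[] { new NameCallback("Username: "),
            new PasswordCallback("Password: ", false) };

    try {
        // Let the handler fill in the user name and password.
        _callbackHandler.handle(callbacks);
    } catch (Exception e) {
        _succeeded = false;
        throw new LoginException(e.getMessage());
    }

    String username = ((NameCallback) callbacks[0]).getName();
    String password = new String(((PasswordCallback) callbacks[1]).getPassword());

    if (isValidUser(username, password)) {
        _succeeded = true;
        _password = password.toCharArray();
        _name = username;

        // Principals for the authenticated user: the user name and a role.
        _authPrincipals = new CMPrincipal[2];
        _authPrincipals[0] = new CMPrincipal(_name);
        _authPrincipals[1] = new CMPrincipal("SecurityRole");
    }

    // Clear the password held by the callback and drop the references.
    ((PasswordCallback) callbacks[1]).clearPassword();
    callbacks[0] = null;
    callbacks[1] = null;

    if (!_succeeded) {
        System.out.println("login did not succeed... throwing LoginException...");
        throw new LoginException("Authentication failed: Password does not match");
    }

    return true;
}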