I'm currently looking into using JAAS for authentication of J2EE webapps. I've got a couple of questions I haven't been able to answer while I've been setting up a test environment on Tomcat 5.5.
1. I've successfully built a JSP page that uses the j_username and j_password fields, which submit to j_security_check. I've got a class implementing LoginModule which successfully gets the username from the NameCallback and the password from the PasswordCallback handler. I've now modified my code to implement custom handlers for username and password. The HTML form is now submitting login details to a servlet which does the following:
The problem I have is that it doesn't seem that Tomcat knows that I've been authenticated (lc.login() returns a Subject with the correct user and role) and doesn't allow me to access protected pages that have been specified inside the <security-constraint> tag in web.xml. Also, request.getRemoteUser() gives me null. It seems that I'm bypassing Tomcat's authentication when I implement a LoginContext in my servlet. Everything works fine when I use the HTML form that posts directly to j_security_check. I'm not sure what's wrong or if I even can do it this way.