I'm attempting to perform a JAAS login via a servlet. I'm not using a FORM based login, but I'm passing the username and password as request parameters. I'm going off examples in the Java Servlet & JSP Cookbook, but here is a code snippet:
The authentication works and my custom LoginModule class sets separate User and Role Principals in the Subject, however it doesn't seem to be maintained in the session - when I try to access other pages in the protected resource it won't let me. Calling request.isUserInRole() and getUserPrincipal() returns false and null, respectively.
Is there a session attribute I have to manually set when authentication succeeds, for this to work? Or shouldn't JAAS do that automatically?
JAAS has got nothing to do with HttpSessions; you yourself need to take care of the authenticated Subject which you get out of the process that you have mentioned.
I guess that by protected resource you mean the protection that you give to your application resources through mapping appropriately in web.xml. If that is the case then those have to go through the mechanism mentioned by the container vendor.
I am not sure but if you are using Tomcat 5 and above then you might want to use JAAS realm.
Yes, I've defined a protected resource in web.xml. I've experimented with FORM based login and it works, that is isUserInRole() and getUserPrincipal() works as it should.
The thing is, in the web application rather than trying to access a protected resource directly, via a url link, a user first goes to a login page to access the resource - the servlet authenticates the user then forwards to the appropriate url, at least that's how I want it to work (I can access the forwarded page, but trying to access other pages in the protected area fails). With FORM I can't access the login page directly.
When you use container-based authentication you have to set some realm that does the actual authentication. Even if you set it up for Form-based authentication you still have to specify what the approach for authentication will be.
Which servlet container and which realm are you using?
If I define protected areas in the web.xml, does that mean I have to implement a login-config as well? i.e. a FORM login.
Using JAAS in a servlet, like I originally did, is that not considered 'container-based authentication'? (And therefore I'm not able to call isUserInRole()?)
I'm thinking that my best approach at the moment is to go with my original JAAS servlet and, if the user is authenticated, store the Subject as a session attribute. Then attach a filter to the servlets that access 'protected' areas, which checks the session subject attribute for the required role. (most access to protected resources in my webapp is through servlets, rather than direct url links).