• Post Reply Bookmark Topic Watch Topic
  • New Topic

Force web app request/user through JAAS login (Bug in cache and timeout?)  RSS feed

andrew ennamorato
Ranch Hand
Posts: 100
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
There is a little back story in an older post, but here is the gist.

We have a web application that uses PKI certs to control user access. Typically, we use custom JSTL libs to verify the user has the proper roles to access the requested .jsp. However, this forces us to include authentication/authorization code into every page, which isn't the best solution.

Instead, we'd like to handle this in the application server (JBoss 4.2.2 in our case). We already use a security domain for EJBs and we'd like to extend this to the web tier.

My attempt at doing this (see old post) had a few problems, but that was mostly just developer error. However, since then, I had problems forcing the users request to authenticate via the JAAS process on each web request.
For example, a user would go to http://jboss/secure/secure.jsp, and his certificate would be passed to my custom login module via HTTP header and the user would be authenticate. However, if the user then requested http://jboss/secure2.jsp, the custom login module would not be accessed. This seemed to be because JBoss caches login credentials.

That page recommends setting the default cache timeout to 0, in order to force authentication/authorization each time. While this does work for the web requests, it breaks our EJBs. If, for example, a servlet makes a single call to an EJB and then exits, it works fine. If we make a call to two EJBs, then it fails.

It is possible that this is a bug in the JAAS code within JBoss (I can't seem to find the URLs/JIRA issue that relate at this time), but my bigger question is whether this is the best way to force each web request through an authentication and authorization process? For each request, we need to verify the user has the proper roles? Is this the best way to do it? Or is there any approach I should use?

It is sorta covered in the JavaRanch Style Guide.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!