• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Paul Clapham
  • Jeanne Boyarsky
  • Ron McLeod
  • Tim Cooke
Sheriffs:
  • Devaka Cooray
  • paul wheaton
  • Mark Herschberg
Saloon Keepers:
  • Tim Moores
  • Tim Holloway
  • Stephan van Hulst
  • Frits Walraven
  • Jj Roberts
Bartenders:
  • Carey Brown
  • salvin francis
  • Piet Souris

FORM based JAAS authentication. LoginHandler needs more info.

 
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I have a LoginHandler which is being called by JBoss to authenticate the login form.

The problem is, that it needs more information from the form than just the j_username and j_password.

It also needs a "company name" parameter too.

Also, it realy needs some parameters from the originally requested URL which specify some back end server details to enable the connection and login to take place. The connection to the server is cached in the HttpSession.

I can't see how to do this. An unlogged in request is intercepted before any declared Filters, and JBoss's CallbackHandler only accepts UsenameCallback, and PasswordCallback.

Before, when I used a Filter to control access, I set up my own CallbackHandler to pass into the LoginContext which accepted new subclasses of Callback so it provided access to the HttpSession (and therefore all attributes in it), so the LoginModule could do anything.

With container-managed authentication, all you get is the username and password. How can this be adequate in 100% of cases?! It's just not good enough!
 
John Smith
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Nobody has any ideas???

This is a common situation - a lot of places use more than just username/passsword.

I need access to the HttpSession in my LoginModule.
 
Ranch Hand
Posts: 293
Mac OS X Netbeans IDE Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Does this help?

http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthentication
 
John Smith
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Well spotted. I've been looking through the wiki, but unless you know what you are looking for, then finding it is pretty difficult.

Well, it works like a charm!

HOw on earth did you find that incantation? I've been harassing the posters on the jboss.org forums for a week now, and nobody, not even the JBoss developers came up with anything!
 
John Smith
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
That really saved our bacon, and we're back on track.

One problem though.

The web app does not have access to the javax.security.auth.login.LoginContext that JBoss created to perform the login.

So it cannot explicitly log out!

How does any JAAS-secured web app under JBoss ever log out?
 
Dave Salter
Ranch Hand
Posts: 293
Mac OS X Netbeans IDE Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Do you not need to invalidate the web session to log out?
 
John Smith
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Someone else suggested this to me, so I tried it.

Calling session.invalidate() does not cause the container to invoke the logout() method of my LoginModule. Even though the container called the login() and commit() methods.

This is a really strange omission. Surely, there is a way to explicitly request the container to log the current session out. The container surely maintains the LogniContext object somewhere!?

(Thanks for your help on this by the way...)
[ December 21, 2005: Message edited by: John Smith ]
 
John Smith
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Well, after much searching, I randomly stumbled across the correct incantation to be able to log out using session.invalidate():

in jboss-web.xml



So now, I can log out when they click the logout link.

Great.

Next up, how to programatically determine whether a URL is available to the current user.

I'm of course using container-managed authorization, but it's no good outputting a link only to have the user click on it, and be tipped into the error page by JBoss. I want to have a custom tag for links which does not output any HTML if the URL is not accessible to the current user.

Any ideas?

[size=9]No doubt, I'll find the incantation at some random site given enough searching...[/size
 
John Smith
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
OK, I've found it:

in my JAAS LoginModule:



So, I can pull the LogniModule out of the session anywhere, and see if any URL is going to be allowed.
 
Greenhorn
Posts: 2
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Does anyone know how we can do this in Weblogic
 
Bring out your dead! Or a tiny ad:
the value of filler advertising in 2021
https://coderanch.com/t/730886/filler-advertising
reply
    Bookmark Topic Watch Topic
  • New Topic