Scott's howto is an excellent explanation of the use of JAAS and configuring JBoss
Login Modules, far better than most other application servers.

But it doesn't cover web-application security in much depth, and certainly not what you
are after. The need to do additional processing on a logon action or supply varied
error cases isn't covered by the standard authenticators (FORM, BASIC, DIGEST, NONE) in
Jetty/Tomcat.

So you can either:

1) Write your own FORM authenticator using
   org.apache.catalina.authenticator.FormAuthenticator as a base.
   Note how the authenticator calls context.getRealm().authenticate(username, password);
   this uses org.jboss.web.tomcat.security.JBossSecurityMgrRealm,
   which handles the JAAS logon based on the domain specified in jboss-web.xml,
   where

   <jboss-web>
           <security-domain>java:/jaas/[domainname]</security-domain>
   </jboss-web>

OR

2) Have your Struts action make its authentication calls first as a "pre-auth" before
   redirecting a user to j_security_check?j_username=user&j_password=password. The
   security check will then log them in properly and redirect back to the originally
   requested page.

BUT

It is not possible to use the web-constraint type web authorisation and isUserInRole
without going through an authenticator, mainly because when you hit a constraint page
(and getUserPrincipal and isUserInRole will only work on constraint pages) the
authenticator tries to re-auth to the security realm using cached credentials, where
JBoss then looks up the subject (principal and roles) from its cache. The thing is, in
Tomcat at least, these credentials are cached using Session.setNote by the
authenticator, so they could never be set by a Servlet like your Struts action.

It's a real pain; I'd be very glad to hear anyone else's ideas on this.

Stuart Eccles

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3842685#3842685

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3842685
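A sketch of option 1 above, as an added example that is not from the post, from Tomcat or from JBoss: a FormAuthenticator subclass that intercepts only the j_security_check submission, asks the realm itself so it can record a failure reason for the error page, and then hands a successful login back to the stock authenticator so the principal is registered and the credentials are cached via Session.setNote exactly as the post describes. It assumes the Tomcat 4.x / 5.0 Catalina API (org.apache.catalina.HttpRequest / HttpResponse) that JBoss 3.2 embedded; the signatures changed in later Tomcat versions. The package, class, session attribute key and reason codes are hypothetical.

```java
// Added example, not code from the post, Tomcat or JBoss. Targets the
// Tomcat 4.x / 5.0 Catalina API (HttpRequest/HttpResponse); later versions differ.
// Package, class name, attribute key and reason codes are hypothetical.
package com.example.web.auth;

import java.io.IOException;
import java.security.Principal;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.HttpRequest;
import org.apache.catalina.HttpResponse;
import org.apache.catalina.Realm;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.deploy.LoginConfig;

public class ReasonedFormAuthenticator extends FormAuthenticator {

    /** Session attribute the error page reads to choose a message (hypothetical name). */
    public static final String FAILURE_REASON_ATTR = "com.example.auth.failureReason";

    public static final String REASON_MISSING_FIELDS = "missing-fields";
    public static final String REASON_BAD_CREDENTIALS = "bad-credentials";

    public boolean authenticate(HttpRequest request, HttpResponse response,
                                LoginConfig config) throws IOException {
        HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
        HttpServletResponse hres = (HttpServletResponse) response.getResponse();

        // Already logged in, or not the j_security_check POST: leave it to the stock
        // FORM flow (challenge, saved-request restore, cached-credential re-auth).
        if (hreq.getUserPrincipal() != null
                || !hreq.getRequestURI().endsWith(Constants.FORM_ACTION)) {
            return super.authenticate(request, response, config);
        }

        String username = hreq.getParameter(Constants.FORM_USERNAME);
        String password = hreq.getParameter(Constants.FORM_PASSWORD);

        // 'context' is the protected Context field inherited from AuthenticatorBase.
        String reason = classify(username, password, context.getRealm());
        if (reason != null) {
            hreq.getSession(true).setAttribute(FAILURE_REASON_ATTR, reason);
            forwardToErrorPage(hreq, hres, config);
            return false;
        }

        // Credentials are good: let the stock authenticator do the real login so the
        // principal is registered and the credentials are cached with Session.setNote,
        // which a plain servlet cannot reach. The realm is consulted a second time;
        // JBoss caches the subject, so that call is a cache hit.
        hreq.getSession(true).removeAttribute(FAILURE_REASON_ATTR);
        return super.authenticate(request, response, config);
    }

    /** Returns null when the realm accepts the credentials, otherwise a reason code. */
    static String classify(String username, String password, Realm realm) {
        if (username == null || username.length() == 0
                || password == null || password.length() == 0) {
            return REASON_MISSING_FIELDS;
        }
        Principal p = realm.authenticate(username, password);
        // One code for both "unknown user" and "wrong password": the realm only
        // returns null, and distinguishing them would allow user enumeration.
        return (p == null) ? REASON_BAD_CREDENTIALS : null;
    }

    private void forwardToErrorPage(HttpServletRequest hreq, HttpServletResponse hres,
                                    LoginConfig config) throws IOException {
        RequestDispatcher disp =
            context.getServletContext().getRequestDispatcher(config.getErrorPage());
        try {
            disp.forward(hreq, hres);
        } catch (ServletException e) {
            throw new IOException("forward to error page failed: " + e.getMessage());
        }
    }
}
```

The class is registered as a Valve in the web application's context configuration in place of the standard FORM authenticator; the form-error-page named in web.xml then reads the session attribute to pick its message. Keeping the reason codes coarse is deliberate: the realm reports only success or failure, and a message that separates unknown users from wrong passwords would leak which accounts exist.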


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user

Reply via email to