3 Replies Latest reply: Nov 29, 2006 1:40 PM by Dan Lee

JAAS - Programmatic Login

faradn Newbie

Programmatic login in JBoss is very straightforward, but I'm experiencing inconsistencies between JBoss and WebSphere/WebLogic and I'm concerned that JBoss's implementation, although very easy to use, may not be J2EE compliant. I've been developing in JBoss and I'm finding difficulties porting the application because of the inconsistencies.

e.g.

In JBoss:
=========

import javax.security.auth.login.LoginContext;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

UsernamePasswordHandler handler =
    new UsernamePasswordHandler(who, password);

LoginContext lc = null;

try
{
    lc = new LoginContext("module-name", handler);
    lc.login();

    // Everything from here on is automatically associated with
    // the Subject authenticated by the login
}
catch (Exception e)
{
    // handle exception
}

In WebSphere
============

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;

WSCallbackHandlerImpl handler = new WSCallbackHandlerImpl(who, password);

LoginContext lc = null;

try
{
    lc = new LoginContext("WSLogin", handler);
    lc.login();

    // To use the authenticated user we must obtain the Subject from
    // the LoginContext and call its 'doAs()' method.

    Subject subject = lc.getSubject();
    PrivilegedEjbCall action = new PrivilegedEjbCall();
    WSSubject.doAs(subject, action);
}
catch (Exception e)
{
    // handle exception
}


WebSphere and WebLogic provide what I term 'programmatic authentication', not programmatic login. To use the authenticated user you must use the Subject class's "doAs()" method. (BTW WebSphere provide their own WSSubject to 'workaround a design oversight in Java 2 Security').

Is JBoss's implementation J2EE compliant?

I'd like to avoid the doAs() call in WebSphere too, defaulting the authentication credentials to those supplied in the preceding 'LoginContext.login()'. How is this achieved in JBoss and should this be possible in other application servers like WebSphere?

many thanks,
Ed
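
The login-then-doAs pattern from the WebSphere snippet, written against only the standard javax.security.auth API as an added example (not part of the original post and not code from JBoss or WebSphere). It passes the Subject to the action explicitly, so the action does not depend on how a container associates the Subject with the thread. DemoLoginModule, the "demo" configuration name, the runAs helper and the ed/secret credentials are constructed for illustration.

```java
import java.security.PrivilegedAction;
import java.util.Map;
import java.util.function.Function;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class PortableLogin {
    // Constructed stand-in for a server login module: accepts only ed/secret.
    public static class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> a, Map<String, ?> b) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback n = new NameCallback("user");
            PasswordCallback p = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { n, p }); } catch (Exception e) { throw new LoginException(e.toString()); }
            char[] pw = p.getPassword();
            if (pw == null || !"ed".equals(n.getName()) || !"secret".equals(new String(pw)))
                throw new FailedLoginException("bad credentials");
            user = n.getName(); return true;
        }
        // The principal is attached to the Subject only once the login has succeeded.
        public boolean commit() { String u = user; subject.getPrincipals().add(() -> u); return true; }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    // Authenticate, run the action as the Subject (passed explicitly), always log out.
    static <T> T runAs(String config, String who, char[] pw, Function<Subject, T> action) throws LoginException {
        LoginContext lc = new LoginContext(config, callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(who);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pw);
                else throw new UnsupportedCallbackException(c);
            }
        });
        lc.login();
        Subject s = lc.getSubject();
        try { return Subject.doAs(s, (PrivilegedAction<T>) () -> action.apply(s)); }
        finally { lc.logout(); }
    }
    public static void main(String[] args) throws Exception {
        Configuration.setConfiguration(new Configuration() {  // in-memory JAAS configuration
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        });
        System.out.println(runAs("demo", "ed", "secret".toCharArray(), s -> s.getPrincipals().iterator().next().getName()));
        try { runAs("demo", "ed", "wrong".toCharArray(), s -> ""); } catch (FailedLoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

On WebSphere, the WSSubject.doAs call from the snippet above would take the place of Subject.doAs inside runAs.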