3 Replies Latest reply on Nov 29, 2006 1:40 PM by danlee

    JAAS - Programmatic Login

    faradn

      Programmatic login in JBoss is very straightforward but I'm experiencing inconsistencies between JBoss and WebSphere/WebLogic and I'm concerned that JBoss's implementation, although very easy to use, may not be J2EE compliant. I've been developing in JBoss and I'm finding difficulties porting the application because of the inconsistencies.

      eg.

      In JBoss:
      =========

      import javax.security.auth.login.LoginContext;
      import org.jboss.security.auth.callback.UsernamePasswordHandler;

      UsernamePasswordHandler handler =
          new UsernamePasswordHandler(who, password);

      LoginContext lc = null;

      try
      {
          lc = new LoginContext("module-name", handler);
          lc.login();

          // Everything from here on is automatically associated with
          // the Subject authenticated by the login
      }
      catch (Exception e)
      {
          // handle exception
      }

      In WebSphere
      ============

      import javax.security.auth.Subject;
      import javax.security.auth.login.LoginContext;
      import com.ibm.websphere.security.auth.WSSubject;
      import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;

      WSCallbackHandlerImpl handler = new WSCallbackHandlerImpl(who, password);

      LoginContext lc = null;

      try
      {
          lc = new LoginContext("WSLogin", handler);
          lc.login();

          // To use the authenticated user we must obtain the Subject from
          // the LoginContext and call its 'doAs()' method.

          Subject subject = lc.getSubject();
          PrivilegedEjbCall action = new PrivilegedEjbCall();
          WSSubject.doAs(subject, action);
      }
      catch (Exception e)
      {
          // handle exception
      }


      WebSphere and WebLogic provide what I term 'programmatic authentication', not programmatic login. To use the authenticated user you must use the Subject class's "doAs()" method. (BTW WebSphere provide their own WSSubject to 'workaround a design oversight in Java 2 Security').

      Is JBoss's implementation J2EE compliant?

      I'd like to avoid the doAs() call in WebSphere too, defaulting the authentication credentials to those supplied in the preceding 'LoginContext.login()'. How is this achieved in JBoss and should this be possible in other application servers like WebSphere?

      many thanks,
      Ed

        • 1. Re: JAAS - Programmatic Login

          > Is JBoss's implementation J2EE compliant?

          Yes. The J2EE specification does not say how the programmatic login to a J2EE component should be made. This is application server specific.

          -- Juha

          • 2. Re: JAAS - Programmatic Login

            JBoss has the client-login module that attaches the subject to the thread.

            JBoss currently does not use JAAS for authorization, only for authentication; this is planned for jboss4.

            Regards,
            Adrian

            • 3. Re: JAAS - Programmatic Login
              danlee

              I am using the latest release JBoss App Server 4.0.5 GA. The JAAS/doAs behavior described in this article is still present in 4.0.5. Is there any new plan to fix this behavior?