I'm unable to find out a way to do programmatic authentication to the web container in JBoss. I see such facility is availaible in WebLogic using ServletAuthentication. and in Sun's AS81 using ProgrammaticLogin classes. These will authenticates the user, logs in the user, and associates the user with the current session so that the user is registered in the default (active) security realm. Once the login is completed, it appears as if the user logged in using the standard mechanism.
Is there any such option available in JBoss or a way to do it?
Use the JaasSecurityManager from JNDI/MBeanServer.
I'm able to do JAAS Login programmatically and seeing correct values for getCallerPrincipal() and isCallerInRole() in EJBs. But in the web tier, getUserPrincipal() returning Null and isUserInRole() returning false. How to let web container know that the user is already authenticated (programmatically)?
Could you post more details on solving the first part of the question? I have reviewed the documentation many times, and I am comfortable in dealing with MBeans, but I don't see how to get a handle to the Realm involved which I think is what is needed.
I know a filter would also work but that really seems like overkill.
I am seriously tempted to just copy the relevant code from here:
but that seems like a pretty ugly hack.
I would be very, very grateful for any suggestions.
After a lot of time spent on this, the issue seems to be Tomcat (or arguably the Servlet specification) more than JBoss. A variant on the JassLoginFilter in the How-To works fine for accessing JBoss resources. Also as mentioned in the FAQ, #21. But there seems to be no straightforward way to log in to the Tomcat container programmatically, it is necessary to use web.xml and j_security_check etc. From what I can see online I'm not alone in my desire to find another way.
It is very nice that WebLogic and Sun provide convenience classes for this purpose. I can see though that doing this is arguably outside the scope of the application server.
At this point, I'm just going to use EJB/POJO security as provided by JBoss, and ignore things like Struts role-based security. Maybe the servlet spec will have this someday. :-)
I'm also running into a lot of problems trying to push my authenticated principal up into the web container (tomcat). I'm using JBoss+JSF+SEAM with ICEfaces and MyFaces as an application stack. Since we are using facelets posting to 'j_security_check' isn't trival because of how JSF works.
I can easily use JAAS to authenticate the EJB/POJO layers, but the web tier is proving resilient to my attempts to install the authenticated subject. I've read the thread, docs, and FAQ and like evsrao and eschulma I cannot find a workable solution.
There has to be a way to push the authenticated Subject into the Tomcat server session but I can't find it.
Unfortunately...I don't think there "has" to be a way, that is the problem. The servlet spec does not require it.
If you use one of Tomcat's authentication methods -- basic, form, etc. -- the credentials carry through very nicely and it is all wonderful. JBoss provides a way from Tomcat -> EJB layer but not vice-versa.
I am using AOP security and after the complexity of getting that running right, I'm very pleased. I think this will do everything needed, one can protect any function with it. You will need a JaasLoginFilter or equivalent for the web layer, plus stuffing username/password into session.
If you absolutely must do it with Tomcat, realize it's a Tomcat issue -- a custom Valve or Realm might work. But I think that would be extremely fragile with respect to upgrades.
This feature will be available in 4.2.0.GA
I was thinking about ways to adequately test this. For now, after the web authentication in a servlet, I check for two things:
request.getUserPrincipal != null
request.isUserInRole(role) == true
Any thoughts on how this can be tested further? (No JSF, struts etc ideas please).