[jboss-dev-forums] [PicketBox Development] - JBoss AS7: Enabling JASPI Authentication for Web Applications

arjan tijms do-not-reply at jboss.com
Thu Jan 31 06:39:20 EST 2013


arjan tijms [https://community.jboss.org/people/atijms] commented on the document

"JBoss AS7: Enabling JASPI Authentication for Web Applications"

To view all comments on this document, visit: https://community.jboss.org/docs/DOC-17782#comment-11498

--------------------------------------------------
Ron, thank you so much for the response!

Indeed, HttpServletRequest.authenticate works. I tested this using JBoss EAP 6.0.1, WebLogic 12.1.1, and GlassFish 3.1.2.2.

It would help a lot if the next MR to the spec would state this explicitly. Are there already any plans for this MR? And being an MR, will there be some sort of open tracker where one can submit issues?

>  ValidateRequest should not be called under HttpServletRequest.login mostly because login presumes a user name/password authentication mechanism (which may not be compatible with the configured auth context). 
> 

Indeed, but that holds for proprietary login modules as well, doesn't it? The contract on HttpServletRequest.login already mentions something along those lines:

"This method returns without throwing a ServletException when the login mechanism configured for the ServletContext supports username password validation"

> I will think about how that might be possible
> 
Thanks again, it will be interesting to see what the options here are.

If for some reason it really is not possible to handle HttpServletRequest.login with JSR 196, then maybe an exception should be thrown instead if JSR 196 is configured for the app?

What happens now is that the call silently goes to a completely different login module. If this login module happened to store the username/password that the user is trying to authenticate with, he/she will be totally unexpectedly and silently authenticated with the wrong login module.
--------------------------------------------------
