[jboss-user] [Security & JAAS/JBoss] - Re: Can I create a login .war module that my other .war modu
vparmar
do-not-reply at jboss.com
Tue Feb 17 16:32:23 EST 2009
We have a solution for Web applications deployed on the same JBoss Instance to delegate Authentication to a different co-hosted web application.
Essentially, for Web Application/Module ABC1, ABC2, etc., a Servlet Filter checks for Request/Session parameters (for example USER_NAME, etc.). If the Servlet Filter does not find a user in the request/session, then it forwards the Request to the LOGON_XYZ Web App responsible for Authentication.
The LOGON_XYZ web application authenticates the User by validating the credentials provided by the User.
Once the User is successfully Authenticated, the LOGON_XYZ web application a) sets the User information in the Request and b) forwards the Request to the ABC1 web application. The ABC1 Web app Servlet Filter checks and finds a User in the Request and allows the User to continue to the requested page flow.
The Servlet Filter code is somewhat like this:
| package somepackage;
|
| import java.io.IOException;
| import javax.servlet.Filter;
| import javax.servlet.FilterChain;
| import javax.servlet.FilterConfig;
| import javax.servlet.RequestDispatcher;
| import javax.servlet.ServletContext;
| import javax.servlet.ServletException;
| import javax.servlet.ServletRequest;
| import javax.servlet.ServletResponse;
| import javax.servlet.http.HttpServletRequest;
| import javax.servlet.http.HttpSession;
|
| /**
|  * MyServletFilter intercepts the host web application's requests and inspects them
|  * to verify that a User is logged in. If a User is not logged in to the Host web
|  * application, the User is forwarded to the LOGON_XYZ Web application for Authentication.
|  * @author parmarv
|  */
| public class MyServletFilter implements Filter {
|
|     private FilterConfig filterConfig = null;
|
|     // This method is called once on server startup
|     public void init(FilterConfig filterConfig) {
|         this.filterConfig = filterConfig;
|     }
|
|     // This method is called once on server shut down
|     public void destroy() {
|         this.filterConfig = null;
|     }
|
|     public void doFilter(ServletRequest request, ServletResponse response,
|             FilterChain chain) throws IOException, ServletException {
|
|         boolean invokeLOGON_XYZ = false;
|         if (request instanceof HttpServletRequest) {
|             // Check whether a logged-in User is recorded in the Session.
|             HttpSession session = ((HttpServletRequest) request).getSession(true);
|             if (session.isNew()) {
|                 // Brand-new session: nobody can be logged in yet. Invoke LOGON_XYZ.
|                 invokeLOGON_XYZ = true;
|             } else if (session.getAttribute("USER_NAME_TOKEN_OR_ID") == null) {
|                 // User is not logged in since USER_NAME_TOKEN_OR_ID is not available. Invoke LOGON_XYZ.
|                 invokeLOGON_XYZ = true;
|             }
|             if (invokeLOGON_XYZ) {
|                 String appContextLOGON_XYZ = filterConfig.getInitParameter("LOGON_XYZ_CONTEXT");
|                 String dispatchPath = "/ABC1_User_home.jsp";
|                 // Cross-context lookup of the LOGON_XYZ web application
|                 // (returns null unless cross-context dispatch is enabled for this web app).
|                 ServletContext sc = this.filterConfig.getServletContext().getContext("/" + appContextLOGON_XYZ);
|                 RequestDispatcher rd = sc.getRequestDispatcher(dispatchPath);
|                 rd.forward(request, response);
|                 return;
|             }
|         }
|         // User is logged in (or this is not an HTTP request): continue normal operation.
|         chain.doFilter(request, response);
|     }
| }
|
This solution only works for Web applications that DO NOT use JBoss Container Managed Security. This solution is advisable as a workaround only. I am currently working on a solution for the same issue for my project.
I have posted this solution only to show that it is possible to use a second web app to delegate the authentication logic to.
HTH,
vparmar
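Editor's added example (not vparmar's code, and not from any JBoss project): both sides of the hand-off described in the post, written so that the hosted application's trust decision stays server-side. The hosted-app filter accepts an identity only from its session or from a request attribute, which only server-side code (the forward from LOGON_XYZ) can set; a request parameter of the same name is under the client's control and is deliberately never consulted. The login servlet discards the pre-login session before forwarding back, and takes its forward target from init-params rather than from the request. LOGON_XYZ_CONTEXT, USER_NAME_TOKEN_OR_ID and the /ABC1_User_home.jsp landing page come from the post; the class names, the /login path, the HOST_APP_CONTEXT and HOST_APP_HOME init-params and the credential check are assumptions. In a real deployment the filter and the servlet live in separate WARs; they are shown in one file only for illustration.

```java
package somepackage; // hypothetical package, as in the post

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hosted-application (ABC1) side. A user is accepted only if the session already
 * carries USER_NAME_TOKEN_OR_ID, or if the request *attribute* of that name is
 * present. Attributes can only be set by server-side code (here: the LOGON_XYZ
 * forward); a request *parameter* of the same name would be under the client's
 * control, so it is never consulted.
 */
public class DelegatingAuthFilter implements Filter {
    static final String USER_ATTR = "USER_NAME_TOKEN_OR_ID";
    private FilterConfig filterConfig;

    public void init(FilterConfig cfg) { this.filterConfig = cfg; }
    public void destroy() { this.filterConfig = null; }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        if (session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(request, response);          // already logged in
            return;
        }
        Object user = request.getAttribute(USER_ATTR);   // set by LOGON_XYZ, never by the client
        if (user != null) {
            session.setAttribute(USER_ATTR, user);       // promote to the session once
            chain.doFilter(request, response);
            return;
        }
        // Not logged in: hand the request to the co-hosted login application.
        String logonCtx = "/" + filterConfig.getInitParameter("LOGON_XYZ_CONTEXT");
        ServletContext logon = filterConfig.getServletContext().getContext(logonCtx);
        if (logon == null) {   // null unless cross-context dispatch is enabled: fail closed
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "login application unavailable");
            return;
        }
        RequestDispatcher rd = logon.getRequestDispatcher("/login"); // hypothetical login servlet path
        rd.forward(request, response);
    }
}

/** LOGON_XYZ side: validates the POSTed credentials, then forwards into the hosted app. */
class LogonServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String user = request.getParameter("username");
        String pass = request.getParameter("password");
        if (user == null || pass == null || !credentialsValid(user, pass)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Drop the pre-login session so a session id chosen before authentication is not kept.
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        request.getSession(true);

        request.setAttribute(DelegatingAuthFilter.USER_ATTR, user);
        // Target context and landing page come from init-params, not from the request, so the
        // login app cannot be steered into forwarding to arbitrary contexts or paths.
        String hostCtx = "/" + getInitParameter("HOST_APP_CONTEXT"); // hypothetical init-param
        String landing = getInitParameter("HOST_APP_HOME");          // e.g. /ABC1_User_home.jsp
        ServletContext host = getServletContext().getContext(hostCtx);
        if (host == null) {
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "host application unavailable");
            return;
        }
        host.getRequestDispatcher(landing).forward(request, response);
    }

    /** Hypothetical credential check; a real deployment consults its user store here. */
    private boolean credentialsValid(String user, String pass) {
        return "demo".equals(user) && "demo-password".equals(pass); // constructed sample credentials
    }
}
```

Two container settings decide whether this works at all: ServletContext.getContext() returns null unless cross-context dispatch is enabled for the calling web application (on Tomcat-based containers such as JBoss Web this is the crossContext="true" attribute of the Context), and the hosted app's filter mapping must declare the FORWARD dispatcher (Servlet 2.4 and later) or the filter never sees the request that LOGON_XYZ forwards back, so the USER_NAME_TOKEN_OR_ID attribute is never promoted into the session. Both lookups above fail closed when the context is unavailable, which is the safer default for an authentication gate.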
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4210866#4210866
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4210866