<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
<table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td>
<table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
<h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
<!-- To have a header image/logo replace the name below with your img tag -->
<!-- Email clients will render the images when the message is read so any image -->
<!-- must be made available on a public server, so that all recipients can load the image. -->
<a href="http://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
Web Application Authentication
</h3>
<span style="margin-bottom: 10px;">
created by <a href="http://community.jboss.org/people/muty">Amir Hadi</a> in <i>Beginner's Corner</i> - <a href="http://community.jboss.org/message/607653#607653">View the full discussion</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>Hi,</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>first of all I wanted to mention that I am completly new in this community, so don't slap me if this is the wrong category for this kind of question! If this is the wrong category, I would ask the administrators to move this discussion to the right category.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>I need to create a demonstration web application, where Users need to authenticate them self in two steps. The best result would be to achive this authentication with JAAS.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The basic two steps are:</p><ol><li>Authenticate with username and password with LDAP:<ol><li>User visits a website / web application but is not authenticated</li><li>User is redirected to a login page and enters his username and password</li><li>User credentials are validated through JAAS with an LDAP LoginModule (this actually works already) --> The user is now "half" authenticated</li><li>The user receives a kind of a token / transaction number on his mobilephone. He needs to enter this token before is fully authenticated</li></ol></li><li>The user can access a special page, where he can enter his token<ol><li>The token (which is generated and stored in the first step) is validated. This can be achived through JDNI access on the directory service</li><li>If the token is valid, the user is fully authenticated</li></ol></li></ol><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>How would you implement that? My first idea is: I'll create a web application with two security constraints in web.xml. One for the complete protected content (url-pattern: /*) with the auth-constraint set to a role like "FullAuthenticated" and second security constraint for the token page (url-pattern: /token.jsp) with auth-constraint set to a role like "HalfAuthenticated". This would allow the user to login with his username and password and (if successfully (half) authenticated) to access the token.jsp page, but not the other protected content of the application. After his token validation, he can access the complete application.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Does that sound naive / stupid / impossible or can this work? Any comments? How can I add a role (in the directory there are no roles defined) to a user in the JAAS LoginModule? How can I tell JBoss to reference the jaas.config file?</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Any help is much apprechiated.</p></div>
<div style="background-color: #f4f4f4; padding: 10px; margin-top: 20px;">
<p style="margin: 0;">Reply to this message by <a href="http://community.jboss.org/message/607653#607653">going to Community</a></p>
<p style="margin: 0;">Start a new discussion in Beginner's Corner at <a href="http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2075">Community</a></p>
</div></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>