As I have seen, WebAuthentication only has to be used from the interceptor instead of from my
own LoginFacade. First of all, is this correct?
So I hope I've moved to WebAuthentication in the correct way. I have seen an example of how
to implement a Struts 1 filter. I have used the code to implement my Struts 2
interceptor.
And this is the current error:
15:05:30,318 DEBUG [RealmBase] Username extern.michael.obster does NOT have role AdminUser
The login principal in the LoginModule gives me a mapping
"extern.michael.obster" to "AdminUser", so this is in some way a
discrepancy, which I suppose means that something of the security context is lost (therefore I wanted
to have "deeper" debugging, but I don't see a way to do it because I
cannot get better access into JBossWebRealm.java).
This is my new JAASLoginInterceptor:

/**
 *
 */
package vwg.audi.cancard.ui.interceptor;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import org.apache.log4j.Logger;
import org.apache.struts2.ServletActionContext;
import org.jboss.web.tomcat.security.login.WebAuthentication;

import vwg.audi.cancard.business.LoginFacade;
import vwg.audi.cancard.ui.JAASConstants;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.Interceptor;

/**
 * JAASLoginFilter
 *
 * @author Michael Obster
 */
public class JAASLoginInterceptor implements Interceptor {

    private static final long serialVersionUID = -1983088770872827621L;

    private Logger log = Logger.getLogger(this.getClass());

    String loginDomain = "";
    String clientLoginDomain = "";

    LoginFacade loginFacade;

    @Override
    public void init() {

    }

    @Override
    public String intercept(ActionInvocation actionInvocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();

        String servletPath = request.getServletPath();
        String pathInfo = request.getPathInfo();
        String path = (servletPath == null ? "" : servletPath)
                + (pathInfo == null ? "" : pathInfo);
        if (log.isDebugEnabled()) {
            log.debug("Login INTERCEPT");
        }

        // Application-level session flag set by the login page; if it is missing,
        // send the user to the login action
        if (!JAASConstants.USER_IS_VALID.equals(request.getSession().getAttribute(
                JAASConstants.USER_VALIDITY))) {
            log.info("requested path: " + path);
            return Action.LOGIN;
        }

        // Get the user name and password based on some attributes from your FORM post
        String username = (String) request.getSession().getAttribute(JAASConstants.USERNAME); // username can be any attribute
        String pass = (String) request.getSession().getAttribute(JAASConstants.PASSWORD); // pass can be any attribute

        if (username == null || pass == null) {
            throw new RuntimeException("username or password is null");
        }
        // Programmatic web-tier login through the JBoss Tomcat integration
        WebAuthentication pwl = new WebAuthentication();
        pwl.login(username, pass);

        if (log.isDebugEnabled()) {
            // Only when there is a web login is the principal visible
            log.debug("User Principal=" + request.getUserPrincipal());
            // Some basic checks to see if the user who just did a programmatic login has a role of "AuthorizedUser"
            log.debug("isUserInRole(AuthorizedUser)=" + request.isUserInRole("AdminUser"));
        }

        if (request.getUserPrincipal() == null || !request.isUserInRole("AdminUser")) {
            throw new ServletException("User is not authenticated or the isUserInRole check failed");
        }

        // Log the user out
        pwl.logout();

        if (request.getUserPrincipal() != null || request.isUserInRole("AdminUser")) {
            throw new ServletException("User is still authenticated or pass: isUserInRole(Authorized User)");
        }

        return actionInvocation.invoke();
    }

    @Override
    public void destroy() {
        // loginFacade.logout();
    }

}

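Added example, not code from the original post or from JBoss: the same WebAuthentication flow split into a login action that calls `login()` once and an interceptor that only checks the container's principal and role on each request. The package `example.web`, the class names and the form field names are assumptions; it also assumes, as the JBoss wiki filter example the poster followed does, that the principal registered by `login()` stays associated with the session on later requests.

```java
// --- file example/web/LoginAction.java (hypothetical package) ---
package example.web;

import javax.servlet.http.HttpServletRequest;

import org.apache.log4j.Logger;
import org.apache.struts2.ServletActionContext;
import org.jboss.web.tomcat.security.login.WebAuthentication;

import com.opensymphony.xwork2.ActionSupport;

/**
 * The only place the password is handled: it is bound from the login form,
 * handed to WebAuthentication, then discarded. It is never stored in the
 * HttpSession, unlike JAASConstants.PASSWORD in the posted interceptor.
 */
public class LoginAction extends ActionSupport {
    private static final long serialVersionUID = 1L;
    private static final Logger log = Logger.getLogger(LoginAction.class);

    private String username; // form field names are assumptions
    private String password;

    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }

    @Override
    public String execute() {
        if (username == null || password == null) {
            addActionError("Username and password are required");
            return INPUT;
        }
        // login() returns false when the JAAS login fails; the posted
        // interceptor discards this return value.
        boolean ok = new WebAuthentication().login(username, password);
        password = null; // drop the credential as soon as it has been used
        if (!ok) {
            log.info("JAAS login failed for user " + username);
            addActionError("Login failed");
            return INPUT;
        }
        // The container evaluates roles against the principal that
        // WebAuthentication just associated with this request.
        HttpServletRequest request = ServletActionContext.getRequest();
        if (log.isDebugEnabled()) {
            log.debug("principal=" + request.getUserPrincipal()
                    + " isUserInRole(AdminUser)=" + request.isUserInRole("AdminUser"));
        }
        return SUCCESS;
    }
}

// --- file example/web/AdminRoleInterceptor.java (hypothetical package) ---
package example.web;

import javax.servlet.http.HttpServletRequest;

import org.apache.log4j.Logger;
import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.Interceptor;

/**
 * Guards admin actions. It neither logs in nor logs out; it only asks the
 * container whether the current request carries an authenticated principal
 * with the required role.
 */
public class AdminRoleInterceptor implements Interceptor {
    private static final long serialVersionUID = 1L;
    private static final Logger log = Logger.getLogger(AdminRoleInterceptor.class);
    private static final String REQUIRED_ROLE = "AdminUser"; // role name from the post

    public void init() { }
    public void destroy() { }

    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        // Authentication state comes from the container, not from a
        // session flag the application set for itself.
        if (request.getUserPrincipal() == null) {
            log.info("unauthenticated request to " + request.getRequestURI());
            return Action.LOGIN;
        }
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            // This is the case RealmBase reports as "does NOT have role ..." at DEBUG.
            log.warn("user " + request.getUserPrincipal().getName()
                    + " lacks role " + REQUIRED_ROLE);
            return Action.LOGIN;
        }
        return invocation.invoke();
    }
}
```

Two things this separates out of the posted code. `login()` returns a boolean that the posted interceptor discards; logging it tells a failed JAAS login apart from a successful login whose principal lacks the role, which is what the RealmBase line reports. And the role check is the same `isUserInRole("AdminUser")` the post already makes, but without the immediate `logout()` that the posted interceptor performs before `actionInvocation.invoke()`, which leaves the action itself running without a principal.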
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4258664#...