I am using it for hawtio at this moment. Right now I have hawtio
basically working including login, logout and logout from different app.
There are still kinks to address (mainly on client side) and also more
testing on different servers (I am using tomcat for development now).
authentication of server on hawtio is not based on servlet security but
on JAAS. The client is expected to send username/password in
Authorization header with BASIC scheme. Then there is servlet filter on
server-side, which parses Authorization header and delegates
authentication to JAAS where it sends username and password via
What I am doing right now is sending accessToken as password in
Authorization header. I am using:
username: bearer (really hardcoded string atm)
BearerTokenLoginModule is then able to verify accessToken and establish
jaas identity expected by hawtio. Note that login module is used just
for bearer authentication of accessToken and it doesn't need to interact
I can also investigate the approach based on adapters. Basically adapter
will establish servlet security and then hawtio AuthenticationFilter
would need to be replaced in web.xml with some other filter, which will
be able to establish hawtio security context (which is mainly about
saving jaas Subject into http session) based on servlet authentication.
Fact is that JAAS approach seems to be less invasive and I am quite sure
that it will work on all servers, which hawtio supports. I still need to
investigate and test a bit more, everything is in prototype stage...
I am out on Monday (public holidays) but will continue on Tuesday.
On 14.11.2014 14:50, Bill Burke wrote:
What is the purpose of this? We have adapters to do this kind of
A LoginModule doesn't remove the need for an adapter as you still need
to extract and propagate the token in the protocol layer. I've already
been down this road and it is a dead end.