[jboss-user] [Security & JAAS/JBoss] - How to authenticate to the JBoss server without FORM authent

Marcos_APS do-not-reply at jboss.com
Wed Aug 6 09:47:07 EDT 2008


- JBoss 4.2.3.GA
- Java 5 Update 16

Hello, everybody!

I have a web application already in production that uses FORM authentication as the way for the user to log in to the application. All the business logic that this web application uses is in an EJB jar file deployed in the same server. So, as it uses FORM authentication, all the authentication process is handled for me automatically. This is working ok.

I already have client (Swing) applications that connect to the same server and also have to make session bean calls. In order to do so, I had to manually authenticate to the JBoss server in the client application. I used code like this to authenticate the user on the server:


  | import javax.naming.CommunicationException;
  | import javax.security.auth.callback.CallbackHandler;
  | import javax.security.auth.login.LoginContext;
  | import javax.security.auth.login.LoginException;
  | 
  | import org.jboss.security.auth.callback.UsernamePasswordHandler;
  | 
  | //
  | 
  | private LoginContext fLoginContext;
  | 
  | public void connect(String userName, String password) throws Exception
  | {
  |     String configFile = "jaas.config";
  |     System.setProperty("java.security.auth.login.config", configFile);
  | 	
  |     CallbackHandler manager =
  |         new UsernamePasswordHandler(userName, password);
  |     fLoginContext = new LoginContext("login", manager);
  |     fLoginContext.login();
  | 	
  |     testLogin();
  | }
  | 
  | public void disconnect()
  | {
  |     if (fLoginContext == null)
  |     {
  |         throw new UnsupportedOperationException(
  |             "Connection still not established.");
  |     }
  |     try
  |     {
  |         fLoginContext.logout();
  |     }
  |     catch (LoginException ex)
  |     {
  |         MessageDialog.showError(ex.getMessage());
  |     }
  | }
  | 
  | // This method just invokes a function in a real EJB to make the real
  | // authentication
  | private void testLogin() throws Exception
  | {
  |     IReservaManager reserveManager =
  |         FabricaDados.getInstance().getReserveManager();
  |     reserveManager.find();
  | }
  | 

The code above is working ok as well.

Now I'm developing another web application. This new web application, like the other web application, also has to make calls on the session beans of another EJB jar file. But this web application doesn't use FORM authentication, so I think I'll have to provide the authentication manually as I did for the client (Swing) application. This is where my doubt is. Do I have to use something similar to the code that I use in the Swing application to authenticate in the web application, or is there another way in JBoss to make the authentication from a web application that doesn't use FORM authentication? I'm really in doubt about this.

So, what's the right idiom (pattern) to authenticate (and disconnect later) to the JBoss server in order to make session bean method calls in a web application that doesn't use FORM authentication?

Thank you very much.

Marcos

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4169048#4169048
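
Added example, not part of the original post and not JBoss project code: one way to scope the JAAS client login shown in the post to a single call inside a web application, so the identity is always removed before the container reuses the request thread. It assumes a JAAS entry named `client-login` backed by `org.jboss.security.ClientLoginModule` is configured on the server; the class `EjbCaller` and the method `callAs` are hypothetical names.

```java
import java.util.concurrent.Callable;

import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.jboss.security.auth.callback.UsernamePasswordHandler;

// Hypothetical helper (added example): runs one unit of EJB work under a
// caller identity and always removes that identity afterwards.
public final class EjbCaller
{
    // Assumption: a JAAS entry with this name exists and uses
    // org.jboss.security.ClientLoginModule.
    private static final String JAAS_ENTRY = "client-login";

    private EjbCaller()
    {
    }

    public static <T> T callAs(String userName, char[] password,
            Callable<T> ejbWork) throws Exception
    {
        LoginContext ctx = new LoginContext(JAAS_ENTRY,
            new UsernamePasswordHandler(userName, password));

        // As with testLogin() in the post, login() only associates the
        // principal and credential with the caller; the server checks them
        // when the first secured session bean method is invoked.
        ctx.login();
        try
        {
            return ejbWork.call();
        }
        finally
        {
            // Request threads are pooled. Without this logout the identity
            // could still be attached when the thread serves another user.
            try
            {
                ctx.logout();
            }
            catch (LoginException ex)
            {
                // Do not mask an exception thrown by ejbWork.
            }
        }
    }
}
```

The session bean lookup and invocation go inside the `Callable`, so no EJB call made outside `callAs` runs with a leftover identity.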
