In your case the client of JBoss is a multi-threaded server where the identity of a
client
can change with each servlet request. I have added a configuration option to the
ClientLoginModule that allows you to put it in the mode where it uses thread local
storage for the principal and credentials that are established during a login.
Configure the module with the multi-threaded option set to true as here:
other {
// Put your login modules that work without jBoss here
// jBoss LoginModule
org.jboss.security.ClientLoginModule required multi-threaded=true;
// Put your login modules that need jBoss here
};
and then in your servlet request handler you need to establish the client identity:
protected void doRequest(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException
{
String username = ...; // Obtain username & password from request properties
char[] password = ...;
LoginContext lc = null;
try
{
lc = new LoginContext("other", new CallbackHandler()
{
public void handle(Callback[] callbacks) throws
IOException, ServletException
{
for(int i = 0; i < callbacks.length; i++)
{
if (callbacks[i] instanceof NameCallback)
{
NameCallback n = (NameCallback) callbacks[i];
n.setName(username);
}
else if(callbacks[i] instanceof PasswordCallback)
{
PasswordCallback p = (PasswordCallback) callbacks[i];
p.setPassword(password);
}
else
{
throw new ServletException("Unrecognized Callback:
"+callbacks[i]);
}
}
}
}
);
lc.login();
// Work as username...
}
catch(LoginException e)
{
throw new ServletException(e.getMessage());
}
finally
{
if( lc != null )
lc.logout();
}
}
You could also just use the SecurityAssociation class directly:
import org.jboss.security.SecurityAssociation;
public void init(ServletConfig config) throws ServletException
{ // Use thread local storage for username,password
SecurityAssociation.setServer();
}
protected void doRequest(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException
{
String username = ...; // Obtain username & password from request properties
char[] password = ...;
try
{
SecurityAssociation.setPrincipal(new SimplePrincipal(username));
SecurityAssociation.setCredential(password);
// Work as username...
}
finally
{
SecurityAssociation.setPrincipal(null);
SecurityAssociation.setCredential(null);
}
}
It is simpler, but it is also more likely to break in a future release of JBoss as your
now dealing directly with implementation details rather than using a standard api.
----- Original Message -----
From: "Ferguson, Doug" <[EMAIL PROTECTED]>
To: "'Oleg Nitz'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, January 23, 2001 1:34 PM
Subject: RE: [jBoss-User] jaas
> Heres what I'm trying to do:
>
> I would like to have a servlet/jsp with a form.
> This form will allow users to authenticate.
> There will be a macro role of client.
> Then there will be sub roles underneath each client.
> It is extremely important that if one client logins in as
> superuser that a test user at another client doesn't
> obtain full access to the other client's data or the myriad of other
> security
> violations that seem possible due to these static
> variables. So I was thinking that maybe you could rewrite
> the module on the client side so that it didn't use
> static variables.
>
> Before I delved very deep into JAAS I was thinking that
> we would be able to cache login in the middle tier.
> Say in a stateful sessino bean. The web layer could cache
> the handle to the bean in a session cookie or similar.
> Then Whenever the servlet/jsp could obtain login info from
> the bean and fire off a loginContext.login(). Now that I've
> found that the user/password hangs around with the VM. I
> am not sure what I could do. I've seen some posts concerning
> 1) SecurityAssociation.setServer()
> 2) create different LoginContexts SEQUENTIALLY or just call
> SecurityAssociation.setPrincipal and SecurityAssociation.setCredential
>
> But I can't find code examples nor did the posts mention how exactly
> to implement such a work around or the outcome of such a work around.
>
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
List Help?: [EMAIL PROTECTED]
