Hi,

I'm building a website using form based authentication integrating with JAAS
for user based authentication. I don't have an issue when a successful
credential is authenticated. Rather, I'm having difficulty understanding the
flow of JAAS back to the client should the form based authentication fail.

SOFTWARE:
1. Apache TomEE Plus 1.7.1
2. Java 8
3. Tomcat JAAS Realm

OBJECTIVE:
Custom error captured in JAAS login module to propagate to error page

BASIC UNDERSTANDING:
The Tomcat JAAS layer is not integrated with the web container layer. Hence the
former does not have access to request, session etc.

SOLUTION:
Using ThreadLocal, which captures the custom error message in the JAAS layer to
be used when the flow reaches back to the custom valve on the way back to the
browser.

PROBLEM:
Understanding of basic request/response flow involving Tomcat and JAAS

    a. request --> valve --> JAAS --> Filter --> Servlet/JSP
    b. response <-- valve (**) <-- JAAS <-- Filter <-- Servlet/JSP

(refer to above clause b)
ThreadLocal in the JAAS layer managed to capture the custom error message and
I managed to print it after the getNext() method of the custom valve. Thought
of adding this custom error as an attribute in the session object.

However, I noticed that the error page is already displayed before I could add
this custom error (immediately after the getNext method). Due to that, the
ready custom error message cannot be used.

SAMPLE CODE:
1. web.xml

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-redirect-error.jsp?error=true</form-error-page>
      </form-login-config>
    </login-config>

2. Custom valve, defined in META-INF/context.xml

    import java.io.IOException;
    import javax.servlet.ServletException;
    import org.apache.catalina.connector.Request;
    import org.apache.catalina.connector.Response;
    import org.apache.catalina.valves.ValveBase;

    public class SecurityValve extends ValveBase {
        @Override
        public void invoke(Request request, Response response) throws IOException, ServletException {
            // Pass the request down the pipeline (authenticator, filters, servlet/JSP)
            getNext().invoke(request, response);
            System.out.println("after getNext()"); // <-- break point (BP)
        }
    }

1. Set a break point on SecurityValve (indicated at BP)
2. On the form, I purposely enter a wrong credential and submit
3. Break point stops at BP
4. login-redirect-error.jsp displayed already
5. Since it stops at break point BP in SecurityValve, the response back to
   client flow has not reached the browser. Yet the login-redirect-error.jsp
   is already displayed

QUESTIONS:
How can the login-redirect-error.jsp be displayed on the browser when the
response flowing back to client stops at break point BP? The flow back to the
client is not fully done yet.

I would really appreciate any help.

Thanks.
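
The ThreadLocal hand-off described in the post, as an added example that is not part of the original message and not Tomcat or TomEE code. It runs on the JDK alone: LoginErrorDemo, LOGIN_ERROR, DemoLoginModule, attempt() and the sample credentials are hypothetical, and attempt() stands in for the valve code around getNext(), assuming the login module runs on the request thread. The slot is cleared in a finally block because container threads are pooled, so a stale failure reason would otherwise be visible to the next request served by that thread.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class LoginErrorDemo {
    // Hypothetical holder: one slot per thread for the last login failure reason.
    static final ThreadLocal<String> LOGIN_ERROR = new ThreadLocal<>();
    // Hypothetical login module; the accepted credentials are constructed sample values.
    public static class DemoLoginModule implements LoginModule {
        private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h,
                               Map<String, ?> shared, Map<String, ?> opts) { handler = h; }
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user");
            PasswordCallback pass = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { name, pass }); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            boolean ok = "alice".equals(name.getName())
                && "s3cret".equals(new String(pass.getPassword()));
            if (ok) return true;
            LOGIN_ERROR.set("Invalid user name or password"); // reason for the caller on this thread
            throw new FailedLoginException("authentication failed");
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // Stands in for the code around getNext(): read the reason, then always clear the slot.
    static String attempt(String user, String password) {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
            }
        };
        CallbackHandler ch = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
            }
        };
        try { new LoginContext("demo", null, ch, cfg).login(); return "ok"; }
        catch (LoginException e) { return LOGIN_ERROR.get(); }
        finally { LOGIN_ERROR.remove(); } // pooled threads are reused across requests
    }
    public static void main(String[] args) {
        System.out.println(attempt("alice", "wrong") + " | " + attempt("alice", "s3cret"));
    }
}
```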
                                          
