I have an application which uses form based authentication to secure
portions of the site (servlets). I am trying to programmatically avoid
the form based login and do it in a custom way inside my servlet. (for
example: after a new user registers on the site, he should have access
to the secure content without explicitly logging in).
I am using sample code for the J2EE Pet Store, running a Tomcat server
(inside the J2EE Reference Implementation). The login routine I am
using is below (it is publicly available on the web). It hits our
default realm to look up the username/password pair for authentication:
    /* This code is specific to the J2EE reference implementation. */
    public void loginUser(String userName, String password, HttpSession session) {
        System.out.println("Logging in user " + userName + " to web server");
        // log in the user against the default realm
        try {
            LoginContext lc = new LoginContext();
            lc.login(userName, password);
        } catch (LoginException le) {
            le.printStackTrace();
            // the failure status is fetched but not otherwise used here
            AuthenticationStatus as = le.getStatus();
        }
        // remember the RI security context in the HTTP session, if there is one
        if (session != null) {
            session.setAttribute(SECURITY_CONTEXT,
                com.sun.enterprise.security.SecurityContext.getCurrent());
        }
    }
So far, this authenticates against the browser (in the sense that it
keeps the username in subsequent 'getRemoteUser()' calls), but the
container redirects to the login page whenever secured content is
accessed, even after the servlet logs the user in.
While I am currently looking for a solution in my environment, a good
general answer would be much appreciated... as I do not fully
understand the relationship between the servlet and container with
respect to this type of authentication. What flag needs to be set so
the container knows that authentication has occurred?
We currently use a SecurityAdapter interface, and have an implementation for
the J2EE environment and will implement new versions for other servers. Is
this the best approach for portability?
much thanks,
Anthony
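Added example, not from the post above or from the J2EE RI: the same SecurityAdapter idea, with the container-side implementation written against the standard HttpServletRequest.login() that Servlet 3.0+ containers provide (assumed here: a javax.servlet 3.0+ container such as Tomcat 7 to 9, and a realm configured in web.xml; the class and path names are illustrative). Because the container itself records the principal, later security-constraint checks see the user without a form login.

```java
// Added example (not the original post's code): Servlet 3.0+ programmatic login.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Portability seam: one interface, one implementation per container. */
interface SecurityAdapter {
    boolean login(HttpServletRequest request, String userName, String password);
}

/** Works on any Servlet 3.0+ container; no vendor-specific classes needed. */
class ContainerSecurityAdapter implements SecurityAdapter {
    public boolean login(HttpServletRequest request, String userName, String password) {
        // Drop any pre-login session so an id handed out before authentication
        // cannot be reused afterwards (session fixation), then start a fresh one.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true);
        try {
            // The container checks the realm configured in web.xml and records the
            // principal, so getRemoteUser() and <security-constraint> both see it.
            request.login(userName, password);
            return request.getUserPrincipal() != null;
        } catch (ServletException e) {
            return false; // bad credentials, already logged in, or realm unavailable
        }
    }
}

/** Post-registration use: log the new user in, then send them to secured content. */
class RegisterServlet extends HttpServlet {
    private final SecurityAdapter security = new ContainerSecurityAdapter();
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        // ... create the account in the realm's user store here (assumed) ...
        if (security.login(req, user, pass)) {
            resp.sendRedirect(req.getContextPath() + "/secure/home"); // hypothetical path
        } else {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
}
```

request.login() throws ServletException when a user is already authenticated on the request, so call request.logout() first if the registration page can be reached by a logged-in user.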
Archives: http://archives.java.sun.com/archives/servlet-interest.html