Hi,

I'm building a website using form based authentication integrating with JAAS 
for user based authentication. I don't have an issue when a successful credential 
is authenticated. Rather, I'm having difficulty understanding the flow of JAAS 
back to the client should the form based authentication fail.

SOFTWARE:
1. Apache Tomee plus 1.7.1
2. Java 8
3. Tomcat JAAS Realm

OBJECTIVE:
Custom error captured in JAAS login module to propagate to error page

BASIC UNDERSTANDING:
The Tomcat JAAS layer is not integrated with the web container layer. Hence the 
former does not have access to request, session etc.

SOLUTION:
Using ThreadLocal, which captures the custom error message in the JAAS layer, to be 
used when the flow reaches back to the custom valve on the way back to the 
browser.

PROBLEM:
Understanding of basic request/response flow involving Tomcat and JAAS
a. request --> valve --> JAAS --> Filter --> Servlet/JSP
b. response <-- valve (**) <-- JAAS <-- Filter <-- Servlet/JSP

(refer to above clause b) ThreadLocal in the JAAS layer managed to capture the 
custom error message and I managed to print it after the getNext() method of 
the custom valve. Thought of adding this custom error as an attribute in the 
session object.
However, I noticed that the error page is already displayed before I could add 
this custom error (immediately after the getNext method).
Due to that, the ready custom error message cannot be used.

SAMPLE CODES:
1. web.xml
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login-redirect-error.jsp?error=true</form-error-page>
        </form-login-config>
    </login-config>
2. Custom valve, defined in META-INF/context.xml
    public class SecurityValve extends ValveBase {
        public void invoke(Request request, Response response)
                throws IOException, ServletException {
            // Pass the request down the pipeline (authenticator, filters, servlet/JSP)
            getNext().invoke(request, response);
            System.out.println("after getNext()"); // --> break point (BP)
        }
    }

1. Did a break point on SecurityValve (indicated at BP)
2. On the form, I purposely enter a wrong credential and submit
3. Break point stops at BP
4. login-redirect-error.jsp displayed already
5. Since it stops at break point BP in SecurityValve, the response back to client 
   flow has not reached the browser. Yet the login-redirect-error.jsp is already 
   displayed

QUESTIONS:
How can the login-redirect-error.jsp be displayed on the browser 
when the response flowing back to the client stops at break point BP? The flow back 
to the client is not fully done yet.

I would really appreciate any help. Thanks.
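
The ordering the post observes, as an added sketch that is not part of the original message and is not Tomcat code: plain-Java stand-ins model SecurityValve, the form authenticator valve and the JAAS login module. It assumes the authenticator renders the error page and commits the response inside its own invoke before returning, as Tomcat's FormAuthenticator does when it forwards to the form-error-page; all class, field and message names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified stand-ins for the pipeline in the post; none of these are Tomcat classes.
public class ValveFlowDemo {
    // Hypothetical holder for the login module's message (the ThreadLocal approach).
    static final ThreadLocal<String> LOGIN_ERROR = new ThreadLocal<>();
    static final List<String> events = new ArrayList<>();

    static class Response {
        boolean committed;
        final StringBuilder body = new StringBuilder();
    }

    interface Valve { void invoke(Response response); }

    // Stand-in for the JAAS login module: no request or session, only the current thread.
    static boolean login(String user, String password) {
        LOGIN_ERROR.set("Password expired"); // constructed sample message
        events.add("login module failed");
        return false;
    }

    // Stand-in for the form authenticator valve: on failure it renders the
    // error page itself and commits the response before it returns.
    static final Valve authenticator = response -> {
        if (!login("alice", "wrong")) {
            // The error page runs on the same thread, so it can read the holder here.
            response.body.append("Login failed: ").append(LOGIN_ERROR.get());
            response.committed = true; // the client already has the page from here on
            events.add("error page committed");
        }
    };

    // Stand-in for SecurityValve: code after the next valve runs too late to
    // change the page, but it is the right place to clear the holder.
    static final Valve securityValve = response -> {
        try {
            authenticator.invoke(response);
            events.add("after getNext(), committed=" + response.committed);
        } finally {
            LOGIN_ERROR.remove(); // pooled threads must not carry the message into another request
        }
    };

    public static void main(String[] args) {
        Response response = new Response();
        securityValve.invoke(response);
        events.forEach(System.out::println);
        System.out.println("body: " + response.body);
        System.out.println("holder after request: " + LOGIN_ERROR.get());
    }
}
```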