How to authenticate under JBoss/JAAS from a public web app page?

davout

I'm deploying a web app under JBoss with the usual '<security-constraint>'
based links to a JAAS login module.

However, my web app includes some web pages that are public (i.e. not
protected and open to public access) and not covered by the security
constraints.

On the main public page I want to include the usual login-related controls
(user ID, password and submit button) to allow for quick login.

But how and what do I call to authenticate from this public area?
 
Heiko W. Rupp

davout said:
But how and what do I call to authenticate from this public area?

You need a form like this:
<form method="POST" action="j_security_check">
Login: <input type="text" name="j_username"><br/>
Password: <input type="password" name="j_password"><br/>
<input type="submit" value="Login"/>
</form>

In jboss-web.xml you need to set the security-domain for JAAS as well:

<jboss-web>
<security-domain>java:/jaas/adb</security-domain>
</jboss-web>

In this example "adb" is a domain that has been declared in
$JBServer/conf/login-config.xml
 
davout

Thanks...

Where does the 'j_security_check' servlet redirect to after it has finished?
 
kjc

davout said:
Thanks...

Where does the 'j_security_check' servlet redirect to after it has finished?


You need a form like this:
<form method="POST" action="j_security_check">
Login: <input type="text" name="j_username"><br/>
Password: <input type="password" name="j_password"><br/>
<input type="submit" value="Login"/>
</form>

In jboss-web.xml you need to set the security-domain for JAAS as well:

<jboss-web>
<security-domain>java:/jaas/adb</security-domain>
</jboss-web>

In this example "adb" is a domain that has been declared in
$JBServer/conf/login-config.xml
You need to set which pages are to be secured in your
web.xml file.

When a user hits one of these pages, he/she will be directed to your
defined login page.
If the login is successful, the user is redirected to the desired page.
 
davout

That doesn't answer my question. Here's the situation...
* The user is on a public (unprotected) page that includes login controls
* According to a previous response on this thread the form action on the
login form should point at 'j_security_check'
* Hence, when the user enters their ID and password and clicks 'submit' the
'j_security_check' servlet is called.

So my question is where does the user request get re-directed to after
'j_security_check' servlet has finished?


 
Manfred Rosenboom

davout said:
That doesn't answer my question. Here's the situation...
* The user is on a public (unprotected) page that includes login controls
* According to a previous response on this thread the form action on the
login form should point at 'j_security_check'
* Hence, when the user enters their ID and password and clicks 'submit' the
'j_security_check' servlet is called.

So my question is where does the user request get re-directed to after
'j_security_check' servlet has finished?

You have to learn more about FORM based authentication in a
web container: in the web.xml file you can configure
form based authentication and the page to use, whenever
authentication is needed. How to write such a page was already
answered. Next you have to describe, which pages (URLs) in your
web application are protected. When you access such a URL for
the first time (i.e. no user authentication was done before in
the actual session), the web container will show your login
page and after checking the entered data will forward to the
desired URL.

Best,
Manfred
 
davout

Maybe I'm not being clear....

The question relates to an open unprotected page which does not require
authorized access - like the top level public page of most web sites. On
these front pages you often find a quick login facility, where a user may
enter their user ID and password. Note, this is NOT a separate login page,
the login controls are part of the top level open front page.

Hence, the difference is that I'm not trying to reach a protected page where
the container protection will intercept and force a redirect to a login
page. Instead I'm on a public (unprotected page) which includes a set of
login inputs and a login submit button.

Thus, from the earlier response the login submit from this public page will
call the 'j_security_check' servlet, but what happens after this servlet
completes its authentication check?
 
Manfred Rosenboom

davout said:
Maybe I'm not being clear....

The question relates to an open unprotected page which does not require
authorized access - like the top level public page of most web sites. On
these front pages you often find a quick login facility, where a user may
enter their user ID and password. Note, this is NOT a separate login page,
the login controls are part of the top level open front page.

Hence, the difference is that I'm not trying to reach a protected page where
the container protection will intercept and force a redirect to a login
page. Instead I'm on a public (unprotected page) which includes a set of
login inputs and a login submit button.

Thus, from the earlier response the login submit from this public page will
call the 'j_security_check' servlet, but what happens after this servlet
completes its authentication check?

This is a completely different case (neither BASE nor FORM authorization
but customer specified authorization). The j_security_check related
stuff works only for FORM based authorization. In your case you have to
code your own authorization. You can save the information (anonymous or
authorized user) in the related session.

Best,
Manfred
 
