JAAS in servlet engine

Hi,

I want to use an existing JAAS LoginModule in Tomcat. I don't want to use the built-in JAASRealm functionality of Tomcat. In a JSF managed bean (called AuthenticationBean) I create a LoginContext and call its login method. When the user logs out, the invalidate method of the HttpSession is called to trigger the SessionListener. In the SessionListener the logout method of the LoginContext should be called. Is it good practice to store the LoginContext in the user's session to share this object between the SessionListener and the AuthenticationBean? Shouldn't it be serializable then?

Or is it allowed to create another LoginContext in the SessionListener to call the logout method on? So, is it mandatory to instantiate just one instance of the LoginContext per user authentication?

Kind regards,

Dirk

By [dirkdaemsa] at [2007-11-27 3:52:53]
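One way to arrange what the post above describes, as an added example that is not part of the original thread: the LoginContext is kept in the session inside a small serializable holder that logs out when the session drops it. The class name `JaasSessionHolder`, the attribute name `"jaas"` and the JAAS application name passed in are assumptions; the `javax.servlet` API of that Tomcat generation is assumed on the classpath.

```java
import java.io.Serializable;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Hypothetical session attribute that owns one LoginContext per login. */
public class JaasSessionHolder implements HttpSessionBindingListener, Serializable {
    private static final long serialVersionUID = 1L;

    // LoginContext does not implement Serializable. Marking it transient lets
    // the container persist or replicate the session without failing here.
    // After such a round trip the field is null and the user must log in again.
    private transient LoginContext loginContext;

    private JaasSessionHolder(LoginContext loginContext) {
        this.loginContext = loginContext;
    }

    /** Called from the managed bean, e.g.
     *  session.setAttribute("jaas", JaasSessionHolder.login(appName, handler)); */
    public static JaasSessionHolder login(String appName, CallbackHandler handler)
            throws LoginException {
        LoginContext lc = new LoginContext(appName, handler);
        lc.login(); // throws LoginException when authentication fails
        return new JaasSessionHolder(lc);
    }

    /** Authenticated Subject, or null if the context was lost or logged out. */
    public Subject getSubject() {
        return loginContext == null ? null : loginContext.getSubject();
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        // nothing to do when the holder is stored in the session
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // Runs on removeAttribute(), on session.invalidate() and on timeout.
        LoginContext lc = loginContext;
        loginContext = null; // makes a second unbind a no-op
        if (lc == null) return;
        try {
            lc.logout(); // same instance that performed login()
        } catch (LoginException e) {
            event.getSession().getServletContext().log("JAAS logout failed", e);
        }
    }
}
```

Because the holder is unbound when the session is invalidated or expires, logout is called on the same LoginContext instance that performed the login, without a separate lookup in a SessionListener.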
# 1
Hi, this is very strange ... I found a lot of people posting quite the same question (on this and other forums) but nobody seems to have a good solution. Kind regards, Dirk
dirkdaemsa at 2007-7-12 8:56:54
# 2
Hi, what do you think about storing the LoginContext as a ThreadLocal variable? Kind regards, Dirk
dirkdaemsa at 2007-7-12 8:56:54