JAAS. How to set remote user in the session?
I have a working J2EE application (A), which uses internal authentication and authorization without JAAS as well as a custom engine library.
I need to replace the old engine with a new one.
The new application (B) should use JAAS. But the old application should be rebuilt step-by-step.
So, the application will temporarily be based on 2 engines at the same time.
All new application pages are protected with <security-constraint/> in the web.xml.
Functionally, the application logic has been separated successfully. An authentication problem is left.
Application A has a login screen with inputs for username and password.
Question 1: How can I authenticate in application part B (login module) automatically after a user has passed authentication in application part A (custom authentication)?
I wrote a LoginModule which keeps the authentication logic.
It works when I send a request to j_security_check?j_username=username&j_password=passwd
and then I can get the remote user name from the session using the request.getRemoteUser() method.
Question 2: How can I set the remote user in the session without sending a j_security_check request?
I created a LoginContext and a custom MyCallbackHandler and called login() in the application part A authentication function.
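// Run the JAAS configuration entry "MyLoginModule" directly from application code
LoginContext lc = new LoginContext("MyLoginModule", new MyCallbackHandler());
lc.login();
// Subject returned by this LoginContext after login()
log.debug( lc.getSubject() );
// Remote user as reported by the servlet request
log.debug( req.getRemoteUser() );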
LoginModule login() and commit() work properly. It creates the correct Subject, but RemoteUser is null and all pages are redirected to the login page.
Question 3: How can I set the subject in the session to let the login module know about it?
The application should work under JBoss 4.0, SAS7/SAS8.

