Automatically logging in to JAAS without displaying the login / form page

I have a Java webapp that uses Spring MVC. The webapp runs on the JBoss AS 7.1 server, which uses a JAAS login module with an authentication form. Logging in works smoothly when the user fills in his username and password on the form.

Now I would like to create a Java controller that "logs in the user" as if the user had filled out the login form.

    public void logInProgrammatically(String username, String password) {
        //???
    }

When the above method has been called, any access to any secure page should be allowed, since the user is considered registered.

Can this be programmed by contacting the JBoss implementation of the LoginModule and setting some property?

+6
3 answers

You can use the standard JAAS classes for programmatic authentication. Suppose we use our own implementation of LoginModule (or any standard implementation), com.sample.CustomLoginModule. This login module is configured in the JBoss XML configuration.

Step 1: Define the security domain in JBoss. For other servers, the same information can be configured in the JAAS configuration.

    <security-domain name="customlogin" cache-type="default">
        <authentication>
            <login-module code="com.sample.CustomLoginModule" flag="required">
            </login-module>
        </authentication>
    </security-domain>

Step 2: Use the user login module for logical login.

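    import javax.security.auth.callback.*;
    import javax.security.auth.login.*;

    public void logInProgrammatically(String username, String password) throws LoginException {
        // Handler that passes the username and password arguments to the login module.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(username);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        // "customlogin" is the security domain name defined in step 1.
        LoginContext ctx = new LoginContext("customlogin", handler);
        ctx.login();
    }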

With this solution, you are not tied to specific application APIs. This code is portable to any application server with JAAS configuration changes.

For programmatic authentication using JAAS, see the Oracle manual: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html

+1

I believe this is what you need: User authentication programmatically. It is part of Servlet API 3.0, not the JBoss login module.

+1
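The Servlet 3.0 call referred to in the answer above is `HttpServletRequest.login(username, password)`. The following Spring MVC controller is an added example, not code from the answer or from JBoss; the class name, URL mapping and redirect targets are assumptions. It also replaces the pre-login session, so the session ID in use before authentication is not carried over.

```java
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

// Added example: class name, URL mapping and redirect targets are assumptions.
@Controller
public class ProgrammaticLoginController {

    @RequestMapping(value = "/auto-login", method = RequestMethod.POST)
    public String autoLogin(@RequestParam("username") String username,
                            @RequestParam("password") String password,
                            HttpServletRequest request) {
        return logInProgrammatically(request, username, password)
                ? "redirect:/secure/home"
                : "redirect:/login?error";
    }

    /** Returns true if the container now treats the request's user as authenticated. */
    boolean logInProgrammatically(HttpServletRequest request, String username, String password) {
        // login() throws if a caller identity is already established on this request.
        if (request.getUserPrincipal() != null) {
            return username.equals(request.getRemoteUser());
        }
        // Discard any pre-login session so its ID is not carried over into the
        // authenticated session (session fixation); Servlet 3.0 has no changeSessionId().
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        // Assumption: the container caches the principal in a session that exists at login time.
        HttpSession fresh = request.getSession(true);
        try {
            // Validates against the realm / security domain configured for the webapp.
            request.login(username, password);
            return true;
        } catch (ServletException e) {
            fresh.invalidate(); // failed login leaves no session behind
            return false;
        }
    }
}
```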

JBoss's WebAuthentication offers almost the desired functionality. The idea is that you can create your own servlet or user class, for example the one presented here, which can call it directly with the specified user and password.

I.e., in logInProgrammatically you may have something similar to what was implemented in the LoginHandler presented here:

    import org.jboss.web.tomcat.security.login.WebAuthentication;

    public void logInProgrammatically(String username, String password) {
        // ...
        WebAuthentication webA = new WebAuthentication();
        webA.login(username, password);
        // ...
    }

0