Single Sign On with JBoss / Tomcat / JAAS / Struts

yoz

Hi all,

I just want to clarify something. I am trying to propagate the credentials
from a JAAS logon with JBoss. It all works: I get the "login box" and the
LoginModule goes and checks the user/password in the database. My problem is
the following: if I sign on on "/client" and I go back to the root of my
website ("/") I lose the credentials, but I do get them back when I go
back to "/client".

To put it another way, the "request.isUserInRole(String)" method returns "true"
when I am under the "/client" branch but false if I am in the "/" branch. I
tried to find out the difference; it looks like the request has an attribute
of type javax.security.auth.Subject named "j_subject" under "/client" but
not under "/". So I tried to hack it and make sure my request has got the
"j_subject" attribute, but it didn't work.

The only solution I have found is to get a Subject through JAAS myself and
store it in the session. In order to hack the "isUserInRole(String)" method
to look at the session "Subject", I created a request wrapper which
essentially calls back the original JBoss/Coyote request and overrides the
isUserInRole(String) method.

Is that the way to go or is there another way?

Regards

Yoz
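The request-wrapper workaround Yoz describes, written out as an added Java example (not code from this thread or from JBoss): a servlet Filter that looks for a javax.security.auth.Subject the application itself stored in the session after its own LoginContext login, and wraps the request so isUserInRole() is answered from that Subject. The session attribute name "app.subject" is assumed, as is the JBoss convention that a LoginModule places roles in a Group principal named "Roles"; the java.security.acl.Group API is the one of that Tomcat/JBoss era and is gone from current JDKs.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;

/** Makes isUserInRole() consult a Subject kept in the HTTP session. */
public class SessionSubjectFilter implements Filter {
    // Assumed attribute name; only the application's login code sets it,
    // after a successful LoginContext.login(), never from client input.
    static final String SUBJECT_KEY = "app.subject";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        Subject subject = (session == null) ? null : (Subject) session.getAttribute(SUBJECT_KEY);
        // Leave the request alone when the container already authenticated it
        // (e.g. under /client) or when there is no stored Subject to propagate.
        if (subject == null || http.getUserPrincipal() != null) {
            chain.doFilter(req, res);
            return;
        }
        chain.doFilter(new SubjectRequest(http, subject), res);
    }

    /** Delegates everything to the original request except the role check. */
    static class SubjectRequest extends HttpServletRequestWrapper {
        private final Subject subject;

        SubjectRequest(HttpServletRequest original, Subject subject) {
            super(original);
            this.subject = subject;
        }

        @Override
        public boolean isUserInRole(String role) {
            // Assumed JBoss layout: roles are members of a Group principal named "Roles".
            for (Principal p : subject.getPrincipals()) {
                if (p instanceof Group && "Roles".equals(p.getName())) {
                    Enumeration<? extends Principal> members = ((Group) p).members();
                    while (members.hasMoreElements()) {
                        if (role.equals(members.nextElement().getName())) return true;
                    }
                }
            }
            return false;
        }
    }
}
```

Map the filter to "/*" in web.xml; it only takes effect on requests the container did not authenticate itself, so the SingleSignOn valve mentioned later in the thread remains the cleaner fix.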
 
yoz

Don't answer all at the same time, you never know the news server might
crash down.... :))
 
Andy Fish

I'm not much of a JAAS expert, so please excuse me if I'm barking up
completely the wrong tree.

I would guess that maybe your browser is not returning the cookie for the
root URL, so Tomcat is not even picking up your existing session. It would
be simple to find out if this is happening, because an object you put into
the session under /client would not be accessible from '/'.

Andy
 
X_AWemner_X

> I just want to clarify something. I am trying to propagate the credentials
> from a JAAS logon with JBoss. It all works: I get the "login box" and the
> LoginModule goes and checks the user/password in the database. My problem is
> the following: if I sign on on "/client" and I go back to the root of my
> website ("/") I lose the credentials, but I do get them back when I go
> back to "/client".

Don't know about JBoss, but Tomcat has a feature for single sign-on across
webapp contexts within a JVM. You must enable the "single sign-on valve" in the
server.xml file. This applies to Tomcat-controlled user login, so I don't know
how it interacts with the JBoss server.
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="0"/>
-->
 
yoz

As far as I know, the only cookie passed is the session cookie. I think
(well, that is my theory from looking at the JBoss source code) that it keeps the
path / credential internally in a HashMap.