Hi,
I've been playing around with JAAS and Tomcat 5.5 for a little while and got a simple login mechanism working using Tomcat JAASRealm and my own implementation of LoginModule together with protected resources specified in web.xml. I'm now trying a slightly different approach where I have created a servlet that will create a LoginContext and call the login() method of the JAAS module. In my servlet I do something like this:
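    // needs javax.security.auth.login.LoginContext and LoginException
    LoginContext lc = null;
    try {
        // "TomcatTimedLogin" is the entry name looked up in the JAAS login configuration
        lc = new LoginContext("TomcatTimedLogin", new MyCallBackHandler(user, pass));
        lc.login(); // throws LoginException when authentication fails
    } catch (LoginException e) {
        // do not swallow the failure: a failed login must not be treated as success
        throw new ServletException("JAAS login failed", e);
    }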
My question is, does this approach totally bypass Tomcat's container-based security mechanism? For example, once successfully authenticated (login() returns the correct Subject) I can no longer access my web pages that are protected (configured in web.xml). Also, calling getRemoteUser() returns null. How can I make sure Tomcat knows when a successful authentication has been done?
Does this mean that if I want to take this approach I can't make use of protected resources in web.xml?
Thanks
E