From: Dawes, Rogan (ZA - Johannesburg) (rdawesdeloitte.co.za)
Date: Wed Jan 09 2002 - 01:29:49 CST

    Hi folks,

    I am trying to find out whether it is possible to use Java Authentication
    and Authorization Services (JAAS) when securing a web application.

    From what I have been able to find out, one needs to implement a
    CallbackHandler to communicate with the user to request authentication
    credentials. I have seen the standard Sun handlers TextCallbackHandler and
    DialogCallbackHandler, but there seems to be a fairly fundamental difference
    between doing that in a compiled app and in a "disconnected", stateless web
    interface, in that the callback can prompt for the information and return
    when it has got it, but it seems to me that in a web app it will return
    without having acquired it, unless it can wait for a specific POST back to a
    servlet somehow. (This is leading me to think of playing games with
    suspending threads and resuming them once the POST has happened, but that
    seems like a recipe for disaster!)

    The only other possibility I see is to acquire the credentials prior to
    calling lc.login(), and insert them into the blank Subject created
    within the login object. That way JAAS already has sufficient credentials to
    perform authentication, and does not need to execute the callback.

    The other problem I ran into was maintaining the LoginContext object
    between requests. I understand that the LoginContext is not serializable,
    and thus cannot simply be attached to the session.

    Has anyone implemented JAAS for authenticating a web application? How did
    you do it?

    Thanks

    Rogan

    --
    In God we Trust -- all others must submit an X.509 certificate.
         -- Charles Forsythe <forsythealum.mit.edu>
    --
    Deloitte & Touche Information Security Services
    Tel: +27(11)806-6216     Fax: +27(11)806-5202     Cell: +27(82)784-9498
    --
    NOTE:  This e-mail message and its attachments are subject to the
           disclaimers as published at:
           http://www.deloitte.co.za/disc.htm#emaildisc
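The pattern the post is circling around, written out as an added example (this is not code from the poster or from any JAAS vendor): the servlet reads the username and password from the POST first, then hands them to a CallbackHandler that already holds them, so `login()` answers every NameCallback/PasswordCallback immediately and never has to block on a user. The LoginModule, the in-memory user table, the principal class and the `"WebApp"` configuration name are all constructed for the demo; the `Map` standing in for `HttpSession` is likewise a stand-in. Only the authenticated `Subject` (which is serializable when its principals are) is kept between requests, not the LoginContext.

```java
import java.io.Serializable;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class WebJaasLogin {

    // Answers JAAS callbacks from credentials the servlet already read from the POST,
    // so login() never has to wait for a user. Anything it cannot answer is an error.
    static final class PreCollectedCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        PreCollectedCallbackHandler(String user, char[] password) { this.user = user; this.password = password; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb, "no interactive user in a web request");
            }
        }
    }

    // Serializable principal, so the authenticated Subject can be stored in an HttpSession.
    static final class UserPrincipal implements Principal, Serializable {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "UserPrincipal(" + name + ")"; }
    }

    // Hypothetical LoginModule checking a constructed in-memory table (demo only, not a real credential store).
    public static final class DemoLoginModule implements LoginModule {
        private static final Map<String, char[]> USERS = Collections.singletonMap("rogan", "s3cret".toCharArray());
        private Subject subject;
        private CallbackHandler handler;
        private String authenticated;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException("cannot obtain credentials: " + e.getMessage()); }
            char[] expected = USERS.get(nc.getName());
            char[] given = pc.getPassword();   // returns a copy; wipe both the callback and the copy below
            pc.clearPassword();
            boolean ok = expected != null && given != null && constantTimeEquals(expected, given);
            if (given != null) Arrays.fill(given, '\0');
            if (!ok) throw new FailedLoginException("bad username or password");
            authenticated = nc.getName();
            return true;
        }
        public boolean commit() { subject.getPrincipals().add(new UserPrincipal(authenticated)); return true; }
        public boolean abort() { authenticated = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    // Compares without leaking the position of the first mismatch through timing.
    static boolean constantTimeEquals(char[] a, char[] b) {
        int diff = a.length ^ b.length;
        for (int i = 0; i < Math.min(a.length, b.length); i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Programmatic Configuration so the demo needs no jaas.conf file; "WebApp" is an assumed entry name.
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
        }
    };

    // What a login servlet does on POST: authenticate, return only the Subject, wipe the password.
    static Subject authenticate(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("WebApp", new Subject(), new PreCollectedCallbackHandler(user, password), CONFIG);
        try { lc.login(); return lc.getSubject(); }
        finally { Arrays.fill(password, '\0'); }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> session = new HashMap<>();                      // stands in for HttpSession
        Subject subject = authenticate("rogan", "s3cret".toCharArray());    // constructed POST parameters
        session.put("jaas.subject", subject);                               // keep the Subject, not the LoginContext
        System.out.println("authenticated: " + subject.getPrincipals());
        try { authenticate("rogan", "wrong".toCharArray()); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Design notes: the password travels as a `char[]` and is wiped as soon as `login()` returns, and nothing sensitive is placed in the Subject's private credential set, so the object left in the session carries only the principals needed for later authorization checks. Since a LoginContext is cheap to construct, logout can simply build a fresh one around the stored Subject and call `logout()` on it rather than trying to keep the original context alive across requests.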