From: John Avery (djtraxx1975 yahoo.com)
Date: Wed Jan 09 2002 - 15:10:26 CST
> --- "Dawes, Rogan (ZA - Johannesburg)" <rdawes deloitte.co.za> wrote:
> > I have seen the standard Sun handlers TextCallbackHandler and
> > DialogCallbackHandler, but there seems to be a fairly fundamental difference
> > between doing that in a compiled app, and a "disconnected" stateless WEB
> > interface, in that the callback can prompt for the information, and return
> > when it has got it, but it seems to me that in a web app it will return
> > without having acquired it, unless it can wait for a specific POST back to a
> > servlet somehow.
>
I'll describe where JAAS fits into the
web app model, but please note that some
of this should be automatically handled
by your Servlet container.

The Servlet engine (or your MVC servlet controller)
receives a request for a protected resource.
It then checks for the existence of an
"authenticated" token in the HttpSession.
If that token doesn't exist then it forwards
the user to the login page.

The user fills in the form, and the login
servlet receives the username and password,
at which point the JAAS Login Module is called
with two callback objects: one that returns
the username and one that returns the password.

The JAAS Module checks to see if the credentials
are valid; if not, it throws an authentication
exception.

Once control is returned to the Login Servlet,
the Login Servlet would add the authenticated
"Subject" to the HttpSession and, if necessary,
an authentication "token".

So, JAAS is really only called ONCE, not
for every web request, and it's called
by the "logical" Login Servlet AFTER the
user submits their login information.
JAAS is not used to check for whether the
user is authenticated already or not.
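
The login-servlet flow described in the reply above, as an added example that is not part of the original message: the callback handler never prompts, it only hands the JAAS module the values the servlet already read from the POST. The JAAS configuration entry name `WebApp`, the form field names, the `subject` session attribute, the `/login.jsp` path and the `javax.servlet` API are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.*;

public class LoginServlet extends HttpServlet {
    // Answers JAAS callbacks from values already taken from the POST; never prompts.
    static final class FormCallbackHandler implements CallbackHandler {
        private final String username;
        private final char[] password;
        FormCallbackHandler(String u, char[] p) { username = u; password = p; }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(username);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb); // nothing else can be answered without a prompt
            }
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("username"); // assumed form field names
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        char[] pw = pass.toCharArray();
        try {
            // "WebApp" is an assumed entry name in the JAAS login configuration file.
            LoginContext lc = new LoginContext("WebApp", new FormCallbackHandler(user, pw));
            lc.login(); // throws LoginException if the module rejects the credentials
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate(); // issue a fresh session ID after login
            req.getSession(true).setAttribute("subject", lc.getSubject());
        } catch (LoginException e) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp?error=1");
            return;
        } finally {
            Arrays.fill(pw, '\0'); // PasswordCallback stored its own copy; wipe ours
        }
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

Later requests only check the session for the `subject` attribute; `LoginContext.login()` is not called again until the next login form submission.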