geronimo-user mailing list archives

From David Jencks <>
Subject Re: How to use JACC with JAAS in Geronimo
Date Tue, 08 Jul 2008 16:06:11 GMT

On Jul 8, 2008, at 4:20 AM, rbaumhof wrote:

> Hello,
> I have problems to notify the ejb container about my authentication.
> Because of some special application requirements I can not use the
> standard servlet authentication with j_security_check.

It's not really relevant, but I'd like to know why you can't use  
normal form authentication.

> Therefore I perform login by myself using jaas with a geronimo sql
> security realm. This works fine. However after the login
> SessionContext.getCallerPrincipal().getName() returns "Unauthenticated".

If your app does the authentication rather than relying on a built-in  
authentication method you will need to hook into the geronimo security  
mechanism the same way the built-in authentication methods do.  The  
best way to do this would be by writing your own jaspi  
ServerAuthModule, but jaspi support is not implemented yet (I'm  
working on it in trunk).

Assuming that your authentication system will be storing the Subject  
from the security realm login in the http session, you need a filter  
that does something like this:

Subject subject = getSubjectFromSession(request);

This will not enable any container managed web security since by the  
time you get to a filter the security checks will already have been  
performed, but you should be able to use this with container managed  
ejb security. Note also that run-as roles in servlets won't work in  
any servlet that this filter applies to.

Assuming this works (I've never tried it) we should consider supplying  
this filter with geronimo, perhaps as a plugin.

> The try to use
> (hint  
> of
> David Jencks, see
> returns null. Because I use my own filter servlet to watch the web
> sites, I don't use any declarative role mapping in web.xml. I had to
> remove this because tomcat was not notified about the login.
> My question is "what do I have to do to make
> SessionContext.getCallerPrincipal().getName() work?" It should not
> return "Unauthenticated".

Unless you use container managed authentication, it actually should  
return "unauthenticated".  However by hooking into the container  
managed security system as suggested above you may be able to do what  
you want.

Please let us know if this works.

david jencks

> much thanks in advance
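A filter of the kind David sketches above, written here as an added example (it is neither David's code nor part of Geronimo). It assumes the Geronimo 2.x org.apache.geronimo.security.ContextManager API, specifically setCallers(Subject, Subject) returning a Callers object and popCallers(Callers), and it assumes the application's login code stored the JAAS Subject in the HttpSession under the attribute name example.security.subject; the package, class and attribute names are hypothetical.

```java
package example.security; // hypothetical package

import java.io.IOException;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.geronimo.security.Callers;
import org.apache.geronimo.security.ContextManager;

/**
 * Installs the Subject kept in the HTTP session as the Geronimo caller for
 * the duration of one request, so EJBs invoked from that request see it
 * through SessionContext.getCallerPrincipal() instead of "Unauthenticated".
 */
public class SessionSubjectFilter implements Filter {

    /** Session attribute the login code uses for its Subject (assumed name). */
    public static final String SUBJECT_ATTR = "example.security.subject";

    public void init(FilterConfig filterConfig) { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        Subject subject = getSubjectFromSession(request);
        if (subject == null) {
            // Nobody logged in on this session: leave the container's default
            // (unauthenticated) caller untouched.
            chain.doFilter(request, response);
            return;
        }
        // Assumed Geronimo API: setCallers makes the Subject the current and
        // next caller on this thread and returns what was there before.
        Callers previous = ContextManager.setCallers(subject, subject);
        try {
            chain.doFilter(request, response);
        } finally {
            // The worker thread is pooled and will serve other users next, so
            // the caller must be restored on every exit path, exceptions included.
            ContextManager.popCallers(previous);
        }
    }

    /** Reads the Subject from an existing session; never creates one as a side effect. */
    static Subject getSubjectFromSession(ServletRequest request) {
        if (!(request instanceof HttpServletRequest)) {
            return null;
        }
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        if (session == null) {
            return null;
        }
        Object value = session.getAttribute(SUBJECT_ATTR);
        return value instanceof Subject ? (Subject) value : null;
    }
}
```

Map the filter in web.xml to every URL pattern whose servlets call EJBs. Two points a practitioner should check under these assumptions: the Subject must be one Geronimo knows about (for example the Subject returned by ContextManager.login against the realm rather than a Subject from a bare LoginContext), otherwise the EJB container cannot map it to a principal; and the logout path must both remove the session attribute and invalidate the session, since with this approach the Subject is exactly as trustworthy as the session cookie that selects it. As David notes, this does nothing for declarative web constraints or servlet run-as roles, which the container has already evaluated before the filter runs.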
