geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: too many LoginModule requests ?
Date Fri, 05 Sep 2008 19:03:45 GMT

On Sep 5, 2008, at 9:30 AM, Marco Laponder wrote:

> Thanks for your quick response David !
>
> I am using BASIC auth so it is probably what you expect. Is there any
> recommendation you could make to prevent it ? Or should I remember it as
> an http session variable ? I really don't want to do the complete
> validation on each request (especially because I am doing a lot of
> requests with AJAX)

BASIC really requires authentication on every request.  I think you  
might be able to write a "caching login module" that wraps your  
existing login module and puts the principals (and credentials if any)  
from your existing login module into a cache and if they exist and  
haven't expired puts them into the Subject supplied for each login.   
Hope this makes some sense :-)

thanks
david jencks

>
>
> Kind regards,
> Marco Laponder
>
> -----Original Message-----
> From: David Jencks [mailto:david_jencks@yahoo.com]
> Sent: Friday, 5 September 2008 15:23
> To: user@geronimo.apache.org
> Subject: Re: too many LoginModule requests ?
>
>
> On Sep 5, 2008, at 9:00 AM, Marco Laponder wrote:
>
>> Hi All,
>>
>> I have created a custom login module for the user authentication, which
>> works ok (I can login as expected). I was surprised by the number of
>> calls to the login module. Even if I successfully logged in on a
>> previous request, a next request on the same context did again call my
>> login module. Is this expected behaviour ? I would like to just login
>> once instead of on each request. Am I doing something wrong in my custom
>> module or is this behaviour as expected ?
>
> BASIC, DIGEST and client cert auth will authenticate on every
> request.  FORM auth ought to only authenticate once and cache the
> result in the session.  If you are using FORM auth, only see the login
> page once, and still see logins for every request..... I'd like to
> know about it and if possible see a stack trace.  (At the moment my
> experimental jetty7-jaspi branch does login on every request, even
> with FORM auth, but I didn't think the published versions did).
>
> thanks
> david jencks
>>
>>
>> Kind regards,
>> Marco Laponder
>>
>> -----Original Message-----
>> From: David Jencks [mailto:david_jencks@yahoo.com]
>> Sent: Wednesday, 3 September 2008 19:07
>> To: user@geronimo.apache.org
>> Subject: Re: retrieve custom principal from custom loginmodule in servlet
>>
>>
>> On Sep 3, 2008, at 1:28 AM, Marco Laponder wrote:
>>
>>> Hi Everyone,
>>>
>>> I am trying to build a custom login module where custom principals are
>>> added to the subject. The login works as expected and on the commit I
>>> add my specific principal object to the subject.
>>>
>>> So far so good, but now I need to retrieve this object in my servlet and
>>> I was expecting to be able to retrieve it by
>>> httpRequest.getUserPrincipal() but the principal returned is not an
>>> instance of my custom principal. Can anyone give any tips how to find
>>> out what I am doing incorrectly or is this situation not possible at
>>> all ?
>>
>> You don't say if your login configuration includes any other login
>> modules.  Assuming that it does not....
>>
>> The specs don't describe how to pick the "UserPrincipal" from the
>> possibly numerous principals in a logged-in Subject.  Geronimo uses
>> this code snippet:
>>
>>        Set<? extends Principal> principals = subject.getPrincipals(GeronimoCallerPrincipal.class);
>>        if (!principals.isEmpty()) {
>>            context.principal = principals.iterator().next();
>>        } else if (!(principals = subject.getPrincipals(PrimaryRealmPrincipal.class)).isEmpty()) {
>>            context.principal = principals.iterator().next();
>>        } else if (!(principals = subject.getPrincipals(RealmPrincipal.class)).isEmpty()) {
>>            context.principal = principals.iterator().next();
>>        } else if (!(principals = subject.getPrincipals()).isEmpty()) {
>>            context.principal = principals.iterator().next();
>>        }
>>
>> So, the most reliable way to get your special principal returned as
>> the UserPrincipal is to have it implement the marker interface
>> GeronimoCallerPrincipal, and assure it is the only principal that
>> implements that interface.
>>
>> Hope this helps
>> david jencks
>>
>>>
>>> Kind regards,
>>> Marco Laponder
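The "caching login module" David sketches above, written out as an added example; this is not Geronimo code and not from the thread. It assumes the wrapped module is the only one in the login configuration, and the option names "delegate" and "ttlMillis" are hypothetical. The point to notice is that a cache hit must still check the presented password against the cached verifier (constant-time), otherwise any password would be accepted for a user who logged in recently.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical wrapper; options "delegate" (class name of the real module) and "ttlMillis" are assumed names.
public class CachingLoginModule implements LoginModule {
    private static final class Entry { Set<Principal> principals; byte[] pwHash; long expires; }
    // Static because JAAS creates a fresh module instance for every login(); entries live in memory only.
    private static final Map<String, Entry> CACHE = Collections.synchronizedMap(new HashMap<>());
    private Subject subject; private CallbackHandler handler; private Map<String, ?> options;
    private LoginModule delegate; private String user; private byte[] pwHash; private Entry hit;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h; options = opts;
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user"); PasswordCallback pc = new PasswordCallback("pw", false);
        try { handler.handle(new Callback[]{nc, pc}); } catch (Exception e) { throw new LoginException(e.toString()); }
        user = nc.getName(); char[] pw = pc.getPassword();
        if (user == null || pw == null) throw new FailedLoginException("missing credentials");
        pwHash = sha256(pw); pc.clearPassword();
        Entry e = CACHE.get(user);
        // Hit only if unexpired AND the presented password matches; keying on the name alone would be a bypass.
        if (e != null && e.expires > System.currentTimeMillis() && MessageDigest.isEqual(e.pwHash, pwHash)) {
            hit = e; return true;
        }
        try { delegate = (LoginModule) Class.forName((String) options.get("delegate")).getDeclaredConstructor().newInstance(); }
        catch (Exception ex) { throw new LoginException("cannot load delegate: " + ex); }
        delegate.initialize(subject, handler, new HashMap<>(), options); // delegate asks the handler again
        return delegate.login();                                          // the real (expensive) check
    }
    public boolean commit() throws LoginException {
        if (hit != null) { subject.getPrincipals().addAll(hit.principals); return true; }
        if (!delegate.commit()) return false;
        Entry e = new Entry(); e.principals = new HashSet<>(subject.getPrincipals()); // assumes this is the only module
        e.pwHash = pwHash; e.expires = System.currentTimeMillis() + Long.parseLong((String) options.get("ttlMillis"));
        CACHE.put(user, e); return true;
    }
    public boolean abort() throws LoginException { return delegate == null || delegate.abort(); }
    public boolean logout() throws LoginException { CACHE.remove(user); return delegate == null || delegate.logout(); }
    private static byte[] sha256(char[] pw) throws LoginException {
        try { return MessageDigest.getInstance("SHA-256").digest(new String(pw).getBytes(StandardCharsets.UTF_8)); }
        catch (Exception e) { throw new LoginException(e.toString()); }
    }
}
```

With BASIC auth calling login() on every request, this turns the per-request cost into one delegate check per user per TTL, while a wrong password still falls through to the delegate and is rejected there.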

