geronimo-user mailing list archives

From "Marco Laponder" <>
Subject RE: too many LoginModule requests ?
Date Fri, 05 Sep 2008 13:30:10 GMT
Thanks for your quick response, David!

I am using BASIC auth so it is probably what you expect. Is there any
recommendation you could make to prevent it? Or should I remember it as an
HTTP session variable? I really don't want to do the complete validation
on each request (especially because I am doing a lot of requests with

Kind regards,
Marco Laponder

-----Original Message-----
From: David Jencks []
Sent: Friday, 5 September 2008 15:23
Subject: Re: too many LoginModule requests ?

On Sep 5, 2008, at 9:00 AM, Marco Laponder wrote:

> Hi All,
> I have created a custom login module for the user authentication, which
> works ok (I can login as expected). I was surprised by the number of
> calls to the login module. Even if I successfully logged in on a
> previous request, a next request on the same context did again call my
> login module. Is this expected behaviour ? I would like to just login
> once instead on each request. Am I doing something wrong in my custom
> module or is this behaviour as expected ?

BASIC, DIGEST and client cert auth will authenticate on every  
request.  FORM auth ought to only authenticate once and cache the  
result in the session.  If you are using FORM auth, only see the login  
page once, and still see logins for every request..... I'd like to  
know about it and if possible see a stack trace.  (At the moment my  
experimental jetty7-jaspi branch does login on every request, even  
with FORM auth, but I didn't think the published versions did).

david jencks
> Kind regards,
> Marco Laponder
> -----Original Message-----
> From: David Jencks []
> Sent: Wednesday, 3 September 2008 19:07
> To:
> Subject: Re: retrieve custom principal from custom loginmodule in servlet
> On Sep 3, 2008, at 1:28 AM, Marco Laponder wrote:
>> Hi Everyone,
>> I am trying to build a custom login module where custom principals are
>> added to the subject. The login works as expected and on the commit I
>> add my specific principal object to the subject.
>> So far so good, but now I need to retrieve this object in my servlet and
>> I was expecting to be able to retrieve it by
>> httpRequest.getUserPrincipal() but the principal returned is not an
>> instance of my custom principal. Can anyone give any tips on how to find
>> out what I am doing incorrectly, or is this situation not possible at
>> all?
> You don't say if your login configuration includes any other login
> modules.  Assuming that it does not....
> The specs don't describe how to pick the "UserPrincipal" from the
> possibly numerous principals in a logged-in Subject.  Geronimo uses
> this code snippet:
>         Set<? extends Principal> principals = subject.getPrincipals(GeronimoCallerPrincipal.class);
>         if (!principals.isEmpty()) {
>             context.principal = principals.iterator().next();
>         } else if (!(principals = subject.getPrincipals(PrimaryRealmPrincipal.class)).isEmpty()) {
>             context.principal = principals.iterator().next();
>         } else if (!(principals = subject.getPrincipals(RealmPrincipal.class)).isEmpty()) {
>             context.principal = principals.iterator().next();
>         } else if (!(principals = subject.getPrincipals()).isEmpty()) {
>             context.principal = principals.iterator().next();
>         }
> So, the most reliable way to get your special principal returned as
> the UserPrincipal is to have it implement the marker interface
> GeronimoCallerPrincipal, and assure it is the only principal that
> implements that interface.
> Hope this helps
> david jencks
>> Kind regards,
>> Marco Laponder
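
The selection order in the quoted Geronimo snippet, shown as an added example that is not part of the original thread or of Geronimo's code. The nested GeronimoCallerPrincipal interface is a local stand-in for Geronimo's marker interface so the example compiles without Geronimo on the classpath, the principal classes are constructed for illustration, and the PrimaryRealmPrincipal and RealmPrincipal tiers are omitted.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

public class CallerPrincipalDemo {
    // Local stand-in for Geronimo's marker interface (assumption for this example).
    interface GeronimoCallerPrincipal extends Principal {}

    // Principal another login module might add to the same Subject (constructed).
    record GroupPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Custom principal without the marker interface.
    record PlainUser(String name) implements Principal {
        public String getName() { return name; }
    }

    // Custom principal tagged with the marker interface.
    record MarkedUser(String name) implements GeronimoCallerPrincipal {
        public String getName() { return name; }
    }

    // First and last tiers of the quoted snippet: marker-tagged principals win,
    // otherwise whatever the Subject's principal set happens to yield first.
    static Principal pickUserPrincipal(Subject subject) {
        Set<? extends Principal> principals =
                subject.getPrincipals(GeronimoCallerPrincipal.class);
        if (!principals.isEmpty()) {
            return principals.iterator().next();
        }
        principals = subject.getPrincipals();
        return principals.isEmpty() ? null : principals.iterator().next();
    }

    public static void main(String[] args) {
        // No marker: the result is not guaranteed to be the custom principal.
        Subject unmarked = new Subject();
        unmarked.getPrincipals().add(new GroupPrincipal("staff"));
        unmarked.getPrincipals().add(new PlainUser("marco"));
        System.out.println("unmarked -> " + pickUserPrincipal(unmarked));

        // Marker present on exactly one principal: that principal is selected.
        Subject marked = new Subject();
        marked.getPrincipals().add(new GroupPrincipal("staff"));
        marked.getPrincipals().add(new MarkedUser("marco"));
        Principal p = pickUserPrincipal(marked);
        // A servlet should check the type before casting getUserPrincipal().
        System.out.println("marked -> " + p + ", custom=" + (p instanceof MarkedUser));
    }
}
```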
