Authenticating a user from a servlet


Authenticating a user from a servlet

temp-7
I am very new to servlets and Jetty, so please pardon my ignorance.

I am trying to implement a servlet which is a single point of entry for
a special app that accesses our system. The servlet checks a few things
and if all is fine authenticates a predefined user (created just for
this external app), creates a session and redirects the user to other
pages.

Now, I have most of the stuff working, except for the authentication.
So, my question is how can I programmatically authenticate a user
(providing user/pass from the servlet) and associate a session with this
user?

I can see that I could call authenticate() from the UserRealm interface,
but I'm having a problem how to get this object in my HttpServlet
implementation.

I'm using Jetty within JBoss.

Many thanks for your help!


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Jetty-support mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/jetty-support

Re: Authenticating a user from a servlet

Greg Wilkins-5

Unfortunately there is no support in the servlet spec for programmatically
authenticating a user.

But if you use form authentication, Jetty does support a dispatch to
j_security_check in order to fudge this.

regards



Re: Re: Authenticating a user from a servlet

temp-7
Thanks for pointing me in the right direction.

However, I can't seem to make this work. The request is first handled by
a filter which wraps the request into one with j_username and j_password
added as parameters and "j_security_check" added into the URL. This
modified request is then being processed by the servlet, but when a
jSecurityCheck is performed, Jetty ignores the added parameters. I can
see that Jetty is performing this check based on
org.mortbay.http.HttpRequest which seems to be formed before the changes
are made to the javax.servlet.http.HttpServletRequest wrapper in the
filter. So, even though I'm inserting the security check data, Jetty
ignores it and I'm presented with the login screen.

Is there any way around this?

Many thanks


On Wed, 22 Jun 2005 16:49:19 +0200, "Greg Wilkins" <[hidden email]>
said:

>
> Unfortunately there is no support in the servlet spec for programmatically
> authenticating a user.
>
> But if you use form authentication, Jetty does support a dispatch to
> j_security_check in order to fudge this.
>
> regards

RE: Re: Authenticating a user from a servlet

Tony Seebregts
Hi Jacque,

Not sure if this will help, but I had to do much the same kind of thing and
ended up slightly modifying the Jetty JAAS LoginModule to create and
initialise a security Principal with the information I needed.
 
The servlet could retrieve the Principal from the request using:

 System.out.println("USER     : " + request.getRemoteUser());
 System.out.println("PRINCIPAL: " + request.getUserPrincipal());
       
 MyPrincipal principal = (MyPrincipal) request.getUserPrincipal();

With Greg's new patch for Expect-Continue (yay!) you could then return 'not
authenticated' from the servlet - though *really* you should be doing that
in the LoginModule, since that's what it's there for.

Regards

Tony
       
       

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of
[hidden email]
Sent: 27 June 2005 15:48
To: [hidden email]
Subject: Re: [Jetty-support] Re: Authenticating a user from a servlet

Thanks for pointing me in the right direction.

However, I can't seem to make this work. The request is first handled by
a filter which wraps the request into one with j_username and j_password
added as parameters and "j_security_check" added into the URL. This
modified request is then being processed by the servlet, but when a
jSecurityCheck is performed, Jetty ignores the added parameters. I can
see that Jetty is performing this check based on
org.mortbay.http.HttpRequest which seems to be formed before the changes
are made to the javax.servlet.http.HttpServletRequest wrapper in the
filter. So, even though I'm inserting the security check data, Jetty
ignores it and I'm presented with the login screen.

Is there any way around this?

Many thanks



Re: Re: Authenticating a user from a servlet

Anthony Cook-2
In reply to this post by temp-7

Greetings,

Note that 'j_security_check' is not for "programmatic authentication",
but is the specified 'action' by which the FORM method of /declarative
authentication/ is invoked.  Using a filter to intercept the parameters
is superfluous to the container's specified behavior, and is an effort
to mix "programmatic" and "declarative" authentication methods though
these are mutually exclusive.

The first question that must be asked is what exactly do you mean by
"programmatically authenticate a user"?  If you mean against a resource
which Jetty does not natively support, then I suggest a filter is not
what you really want but rather to implement a JAAS login module for
your resource and plug it in to your application's declarative
authentication mechanism.  Jetty's JDBCLoginModule provides an example
of this.

However, from your application description it sounds like what you're
really after is a "user login tracker", rather than a method of
"programmatic authentication".  For that, a filter or listener may be
used but is a topic outside the scope of this forum as it goes to
application design and servlet programming issues.  For these things you
are referred to the developer forums on Sun's Java site.  The following
thread should help you get started:
http://forum.java.sun.com/thread.jspa?forumID=33&threadID=413062

Regards,

Anthony



Re: Re: Authenticating a user from a servlet

Anthony Cook-2
In reply to this post by Tony Seebregts

Tony Seebregts wrote:
| With Greg's new patch for Expect-Continue (yay!) you could then return 'not
| authenticated' from the servlet - though *really* you should be doing that
|

You could do that before the patch as well (which, incidentally, is not
the issue that patch is supposed to "fix"), though whether the servlet
/could/ do that raises issues with the application's deployment.  If the
servlet should not execute without the user being authenticated but
/does/, then the security constraints in web.xml are not properly defined.

Once the user /is/ properly authenticated then the user Principal is
made available by the container.  After that point, any issues of
"programmatic security" are about /authorization/ (permission to do
something within the application), anyway, and not about
'authentication' (permission to access the application, at all).

| Regards
|
| Tony

Regards,

Anthony
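
The split described in the last message (the container authenticates through the web.xml constraint, the servlet only authorizes) written out as a servlet. This is an added example, not code from the thread or from Jetty; the class name, the role name "external-app", the session attribute and the redirect target are hypothetical, and it assumes web.xml declares a FORM login-config, a security-constraint covering this servlet's URL and a matching security-role.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Entry point for the external application (hypothetical class name).
 * Assumes web.xml protects this servlet's URL with a security-constraint and
 * a FORM login-config, so the container has already handled j_security_check.
 */
public class EntryPointServlet extends HttpServlet {

    // Hypothetical role granted to the predefined external-app user.
    private static final String REQUIRED_ROLE = "external-app";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Authentication is the container's job. A null principal here means
        // the security-constraint does not cover this URL: fail closed and
        // log it instead of trying to log the user in from servlet code.
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            log("Unauthenticated request reached servlet " + getServletName()
                    + "; check the security-constraint url-pattern in web.xml");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Authorization is the application's job: may this authenticated
        // user pass through the entry point?
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            log("User " + principal.getName() + " lacks role " + REQUIRED_ROLE);
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Record who entered, then hand over to the rest of the application.
        HttpSession session = request.getSession(true);
        session.setAttribute("entryUser", principal.getName()); // hypothetical attribute
        response.sendRedirect(response.encodeRedirectURL(
                request.getContextPath() + "/app/home")); // hypothetical target
    }
}
```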