From: Alister P. <gsp...@gm...> - 2014-10-08 03:07:16
Hi, I’m trying to use the JAASLoginService to handle Authentication for RestXQ. I have a partial solution which used the default web.xml configuration of login-config but would like to make it work correctly using a security-constraint.

(web.xml)

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Pekoe Job Manager</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>Let only registered users use this app</description>
        <role-name>user</role-name>
      </auth-constraint>
    </security-constraint>
    <security-role>
      <role-name>user</role-name>
    </security-role>
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>JAASLoginService</realm-name>
      <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/login</form-error-page>
      </form-login-config>
    </login-config>

This has the desired effect - except for the ROLE...

    GET /exist/restxq/pekoe/user/1 -> 302 Location http://localhost:8080/exist/login
    POST /exist/j_security_check (with j_username and j_password) -> 302 Location: http://localhost:8080/exist/restxq/pekoe/user/1
    GET /exist/restxq/pekoe/user/1 -> 403 !role

I don’t know whether there are any roles set up - can’t find a @DeclareRole annotation or anything similar. Closest I can get to it is Dmitriy’s HttpAccount class which uses the JAASUserPrincipal. According to these docs: https://wiki.eclipse.org/Jetty/Tutorial/JAAS#Fine_Tuning_the_JAASLoginService a temporary role could be assigned here. Are there roles defined anywhere?

I think this could be a very tidy way of handling Authentication for RESTXQ apps. My partial solution (which doesn’t use a security-constraint) has the RestXQ function sending a 401 and the client then POSTs directly to j_security_check. The resulting Cookie contains the JSESSIONID for an authenticated user.

This is all happening with eXist behind Nginx using SSL.

Thanks,
Alister.
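The sequence in the post (302 to the login page, then 403 !role after a successful login) is the container applying the security-constraint in two steps: authentication first, then a role check against the principal. The following is an added example, not code from the post or from eXist or Jetty: a small simulation that parses the security-constraint from the web.xml above and evaluates a request against it. The principal's role set is an assumption standing in for whatever roles the JAAS login module attaches to the JAASUserPrincipal.

```python
"""Constructed simulation of servlet security-constraint evaluation.
Not eXist or Jetty code; the web.xml fragment is copied from the post."""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Pekoe Job Manager</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>user</role-name></auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config><form-login-page>/login</form-login-page></form-login-config>
</login-config>
</web-app>"""


def parse_constraints(xml_text):
    """Return ([(url_patterns, methods, required_roles), ...], form_login_page)."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.iter("security-constraint"):
        wrc = sc.find("web-resource-collection")
        patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
        methods = {m.text.strip() for m in wrc.findall("http-method")}
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        constraints.append((patterns, methods, roles))
    return constraints, root.findtext("login-config/form-login-config/form-login-page")


def path_matches(pattern, path):
    """Servlet-style matching: '/foo/*' is a prefix match, anything else exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def authorize(xml_text, method, path, principal):
    """principal is None (anonymous) or {"name": str, "roles": set}.
    Returns (status, detail): 302 to the form login page, 403 '!role', or 200."""
    constraints, login_page = parse_constraints(xml_text)
    for patterns, methods, roles in constraints:
        if methods and method not in methods:
            continue
        if not any(path_matches(p, path) for p in patterns):
            continue
        if principal is None:
            return 302, login_page  # not yet authenticated: FORM login redirect
        if roles and not (principal["roles"] & set(roles)):
            return 403, "!role"  # authenticated, but no required role on the principal
    return 200, "OK"
```

Running `authorize` with a principal whose role set is empty reproduces the 403 !role from the post; adding "user" to the set is what the login module would have to do for the constraint to pass.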