From: Noel B. <no...@x-...> - 2005-07-06 14:40:54
I am attempting to use the JAAS implementation provided with JettyPlus. Since this is my first attempt to use JAAS at all, my confusion is probably just a result of inexperience with this technology. So, apologies in advance for my ignorance.

I have successfully followed the instructions at http://jetty.mortbay.org/jetty/plus/index.html, and have integrated the example code with my own app, so that when I first start up the app and go to it in the browser, I am sent to the login form, and can be logged in or denied depending on whether I enter a valid username/password combo. But then the trouble starts.

First of all, it seems that after I have logged in once, even if I shut down the app and restart it, I am considered to be still "logged in". Unless I restart the browser, when I go to the app URL again, I am not prompted to log in. Maybe this is *not* a problem -- after all, if my app crashes and is automatically restarted, I don't want everyone to have to log in again. But this is connected with my second question.

I first wanted to check information about the logged-in user with HttpServletRequest.getRemoteUser() or .getUserPrincipal().getName(). When I do a first startup, first browser open, then these methods return the username of the logged-in user. However, after an app restart without browser restart, they return null values. So, I read around, and got the hint that these methods of HttpServletRequest should not be used -- that there are security problems with this approach. I am told that I should use the Subject, which, in many JAAS implementations, is stored in the HttpSession.

As far as I can see, though, the JettyPlus JAAS implementation does not put the Subject in the HttpSession. I tried to see where I could do this if I wanted to, and the most likely place I could find was JAASUserRealm, but I can't see how I would get access to the session from there. Since the authenticate() method is getting an HttpRequest (not HttpServletRequest) as a parameter, it doesn't have any access to the session. I see that, in Jetty's *Authenticator classes, the username and Principal are being stored in the HttpRequest. But I don't know how I can "legitimately" get at the HttpRequest from inside my servlet. (I am still confused about the relationship between Jetty's HttpRequest and the Servlet API's HttpServletRequest.)

So I am really at a loss. Is this a "left as an exercise to the reader" issue that I need to handle by implementing something using the provided JAAS code as a starting point? Or is there already a way for me to get at information about the logged-in user using the JettyPlus JAAS implementation? Would I be better off finding another JAAS implementation?

Thanks in advance for all hints and advice.

Noel
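The post above describes a symptom worth handling explicitly in application code: after a restart the browser still presents its old session, but HttpServletRequest.getUserPrincipal() and getRemoteUser() return null. The servlet filter below is an added example, written for this thread; it is not part of the original message, not JettyPlus code, and does not use any Jetty-specific class. It assumes only the standard javax.servlet API (Filter, HttpServletRequest, HttpSession) and a web.xml filter mapping covering the protected URLs; the session attribute name and the redirect target are constructed for the example. The point it demonstrates is to treat the container's own answer as authoritative and fail closed when it says nothing, rather than trusting a user name cached in the HttpSession that may have outlived the container's authentication state.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (example code, not JettyPlus) that guards servlets
 * relying on getUserPrincipal()/getRemoteUser().
 *
 * Rule: the container's verdict is the only evidence of identity. If it
 * reports no principal, the request is treated as unauthenticated even if
 * a session attribute from an earlier login is still present.
 */
public class AuthenticatedUserFilter implements Filter {

    /** Session attribute holding the container-verified user name (constructed name). */
    static final String USER_ATTR = "example.authenticatedUser";

    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure for this example.
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // The container does not vouch for this request. Do NOT fall back
            // to USER_ATTR: a cached name that survived the container's own
            // authentication state is not proof of identity. Drop the stale
            // session and send the client back through the security
            // constraint, which will present the login form again.
            HttpSession stale = request.getSession(false);
            if (stale != null) {
                stale.invalidate();
            }
            response.sendRedirect(request.getContextPath() + "/"); // assumed protected URL
            return;
        }

        HttpSession session = request.getSession(true);
        String cached = (String) session.getAttribute(USER_ATTR);
        if (cached != null && !cached.equals(principal.getName())) {
            // The session was established for a different identity (for
            // example a shared browser re-authenticated as another user).
            // Start a fresh session so nothing from the old identity leaks.
            session.invalidate();
            session = request.getSession(true);
        }

        // Cache for convenience only; downstream code should still read
        // request.getUserPrincipal() on every request it protects.
        session.setAttribute(USER_ATTR, principal.getName());
        chain.doFilter(request, response);
    }
}
```

Map the filter in web.xml to the same URL patterns as the security constraint. Servlets behind it can then call request.getUserPrincipal() knowing that a null has already been turned into a re-login, and any value they read from USER_ATTR has been checked against the container's principal on the current request.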