[jetty-discuss] two JAAS questions

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I am attempting to use the JAAS implementation provided with JettyPlus. 
  Since this is my first attempt to use JAAS at all, my confusion is 
probably just a result of inexperience with this technology.  So, 
apologies in advance for my ignorance.

I have successfully followed the instructions at 
http://jetty.mortbay.org/jetty/plus/index.html, and have integrated the 
example code with my own app, so that when I first start up the app and 
go to it in the browser, I am sent to the login form, and can be logged 
in or denied depending on whether I enter a valid username/password combo.

But then the trouble starts.  First of all, it seems that after I have 
logged in once, even if I shut down the app and restart it, I am 
considered to be still "logged in".  Unless I restart the browser, when 
I go to the app URL again, I am not prompted to log in.

Maybe this is *not* a problem -- after all, if my app crashes and is 
automatically restarted, I don't want everyone to have to log in again.

But this is connected with my second question.  I first wanted to check 
information about the logged-in user with 
HttpServletRequest.getRemoteUser() or .getUserPrincipal().getName(). 
When I do a first startup, first browser open, then these methods return 
the username of the logged-in user.  However, after an app restart 
without browser restart, they return null values.

So, I read around, and got the hint that these methods of 
HttpServletRequest should not be used -- that there are security 
problems with this approach.  I am told that I should use the Subject, 
which, in many JAAS implementations, is stored in the HttpSession.

As far as I can see, though, the JettyPlus JAAS implementation does not 
put the Subject in the HttpSession.  I tried to see where I could do 
this if I wanted to, and the most likely place I could find was 
JAASUserRealm, but I can't see how I would get access to the session 
from there.  Since the authenticate() method is getting a HttpRequest 
(not HttpServletRequest) as a parameter, it doesn't have any access to 
the session.

I see that, in Jetty's *Authenticator classes, the username and 
Principal are being stored in the HttpRequest.  But I don't know how I 
can "legitimately" get at the HttpRequest from inside my servlet.  (I am 
still confused about the relationship between Jetty's HttpRequest and 
the Servlet API's HttpServletRequest.)

So I am really at a loss.  Is this a "left as an exercise to the reader" 
issue that I need to handle by implementing something using the provided 
JAAS code as a starting point?  Or is there already a way for me to get 
at information about the logged-in user using the JettyPlus JAAS 
implementation?  Would I be better off finding another JAAS implementation?

Thanks in advance for all hints and advice.

Noel