[securityfilter-devel] Securityfilter + JBoss
From: Sverker A. <sv...@ab...> - 2010-04-25 21:12:31
Hello,

I've been using Securityfilter in a project for a long time. Now, when I was doing some maintenance, I thought I'd change it to use standard form based login, as I had never got Securityfilter to work really well with JBoss. It has been working more or less, but never perfectly. Anyway, I soon remembered why I had been using Securityfilter, as it was impossible to make the standard procedures work as I wanted. So I went back to have a new look at Securityfilter; my old version was a modified 1.x.

After some research I found out that since JBoss 4.2.3 there is a class called WebAuthentication which can be used to programmatically authenticate in the web layer.

I've created a class JBossRealm which can be used to authenticate to JBoss. It makes use of WebAuthentication to authenticate to the JBoss security container.

There is a bug, reported in https://jira.jboss.org/jira/browse/JBAS-5549, which causes the authenticated context to be forgotten between each request unless there is a security-constraint in web.xml. As described in jira, just add a dummy entry like this:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>dummy</web-resource-name>
        <url-pattern>/dummy/*</url-pattern>
      </web-resource-collection>
    </security-constraint>

There were some small changes needed to other classes, as described below:

SecurityRequestWrapper
    getUserPrincipal was changed to be in line with org.apache.catalina.connector.Request. If the Principal is an instance of GenericPrincipal then it's necessary to call getUserPrincipal on the Principal to get the UserPrincipal. Also added a getPrincipal method which is used internally where the full Principal is needed.

FormAuthenticator
    Use getPrincipal() on SecurityRequestWrapper instead of getUserPrincipal()

SecurityFilter
    Call isUserInRole(String) on the wrapped request instead of directly on the realm

In addition I removed all compiler warnings and wildcard imports in all classes.

It's also necessary to update catalina.jar to version 5.5.10 or newer and add jboss-web-service.jar (I believe it was named jbossweb-service.jar in 4.2.3, then jboss-web-service.jar from 5.0).

The patch can be found at http://www.abrahamsson.com/securityfilter.patch

Best regards
Sverker
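
The getUserPrincipal()/getPrincipal() split described in the message above, as an added example that is not part of the original post or of the linked patch: the application sees the unwrapped user principal, while role checks go through the request and use the full principal. The classes here (SimplePrincipal, RequestWrapper, and the GenericPrincipal stand-in for Catalina's class of the same name) are hypothetical and reduced so the example runs without JBoss or Catalina on the classpath.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.List;

public class PrincipalUnwrapExample {
    /** Plain user principal, as a login module would produce (constructed for this example). */
    static class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Stand-in for Catalina's GenericPrincipal: carries roles and wraps the user principal. */
    static class GenericPrincipal implements Principal {
        private final Principal userPrincipal;
        private final List<String> roles;
        GenericPrincipal(Principal u, List<String> r) { userPrincipal = u; roles = r; }
        public String getName() { return userPrincipal.getName(); }
        Principal getUserPrincipal() { return userPrincipal; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    /** Hypothetical, reduced request wrapper; not SecurityFilter's SecurityRequestWrapper. */
    static class RequestWrapper {
        private final Principal principal; // full principal stored at login
        RequestWrapper(Principal principal) { this.principal = principal; }
        /** Internal use: the full principal, roles included. */
        Principal getPrincipal() { return principal; }
        /** What the application sees: a GenericPrincipal is unwrapped to the user principal. */
        Principal getUserPrincipal() {
            return principal instanceof GenericPrincipal
                    ? ((GenericPrincipal) principal).getUserPrincipal() : principal;
        }
        /** Role checks are answered from the full principal, never from the unwrapped one. */
        boolean isUserInRole(String role) {
            return principal instanceof GenericPrincipal
                    && ((GenericPrincipal) principal).hasRole(role);
        }
    }

    public static void main(String[] args) {
        Principal user = new SimplePrincipal("alice"); // constructed sample user
        RequestWrapper req = new RequestWrapper(new GenericPrincipal(user, Arrays.asList("admin")));
        System.out.println(req.getUserPrincipal() == user);
        System.out.println(req.getPrincipal() instanceof GenericPrincipal);
        System.out.println(req.isUserInRole("admin") + " " + req.isUserInRole("auditor"));
    }
}
```

Code that authorizes on the result of getUserPrincipal() alone loses the role information, which is why the internal callers in the message use getPrincipal() and isUserInRole(String) on the wrapped request.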