Having this in my web.xml:

<security-constraint>
    <display-name>Amministrazione</display-name>
    <web-resource-collection>
        <web-resource-name>wrcollAdmin</web-resource-name>
        <description/>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.htm</form-login-page>
        <form-error-page>/login.htm</form-error-page>
    </form-login-config>
</login-config>

allows me to protect a secure area of my webapp.

So I get redirected to /login.htm when trying to access /admin/page.htm, for example.

Then I have a JSF2 form with the input fields for username and password. The login button triggers a "login()" method in a controller, like:

import java.io.IOException;
import java.util.Map;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

// Controller fields: username and password are bound to the JSF form inputs,
// users is the application's own user store.
private Map<String, String> users;
private String username;
private String password;
private boolean logged;

public void login() throws IOException {
    FacesContext context = FacesContext.getCurrentInstance();
    ExternalContext externalContext = context.getExternalContext();
    // HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();

    logged = false;
    // request.login(username, password);

    // Application-specific check; the container is never told about its outcome.
    if (users.get(username) != null && users.get(username).equals(password)) {
        logged = true;
        externalContext.redirect("/admin/");
    } else {
        context.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Failed", "Error"));
    }
}

Now this is obviously not working, because I don't know how to tell Java EE: "Hey! I tell you this user is valid! Just... log him in!"

I suppose the API just supports request.login(), but I don't want to use MemoryRealm, JDBCRealm and so on... I determine the user's validity in other ways!

If there's no way to programmatically log in a user, what is the best workaround? Maybe creating a realm with a single username+password pair and always using it for request.login()?

  • What is your question? If it's UI related (form based authentication with JSF), see this answer: [Best way for user authentication on JavaEE 6 using JSF 2.0](http://stackoverflow.com/a/2207147/2390083). If you are not happy with login-config, you can try to implement your own using a `javax.servlet.Filter`. But as authentication is sensitive, I would always recommend to use the standard, and a custom JBoss login module to implement any scheme you like is not that hard. AFAIK there is no way to use the login-config part and then just say "consider this user to be logged in". – Beryllium Aug 25 '13 at 14:46

1 Answer

You can use a JASPIC authentication module for this. Such a module can be part of your application and you can move all application specific logic for validating the user there.

Or... You can create a special authentication module that just logs in whatever user you pass to it. From within such a module there is indeed a method to say: "just log this user in". (It's the CallerPrincipalCallback)

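The answer's second approach as an added example (not the answerer's code): a hypothetical ServerAuthModule that logs in whatever user the application has already validated, reading the name and roles the application stored in the session and handing them to the container through CallerPrincipalCallback and GroupPrincipalCallback. The class and session attribute names and the session-based hand-off are assumptions; /login.htm and the constrained /admin/* URLs come from the question's web.xml.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical module, not from the question or answer: the application's login()
// validates the user its own way, then stores the name under USER_KEY and the
// roles under GROUPS_KEY in the session; this SAM reports that identity to the container.
// CallerPrincipalCallback is the "just log this user in" call; a null Principal means anonymous.
public class SessionUserAuthModule implements ServerAuthModule {
    public static final String USER_KEY = "app.caller";          // assumed attribute names
    public static final String GROUPS_KEY = "app.callerGroups";
    private static final String MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;
    @Override public void initialize(MessagePolicy req, MessagePolicy res, CallbackHandler h, Map opts) {
        this.handler = h;  // container-supplied handler that understands the callbacks below
    }
    @Override public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    @Override public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) mi.getRequestMessage();
        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute(USER_KEY);
        // isMandatory is "true" when the URL matches a <security-constraint> such as /admin/*.
        boolean constrained = Boolean.parseBoolean(String.valueOf(mi.getMap().get(MANDATORY)));
        try {
            if (user == null && constrained) {
                // Nobody logged in on a protected URL: send to the form page, as FORM auth did.
                ((HttpServletResponse) mi.getResponseMessage()).sendRedirect(request.getContextPath() + "/login.htm");
                return AuthStatus.SEND_CONTINUE;
            }
            String[] groups = user == null ? new String[0] : (String[]) session.getAttribute(GROUPS_KEY);
            handler.handle(new Callback[] {
                user == null ? new CallerPrincipalCallback(client, (Principal) null) : new CallerPrincipalCallback(client, user),
                new GroupPrincipalCallback(client, groups == null ? new String[0] : groups) });
            return AuthStatus.SUCCESS;
        } catch (Exception e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }
    @Override public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo mi, Subject s) { }
}
```

The application's login() should invalidate the existing session before storing the user, so a session id issued before authentication is never promoted to a logged-in one. Registering the module with the container is server-specific (AuthConfigFactory.registerConfigProvider or the server's own configuration) and is not shown here.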