2

I have enabled a server authentication module (JSR196) in GlassFish. The module works as expected; however, I need to determine the presence of the authentication module in a servlet programmatically.

Is there any way I could check the presence of the authentication module using Java?

jay

2 Answers

2

Dexter meyers' approach should work just fine, provided that:

  1. your application uses a single ServerAuthModule (SAM),
  2. no AS-wide (i.e. having been registered with the AuthConfigFactory with null appContext and "HttpServlet" or null layer arguments) AuthConfigProvider has been established,
  3. you do not provide your own AuthConfigProvider, ServerAuthConfig and ServerAuthContext implementations, and
  4. your sole concern is to receive a runtime confirmation that the SAM has been "activated" for your application.

Otherwise, a non-null return from AuthConfigFactory#getConfigProvider(String, String, RegistrationListener) might be misleading, in the sense that it does not necessarily assert that your application uses a SAM, only that an AuthConfigProvider has been put into place at a compatible layer and could serve your application's authentication needs if the rest of the required components (ServerAuthConfig et al.) are registered as well.

If you additionally need to know which SAMs exactly your application has been configured to use, there is, afaik, no standard way to do so, as, first and foremost, ServerAuthContext does not expose its encapsulated SAMs (and its very acquisition via ServerAuthConfig#getAuthContext(String, Subject, Map) is not straightforward anyway, since JASPIC's Servlet Profile leaves authContextIDs arbitrary). Which basically means you will either need to implement your own ServerAuthContext (along with the 2 further indirections) to get that functionality, or alternatively attach an identifier to represent the SAM to the HttpServletRequest or HttpSession, if it suffices for you to know which SAMs got triggered for individual requests. Note that in case you prefer to use the javax.servlet.http.authType MessageInfo callback property to set the value returned by HttpServletRequest#getAuthType() instead, it will only work when authentication succeeds, that is, when your SAM's validateRequest(...) establishes a non-null caller Principal and/or at least a single AS group Principal and returns AuthStatus.SUCCESS; otherwise you will get a null despite having set the callback property.

Community
Uux
1

This should be possible by checking for the AuthConfigProvider, which can be done via:

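First define a helper method:

// JASPIC Servlet Profile appContext identifier: virtual server name, a space, then the context path
String getAppContextID(ServletContext context) {
    return context.getVirtualServerName() + " " + context.getContextPath();
}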

Then call this code when the ServletContext is available, like in a @WebListener:

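import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigProvider;

AuthConfigFactory factory = AuthConfigFactory.getFactory();
String appContextID = getAppContextID(context);

// A null result means no AuthConfigProvider is registered for this layer and application context
AuthConfigProvider provider = factory.getConfigProvider("HttpServlet", appContextID, null);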
dexter meyers
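An added example, not code from either answer: a listener that combines the lookup from the second answer with the caveat from the first by reporting whether the AuthConfigProvider it finds was registered for exactly this application or only matches through a wildcard (null layer or null appContext) registration. The class name `JaspicPresenceListener` and the returned labels are hypothetical; it assumes the `javax.*` JASPIC and Servlet 3.1 APIs and that any provider the application registers itself is in place before this listener runs. Neither result shows that a SAM is actually invoked for a request.

```java
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigFactory.RegistrationContext;
import javax.security.auth.message.config.AuthConfigProvider;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

// Hypothetical listener: logs which kind of JASPIC registration covers this application.
@WebListener
public class JaspicPresenceListener implements ServletContextListener {

    static final String LAYER = "HttpServlet";

    // Servlet Profile appContext identifier: "<virtual server name> <context path>"
    static String appContextId(ServletContext ctx) {
        return ctx.getVirtualServerName() + " " + ctx.getContextPath();
    }

    // Returns "none", "app-specific" or "wildcard" (labels chosen for this example).
    static String describe(AuthConfigFactory factory, String appContext) {
        if (factory == null) return "none";
        AuthConfigProvider provider = factory.getConfigProvider(LAYER, appContext, null);
        if (provider == null) return "none";
        String[] ids = factory.getRegistrationIDs(provider);
        if (ids != null) {
            for (String id : ids) {
                RegistrationContext rc = factory.getRegistrationContext(id);
                // An exact layer + appContext match means the registration targets this app only.
                if (rc != null && LAYER.equals(rc.getMessageLayer())
                        && appContext.equals(rc.getAppContext())) {
                    return "app-specific";
                }
            }
        }
        // A provider was found, but only via a registration with a null layer or appContext.
        return "wildcard";
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        String kind = describe(AuthConfigFactory.getFactory(), appContextId(ctx));
        ctx.log("JASPIC AuthConfigProvider registration for this app: " + kind);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```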