I have an interesting project requirement where we must accept a token as a GET paramenter that will authenticate a user coming into an application. This is to allow trusted third parties to seamlessly send a user over to our site without having to make them log in again.
An example might be:
http://www.myproj.com/appName/index.jsf?user_token=asdf123randomstuffaf12fsaasdf
appName would be the context root, and user_token would be a token that could be checked. The token will be used once, then thrown away, and they expire a few seconds after generation. The token part is not really what i’m hung up on, it’s the integration with JAAS.
In Spring Security, I can setup a filter that would intercept the request, pull the token out of the URL, and authenticate the user against a UserDetailsService. Sadly, Spring Security is not available on this project for a myriad of issues, so we are going to need to use JAAS authentication.
I’m not asking for code, but I could use a little basic direction on what modules would need to be written so I can continue my research. Thanks everyone,
JAAS isn’t really suitable for web application. It is more for desktop applications which support interactive inputs and accessing local resources managed by the JVM such as files, network sockets.
But if you really want to go down the JAAS road, prepare to write your custom LoginModule and probably a CallbackHandler and Principal. Most important class is the LoginModule. You might be able to reuse some existing Principal class.
The CallbackHandler would pull the token out of the URL. The LoginModule would look that token up against some database, and populate the passed-in Subject with some Principal.
It may sound confusing because the terms are quite close (Subject vs Principal, LoginModule vs CallbackHandler) so the docs should be at a close distance.
After you’ve done all of this, you will also need to configure the web container’s policy to load a new login context (yet another very related term). This is like configuring PAM in Linux. Ask your administrator to do this for you.
But you haven’t finished yet. The last task is to write a (I assume you are developing something based on Java Servlet) filter. This filter should be hooked at the very first level. If it sees a special parameter value (such as user_token), it obtains the configured LoginContext object, and calls its login method.
Now, if you scrap JAAS altogether, you could make do with just the servlet filter. In this filter, if authentication is successful, you could populate the session object with your own custom objects (such as a User object) to signify a success. Much more simple.