General J2EE: Can I use JAAS to authenticate within a servlet?

  1. Is anybody out there using JAAS from within a servlet to do web user authentication, rather than use the login-config mechanism available in the web-app deployment descriptor?
  2. Yes I am doing it from some code called from JSP.

  3. Thanks for your reply,

    Did you write your own custom login module? What type of authentication are you doing? I'm currently putting together a prototype of a user/password authentication using our database, but I feel like I'm walking on new ground. It would help to here your experiences or see some sample code if you have any that you could make available.

    -- Corey

  4. I am still looking for input from the community on how they are doing Web authentication. Do you allow the container to manage your security? Or do you use a third-party security system (for example, Netegrity)? Or are you using a proprietary / in-house mechanism? Possibly, are you using JAAS to authenticate users in your servlets, rather than use the declarative security in the deployment descriptors?

    Any comments or input would be much appreciated.


    I feel like I should allow the container to manage security, but I am unhappy with security implementation I get with Weblogic 6.1. There are some pecularities in the behavior that I am having a hard time getting past.

    For example, (assuming FORM auth-method) when a user attempts to access a protected resource and is challenged with the login page, there are two possible fail scenarios from the login. 1) The authentication identity (ex, username/password) provided was invalid. Or, 2) The identity was valid, but the user does not have rights to the resource. Unfortunately, the container treats both of these conditions generically, as a failure, and sends both to the same error page. It would be much nicer if either 1) the spec allowed me to specify different error pages, or 2) if the container would send an attribute along to the error page that indicated the reason for the failure. Otherwise, I am forced to craft a message to the user that attempts to explain both the possible cases for the error, which is somewhat difficult to do.