Recipe 15.8 Using JAAS in a Servlet

Problem

You want to authenticate servlet clients with JAAS.

Solution

Create a JavaBean that wraps the functionality of the JAAS API classes that you have included in your web application.

Discussion

Using JAAS in a servlet requires that you have a LoginModule installed in your web application, either in WEB-INF/classes or stored in a JAR file in WEB-INF/lib. Example 15-12 shows a servlet named LoginServlet that implements JAAS authentication. This servlet uses the CallbackHandler described in Recipe 15.5. That CallbackHandler must also be placed in WEB-INF/classes or included in a JAR stored in WEB-INF/lib. Note that the servlet in Example 15-12 only reports whether the login succeeded; it neither retrieves the authenticated Subject (lcontext.getSubject()) nor associates it with an HttpSession, so any later request that needs the authenticated identity would have to log in again. A browser request for this servlet looks like:
Use a POST request from an HTML form in conjunction with SSL (Recipe 15.2) if you want to use the much more secure strategy of keeping usernames and passwords out of visible URLs (and therefore out of browser history, proxy logs, server access logs, and Referer headers).

Example 15-12. A servlet for authenticating and logging in clients

```java
package com.jspservletcookbook;

import javax.servlet.*;
import javax.servlet.http.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.callback.CallbackHandler;

public class LoginServlet extends HttpServlet {

    public void doGet(HttpServletRequest request,
                      HttpServletResponse response)
            throws ServletException, java.io.IOException {

        // The CallbackHandler gets the username and password from
        // request parameters in the URL; therefore, the ServletRequest is
        // passed to the CallbackHandler constructor
        WebCallbackHandler webcallback = new WebCallbackHandler(request);

        LoginContext lcontext = null;
        boolean loginSuccess = true;

        try {
            // "WebLogin" is the name of the login configuration entry
            // created in Recipe 15.7
            lcontext = new LoginContext("WebLogin", webcallback);

            // this method throws a LoginException
            // if authentication is unsuccessful
            lcontext.login();
        } catch (LoginException lge) {
            loginSuccess = false;
        }

        response.setContentType("text/html");
        java.io.PrintWriter out = response.getWriter();

        out.println(
            "<html><head><title>Thanks for logging in</title>" +
            "</head><body>");
        out.println("<h2>Your logged in status</h2>");
        out.println("" + (loginSuccess ? "Logged in" : "Failed Login"));
        out.println("</body></html>");
    } // doGet

    // POST requests are handled identically to GET requests
    public void doPost(HttpServletRequest request,
                       HttpServletResponse response)
            throws ServletException, java.io.IOException {
        doGet(request, response);
    } // doPost

} // LoginServlet
```

This servlet:
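The following servlet is an added example, not code from the book, showing the POST-plus-SSL strategy recommended above carried through: credentials are accepted only from a POST body over a secure connection, the password is cleared after use, and on success the authenticated Subject is stored in a freshly created HttpSession so later requests can find it. The class name SecureLoginServlet, the form parameter names "username" and "password", the session attribute key, and the inline FormCallbackHandler (a stand-in for the Recipe 15.5 WebCallbackHandler, which is not shown on this page) are all assumptions; the login configuration name "WebLogin" is the one used by Example 15-12.

```java
package com.jspservletcookbook;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: hypothetical hardened variant of the recipe's LoginServlet.
public class SecureLoginServlet extends HttpServlet {

    // Hypothetical session attribute under which the Subject is kept.
    static final String SUBJECT_KEY = "com.jspservletcookbook.subject";

    // Credentials never come from the URL: reject GET outright.
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setHeader("Allow", "POST");
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Refuse to read a password that arrived over plain HTTP.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String username = request.getParameter("username");   // assumed form field
        String password = request.getParameter("password");   // assumed form field
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Work with a char[] so the secret can be zeroed once login is done.
        char[] pw = password.toCharArray();
        Subject subject = null;
        try {
            LoginContext lcontext =
                new LoginContext("WebLogin", new FormCallbackHandler(username, pw));
            lcontext.login();                 // throws LoginException on failure
            subject = lcontext.getSubject();  // populated by the LoginModule's commit()
        } catch (LoginException lge) {
            subject = null;                   // one generic outcome for every failure cause
        } finally {
            Arrays.fill(pw, '\0');
        }

        if (subject != null) {
            // Discard any pre-login session so an attacker-supplied session ID
            // is not promoted to an authenticated one (session fixation).
            HttpSession old = request.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            request.getSession(true).setAttribute(SUBJECT_KEY, subject);
        }

        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html><head><title>Login</title></head><body>");
        out.println("<h2>Your logged in status</h2>");
        // Deliberately say nothing about why a login failed.
        out.println(subject != null ? "Logged in" : "Failed Login");
        out.println("</body></html>");
    }

    // Supplies the form values to whatever Name/Password callbacks the
    // LoginModule asks for; any other callback type is refused.
    static class FormCallbackHandler implements CallbackHandler {
        private final String name;
        private final char[] password;

        FormCallbackHandler(String name, char[] password) {
            this.name = name;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    ((NameCallback) callbacks[i]).setName(name);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    // PasswordCallback stores its own copy of the array.
                    ((PasswordCallback) callbacks[i]).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(callbacks[i]);
                }
            }
        }
    }
}
```

The LoginModule behind "WebLogin" is responsible for calling PasswordCallback.clearPassword() once it has checked the credential; the servlet only guarantees that its own copy is zeroed. Because the Subject is kept in the session, a later servlet or filter can retrieve it with request.getSession(false) and the same attribute key, which is what Example 15-12 cannot offer.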
Figure 15-7 shows the web browser output when an attempted login using this servlet succeeds.

Figure 15-7. The LoginServlet signals success

See Also

Recipe 15.6 on creating a JAAS LoginModule; Recipe 15.7 on creating the JAAS configuration file; Chapter 21 on accessing databases with servlets; Sun Microsystems' JAAS developer's guide: http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/JAASLMDevGuide.html; a list of JAAS tutorials and sample programs: http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/JAASRefGuide.html; the Javadoc relating to JAAS configuration files: http://java.sun.com/j2se/1.4.1/docs/api/javax/security/auth/login/Configuration.html; Recipe 15.9 on using JAAS with a JSP.