Recipe 15.8 Using JAAS in a Servlet

Problem

You want to authenticate servlet clients with JAAS.

Solution

Create a JavaBean that wraps the functionality of the JAAS API classes that you have included in your web application.

Discussion

Using JAAS in a servlet requires that you have a LoginModule installed in your web application, either in WEB-INF/classes or stored in a JAR file in WEB-INF/lib.

Example 15-12 shows a servlet named LoginServlet that implements JAAS authentication. This servlet uses the CallbackHandler described in Recipe 15.5. This CallbackHandler must also be placed in WEB-INF/classes or included in a JAR stored in WEB-INF/lib. A browser request for this servlet looks like:

http://localhost:8080/home/servlet/com.jspservletcookbookLoginServlet?userName=Bruce%20W%20Perry&password=bwp1968

Use a POST request from an HTML form in conjunction with SSL (Recipe 15.2) if you want to use the much more secure strategy of keeping usernames and passwords out of visible URLs.

Example 15-12. A servlet for authenticating and logging in clients

package com.jspservletcookbook;           

import javax.servlet.*;
import javax.servlet.http.*;

import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.callback.CallbackHandler;

public class LoginServlet extends HttpServlet {

  public void doGet(HttpServletRequest request, 
    HttpServletResponse response)
      throws ServletException, java.io.IOException {
    
      //The CallbackHandler gets the username and password from
      //request parameters in the URL; therefore, the ServletRequest is
      //passed to the CallbackHandler constructor
      WebCallbackHandler webcallback = new WebCallbackHandler(request);

      LoginContext lcontext = null;

      boolean loginSuccess = true;
    
    
      try{
    
          lcontext = new LoginContext( "WebLogin",webcallback );
          
          //this method throws a LoginException
          //if authentication is unsuccessful
          lcontext.login( );
    
      } catch (LoginException lge){
    
          loginSuccess = false;
    
      }

          response.setContentType("text/html");

          java.io.PrintWriter out = response.getWriter( );

          out.println(
          "<html><head><title>Thanks for logging in</title>"+
          "</head><body>");

          out.println("<h2>Your logged in status</h2>");
      
          out.println(""+ ( loginSuccess ? "Logged in" : 
            "Failed Login" ));
      
          out.println("</body></html>");
      
  } //doGet
     
  public void doPost(HttpServletRequest request, 
       HttpServletResponse response) throws ServletException, 
       java.io.IOException {
           
      doGet(request,response);
                 
  } //doPost

} //LoginServlet

This servlet:

Creates a WebCallbackHandler (Example 15-10) and passes the ServletRequest into the constructor (from where the CallbackHandler gets the client's name and password).
Creates a LoginContext object with two constructor parameters: the name of the login application (from our configuration file in Recipe 15.6, "WebLogin") and the WebCallbackHandler object.
Calls the LoginContext 's login( ) method, which beneath the surface calls the DataSourceLoginModule 's login( ) method (from Example 15-9), in order to perform authentication.

Figure 15-7 shows the web browser output when an attempted login using this servlet succeeds.

Figure 15-7. The LoginServlet signals success