Question

I have a custom LoginModule in my server-side JBoss EAP 6.2.0 SecurityDomain. This custom LoginModule requires three CallbackHandlers: NameCallback (Java standard), PasswordCallback (Java standard) and an additional OtpCallback (implemented by myself, for a one-time password).

I now want to log in to this module from a JSF 2.1 web application. I know that this is usually possible with FORM login, BASIC login, or login via HttpServletRequest#login. But none of them lets me specify username, password and OTP value; they only allow for username and password.

Therefore I'm seeking a way to authenticate like with the HttpServletRequest#login method while being able to supply the three credentials.

Thank you very much for your help!

N.B.: I've already tried to use

    // Assumed to be in scope: the String fields username, password and otp, plus the
    // custom OtpCallback class that the security domain's LoginModule requests.
    import java.io.IOException;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginContext;

    LoginContext lc = new LoginContext("MyOtpSecurityDomain", new CallbackHandler() {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            // Fill each callback the LoginModule asks for; unknown callbacks are ignored.
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    NameCallback nc = (NameCallback) callback;
                    nc.setName(username);
                } else if (callback instanceof PasswordCallback) {
                    PasswordCallback pc = (PasswordCallback) callback;
                    pc.setPassword(password.toCharArray());
                } else if (callback instanceof OtpCallback) {
                    OtpCallback oc = (OtpCallback) callback;
                    oc.setOtp(otp);
                }
            }
        }
    });
    lc.login();   // throws javax.security.auth.login.LoginException if the module rejects the credentials

This even calls my server-side custom Login Module, but somehow the login is not propagated to the webapp and the EJBs.


Solution

It seems that this is not possible, at least I wasn't able to propagate or tie the JAAS subject to the HttpSession.

I finally ended up packing the OTP and password into one String and passing the two parameters username and (password+otp) to HttpServletRequest#login(java.lang.String username, java.lang.String password).

Not the most elegant solution, but it works.
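One way to make the "password+otp" workaround from the answer splittable on the server, as an added example that is not code from the question, the answer or JBoss: the web side appends the OTP to the password before calling HttpServletRequest#login, and a JAAS LoginModule that only ever receives the container's NameCallback and PasswordCallback cuts the fixed-length OTP back off. The class names CombinedOtpCredential and OtpSplittingLoginModule, the six-digit OTP format and the abstract verify hook are assumptions of this example, not anything the page states.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

/** Convention shared by both sides (assumption): the OTP is a fixed-length digit suffix of the password. */
final class CombinedOtpCredential {
    static final int OTP_LENGTH = 6;   // assumed OTP format: exactly six digits
    final char[] password;
    final String otp;

    CombinedOtpCredential(char[] password, String otp) {
        this.password = password;
        this.otp = otp;
    }

    /** Web side: builds the single "password" argument for HttpServletRequest#login. */
    static String combine(String password, String otp) {
        if (otp == null || otp.length() != OTP_LENGTH || !allDigits(otp)) {
            throw new IllegalArgumentException("OTP must be exactly " + OTP_LENGTH + " digits");
        }
        return password + otp;
    }

    /** Module side: recovers password and OTP from the value delivered through PasswordCallback. */
    static CombinedOtpCredential split(char[] combined) throws FailedLoginException {
        if (combined == null || combined.length <= OTP_LENGTH) {
            throw new FailedLoginException("credential too short to carry an OTP");
        }
        int cut = combined.length - OTP_LENGTH;
        String otp = new String(combined, cut, OTP_LENGTH);
        if (!allDigits(otp)) {
            throw new FailedLoginException("OTP suffix is not numeric");
        }
        return new CombinedOtpCredential(Arrays.copyOfRange(combined, 0, cut), otp);
    }

    private static boolean allDigits(String s) {
        for (int i = 0; i < s.length(); i++) {
            if (!Character.isDigit(s.charAt(i))) return false;
        }
        return true;
    }

    /** JSF action: one container login call carrying username, password and OTP. */
    static void webLogin(HttpServletRequest request, String username, String password, String otp)
            throws ServletException {
        request.login(username, combine(password, otp));
    }
}

/** Server side: needs only the NameCallback and PasswordCallback the container's handler supplies. */
abstract class OtpSplittingLoginModule implements LoginModule {
    private CallbackHandler handler;
    private boolean succeeded;

    /** Hook for the existing three-value check (user, password, OTP); hypothetical, supplied by a subclass. */
    protected abstract boolean verify(String user, char[] password, String otp) throws LoginException;

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {   // Java 7 multi-catch
            throw new LoginException("callback handling failed: " + e.getMessage());
        }
        char[] combined = pc.getPassword();   // getPassword() returns a copy; clear both copies afterwards
        pc.clearPassword();
        CombinedOtpCredential cred = CombinedOtpCredential.split(combined);
        Arrays.fill(combined, '\0');
        try {
            succeeded = verify(nc.getName(), cred.password, cred.otp);
        } finally {
            Arrays.fill(cred.password, '\0');   // do not leave the plaintext password in memory
        }
        if (!succeeded) throw new FailedLoginException("bad password or OTP");
        return true;
    }

    public boolean commit() { return succeeded; }   // principal and role population as in the existing module
    public boolean abort() { succeeded = false; return true; }
    public boolean logout() { succeeded = false; return true; }
}
```

Because the container only delivers one PasswordCallback, the split has to be unambiguous: a fixed-length OTP suffix (or a separator character that the password policy forbids) is what makes it so. Without that, a password that itself ends in digits would be cut in the wrong place and the login would fail or, worse, be checked against the wrong OTP.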

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow