You can do it by adding a filter for all your data/JSF requests. The filter would verify whether the request has a Kerberos key/certificate before forwarding the request.
If you want to authenticate your services, then you can use something like Spring AOP and add Advice that covers your services:

    import org.aspectj.lang.JoinPoint;
    import org.aspectj.lang.annotation.Aspect;
    import org.aspectj.lang.annotation.Before;

    @Aspect
    public class KerberosAspectJoinPoint {

        // Matches every public method in com.service and its sub-packages
        @Before("execution(public * com.service..*.*(..))")
        public void kerberosAdvice(JoinPoint joinPoint) {
            // Verify authentication and throw an error
        }
    }

Or you can do it selectively by creating an annotation and adding the annotation to the service methods you want to authenticate:
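
    import java.lang.annotation.ElementType;
    import java.lang.annotation.Retention;
    import java.lang.annotation.RetentionPolicy;
    import java.lang.annotation.Target;

    // RUNTIME retention is needed so the @annotation pointcut can see it
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface VerifyAuth {
    }

    import org.aspectj.lang.annotation.Aspect;
    import org.aspectj.lang.annotation.Before;

    @Aspect
    public class KerberosAspectJoinPoint {

        @Before("@annotation(com.test.VerifyAuth)")
        public void myAdvice() {
            // Verify authentication and throw an error
        }
    }
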
But if you plan to cover everything in the application, then validating in the filter seems like a good place for a web app.
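
    import java.io.IOException;
    import java.security.PrivilegedActionException;
    import java.security.PrivilegedExceptionAction;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.servlet.*;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    class LoginFilter implements Filter {
        // Not defined in the original snippet: a LoginContext on which
        // login() has already succeeded (for example, set up in init())
        private LoginContext lc;

        public void init(FilterConfig config) { }
        public void destroy() { }

        public void doFilter(ServletRequest request, ServletResponse response,
                FilterChain chain) throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;
            try {
                // Run the rest of the chain as the authenticated Subject
                Subject.doAs(lc.getSubject(), new LoginAction(req, res, chain));
            } catch (PrivilegedActionException e) {
                throw new ServletException(e.getException());
            }
        }
    }

    // PrivilegedExceptionAction lets run() propagate the checked exceptions
    // thrown by chain.doFilter()
    class LoginAction implements PrivilegedExceptionAction<Object> {
        private final HttpServletRequest request;
        private final HttpServletResponse response;
        private final FilterChain chain;

        public LoginAction(HttpServletRequest request,
                HttpServletResponse response, FilterChain chain) {
            this.request = request;
            this.response = response;
            this.chain = chain;
        }

        public Object run() throws IOException, ServletException {
            doForward(request, response, chain);
            return null;
        }

        private static void doForward(HttpServletRequest request,
                HttpServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            chain.doFilter(request, response);
        }
    }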
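
The check described at the top of the answer (reject the request unless it carries a valid Kerberos ticket) could look like the filter below. This is an added example, not code from the original answer; it assumes the `javax.servlet` API, a service `Subject` obtained from a JAAS keytab login elsewhere, and the hypothetical names `SpnegoCheckFilter` and `kerberos.principal`.

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;
import org.ietf.jgss.*;

public class SpnegoCheckFilter implements Filter {
    // Assumption: Subject holding the service's Kerberos keys (JAAS keytab login done elsewhere)
    private final Subject serviceSubject;

    public SpnegoCheckFilter(Subject serviceSubject) { this.serviceSubject = serviceSubject; }
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        String header = req.getHeader("Authorization");
        String client = null;
        if (header != null && header.startsWith("Negotiate ")) {
            try {
                byte[] token = Base64.getDecoder().decode(header.substring(10).trim());
                // Validate the ticket with the service's own keys; null = default acceptor credential
                client = Subject.doAs(serviceSubject, (PrivilegedExceptionAction<String>) () -> {
                    GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
                    try {
                        ctx.acceptSecContext(token, 0, token.length);
                        // Only a fully established context counts as authenticated
                        return ctx.isEstablished() ? ctx.getSrcName().toString() : null;
                    } finally {
                        ctx.dispose();
                    }
                });
            } catch (PrivilegedActionException | IllegalArgumentException e) {
                client = null; // invalid ticket or malformed Base64: fail closed
            }
        }
        if (client == null) {
            res.setHeader("WWW-Authenticate", "Negotiate"); // ask the client for a ticket
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.setAttribute("kerberos.principal", client); // hypothetical attribute name
        chain.doFilter(request, response);
    }
}
```

The filter forwards the request only after `acceptSecContext` has validated the ticket; checking merely that a `Negotiate` header is present would accept any forged value.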