Question

I have a web app that uses EJB (separately deployed); login is handled via JAAS. Can I get the caller principal when accessing an unsecured URL, after authentication, during the current session?

More details follow.

ejb:

A simple EJB is registered in WAS (WebSphere 7). It has one method that prints out the principal:

ctx.getCallerPrincipal().getName();

webapp:

The web application (deployed separately) has 2 servlets. One is mapped to an unsecured path and the other one is secured, i.e. its path is registered in web.xml under <security-constraint>. Both servlets have the EJB injected into them (via the @EJB annotation). EJB binding works. The webapp uses form-based authentication, using JAAS: there is a login form with j_security_check, j_username etc. WAS is configured to use security (using the local operating system) and the webapp role is mapped to All Authenticated in Application's Realm.

login works:

To keep it short, the above configuration works: if I access the secure page (/secure/index.html), WAS displays the login form (if not already logged in), where I can enter my username and password and continue with the execution; the EJB is called and the principal is fetched, printing out my username. As expected.

accessing unsecured resource after the login

However, if I access the unsecured servlet (/index.html), the EJB can't get the caller principal and prints out UNAUTHENTICATED for the user name. This happens regardless of whether I am logged in.

question

Can I get the caller principal somehow when accessing an unsecured URL, after authentication, during the current session?

I am not sure whether JAAS defines this use case in the spec. Or should I take care of this manually (e.g. using the session and injecting the caller principal into a thread local)?


Solution

You probably should change the default behavior for web authentication, which is not to provide authentication data for unprotected URLs. The option "Use available authentication data when an unprotected URI is accessed" should be enabled.


Overall, I strongly recommend reading the WebSphere Application Server V7.0 Security Guide to understand how security works in WAS.
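For reference, here is an added Java sketch (not code from the question or the answer) of the two pieces described above: a separately deployed EJB that reports its caller and a servlet on the unprotected path that calls it. The bean, servlet and role names are assumed; the point it illustrates is that the UNAUTHENTICATED placeholder must be handled explicitly, and that anything sensitive stays role-guarded in the EJB so the unprotected web path alone never grants access.

```java
// --- WhoAmIBean.java (EJB module, deployed separately) ---
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import java.security.Principal;

@Stateless
public class WhoAmIBean {                  // hypothetical bean name
    @Resource
    private SessionContext ctx;

    // Callable from unprotected URLs; maps WebSphere's UNAUTHENTICATED
    // placeholder to null so it is never mistaken for a real user name.
    @PermitAll
    public String callerNameOrNull() {
        Principal p = ctx.getCallerPrincipal();
        String name = (p == null) ? null : p.getName();
        return (name == null || "UNAUTHENTICATED".equals(name)) ? null : name;
    }

    // Sensitive work stays role-guarded in the EJB, so a call arriving
    // through an unprotected URL without credentials is rejected by the
    // EJB container no matter what the web tier did.
    @RolesAllowed("AllAuthenticated")      // role name is assumed
    public String accountSummary() {
        return "summary for " + ctx.getCallerPrincipal().getName();
    }
}

// --- IndexServlet.java (web module, mapped to the unprotected /index.html) ---
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import java.io.IOException;

public class IndexServlet extends HttpServlet {
    @EJB
    private WhoAmIBean whoAmI;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Without "Use available authentication data when an unprotected
        // URI is accessed" both values stay empty here even after login.
        String ejbUser = whoAmI.callerNameOrNull();
        resp.setContentType("text/plain");
        resp.getWriter().println("web principal: " + req.getUserPrincipal());
        resp.getWriter().println("ejb caller:    " + ejbUser);
        if (ejbUser != null) resp.getWriter().println(whoAmI.accountSummary());
    }
}
```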

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow