I have a web app that uses ejb (separately deployed), login is handled via JAAS. Can I get caller principal when accessing unsecured url, after authentication, during current session?
More details follow.
ejb:
A simple EJB is registered in WAS (WebSphere 7). It has one method that prints out the principal: ctx.getCallerPrincipal().getName();
webapp:
The web application (deployed separately) has 2 servlets. One is mapped to an unsecured path and the other one is secured, i.e. its path is registered in web.xml under <security-constraint>. Servlets have the EJB injected into them (via the @EJB annotation). EJB binding works. The webapp uses form-based authentication, using JAAS: there is a login form with j_security_check, j_username etc. WAS is configured to use security (using the local operating system) and the webapp role is mapped to All Authenticated in Application's Realm.
login works:
To keep it short, the above configuration works: if I access the secure page (/secure/index.html), WAS displays the login form (if not already logged in), where I can enter my username and password and continue with the execution; the EJB is called and the principal is fetched, printing out my username. As expected.
accessing unsecured resource after the login
However, if I access the unsecured servlet (/index.html), the EJB can't get the caller principal and prints out UNAUTHENTICATED for the user name. This happens regardless of whether I am logged in.
question
Can I get caller principal somehow when accessing unsecured url, after authentication, during current session?
I am not sure if JAAS defines this use case in the spec. Or should I take care of this manually (e.g. using the session and injecting the caller principal into a thread local)?
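The setup described in the question, written out as an added diagnostic example (this is not code from the original post, and the names IdentityLocal, IdentityBean and IdentityServlet are assumed). The same servlet class is meant to be mapped twice in web.xml (one mapping inside a security-constraint, one outside; WebSphere 7 is Servlet 2.5, so there is no @WebServlet annotation) and it records, for each request, what identity the web layer sees via getUserPrincipal() next to what the EJB sees via getCallerPrincipal(). Logging both side by side makes it visible at which layer identity propagation stops on the unsecured path, instead of only seeing UNAUTHENTICATED from the bean.

```java
// File: IdentityLocal.java (assumed name)
package example.identity;

public interface IdentityLocal {
    /** Returns the name of the principal the EJB container associates with the caller. */
    String callerName();
}

// File: IdentityBean.java (assumed name)
package example.identity;

import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class IdentityBean implements IdentityLocal {
    @Resource
    private SessionContext ctx;

    public String callerName() {
        // Same call as in the question; on WebSphere an unauthenticated caller
        // is reported with the name UNAUTHENTICATED rather than as null.
        return ctx.getCallerPrincipal().getName();
    }
}

// File: IdentityServlet.java (assumed name); mapped in web.xml to both
// /index.html (no security-constraint) and /secure/index.html (constrained).
package example.identity;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class IdentityServlet extends HttpServlet {
    @EJB
    private IdentityLocal identity;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Identity as the web container sees it for this request.
        Principal webPrincipal = req.getUserPrincipal();
        String webName = (webPrincipal == null) ? "(none)" : webPrincipal.getName();

        // Identity as the EJB container sees it for the propagated call.
        String ejbName;
        try {
            ejbName = identity.callerName();
        } catch (RuntimeException e) {
            // e.g. javax.ejb.EJBAccessException if the bean method were role-protected
            ejbName = "(error: " + e.getClass().getSimpleName() + ")";
        }

        // Do not create a session as a side effect of the diagnostic.
        HttpSession session = req.getSession(false);
        boolean consistent = webName.equals(ejbName);

        // One line per request, suitable for the container log.
        log("path=" + req.getServletPath()
                + " sessionPresent=" + (session != null)
                + " webPrincipal=" + webName
                + " ejbPrincipal=" + ejbName
                + " consistent=" + consistent);

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("web layer principal: " + webName);
        out.println("ejb layer principal: " + ejbName);
        out.println("propagation consistent: " + consistent);
    }
}
```

Requesting /secure/index.html after logging in should log both names equal to the authenticated user; requesting /index.html in the same browser session reproduces the situation in the question, and the log line shows whether the web layer already reports no principal there or whether the gap appears only at the EJB boundary. If a manual workaround along the lines the question mentions is ever considered, note that a thread-local carrying a principal must be cleared at the end of every request, since servlet threads are pooled and a stale value would otherwise leak one user's identity into another user's request.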