I have a security constraint that covers some pages in my web application. The authentication is done with JAAS and a form, and it works fine (I've successfully implemented my LoginModule).

However I need an alternate authentication via servlet.

That's the code of the servlet:

import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// ...inside the servlet's request-handling method; "properties" and "token"
// come from the request, TokenCallbackHandler is my own CallbackHandler
try {
    TokenCallbackHandler tokenCallbackHandler = new TokenCallbackHandler(properties, token);

    LoginContext lc = new LoginContext("myApp", tokenCallbackHandler);
    lc.login();
} catch (LoginException e) {
    e.printStackTrace();
}

Debugging the code, I saw that initialize, login and commit were called without error. The servlet returns an HTML page with JS that redirects to a protected resource:

function doRedirect() {
    location.href = "/protectedPath/ProtectedResource.html";
}
window.setTimeout(doRedirect, 1);

But when the browser tries to get the protected page, the app server returns to the login page.

What am I missing? Is it possible that with the JS redirect I'm losing the session cookie? Or is it possible that the problem is that I'm trying to access (through a redirect) a protected resource from an unprotected resource?

-- EDIT ---

I've taken a look at the cookies: when I log in with the servlet it returns a session cookie, and when I try to get a protected resource I can see the browser passing that session cookie to the server, but it seems that it gets refused; in fact, the server responds with another session cookie and goes to the login form page.

-- EDIT ---

Solved in another way.

After some investigation of the Tomcat authentication mechanism, I realized that what I was trying to do was wrong.

Having defined a security constraint and a form login config to protect my resources, I have told Tomcat to manage authentication in its own way. So as long as I don't pass through Tomcat's authentication workflow, I can't authenticate anything. Also, I discovered that it's not possible to configure different login configurations in the same web application, so having defined form authentication prevents me from authenticating in other ways. Probably what I will need is a custom implementation of the class BaseAuthenticator (the base class for FormAuthenticator, BasicAuthenticator, etc., containing the code for the respective login configuration), but I'm not sure that it would be a good idea; maybe a security filter would be a better solution.

Not knowing anything about security filters in Tomcat, I temporarily managed to solve my problem by simulating a form authentication in my servlet (really awful, I know).
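The "Solved" edit above states the key point: a bare LoginContext.login() in servlet code authenticates inside the servlet's JVM but never hands a Principal to Tomcat, so the container's security constraint still sees an anonymous session. The following servlet is an added example, not the asker's code: it uses the Servlet 3.0 HttpServletRequest.login(username, password) API, which runs the container's configured Realm (for example JAASRealm backed by the asker's LoginModule) and registers the resulting Principal on the session before redirecting to the protected path. It assumes a Servlet 3.0+ container (Tomcat 7 or later), a Realm configured for the web application, and that a username/password pair can be derived from the incoming token; the TOKEN_STORE map and the "/tokenLogin" path are constructed stand-ins for that lookup.

```java
// Added example (not the asker's code): programmatic container login via the
// Servlet 3.0 API so that Tomcat itself registers the Principal on the session.
// Assumes a Servlet 3.0+ container (Tomcat 7+) with a Realm configured for the
// application; the token-to-credentials lookup is a hypothetical stand-in.
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/tokenLogin")
public class TokenLoginServlet extends HttpServlet {

    // Constructed stand-in for a real token store: token -> {username, password}.
    // A deployment would resolve the token against its own backend instead.
    private static final Map<String, String[]> TOKEN_STORE =
            Map.of("example-token", new String[] {"alice", "alice-password"});

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String token = request.getParameter("token");
        String[] credentials = (token == null) ? null : TOKEN_STORE.get(token);
        if (credentials == null) {
            // Unknown or missing token: no container login attempt at all
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Drop any pre-authentication session so the authenticated session does
        // not keep an id that was issued before login (session fixation hygiene;
        // Tomcat's changeSessionIdOnAuthentication covers this too).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        try {
            // The container runs the Realm (e.g. JAASRealm -> the LoginModule)
            // and attaches the Principal to the request and its session, which a
            // bare LoginContext.login() inside servlet code never does.
            request.login(credentials[0], credentials[1]);
        } catch (ServletException e) {
            // Realm rejected the credentials (or the login config does not
            // support programmatic login): treat as an authentication failure
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // request.getUserPrincipal() is now non-null, so the security constraint
        // covering /protectedPath/* is satisfied for this session.
        response.sendRedirect(request.getContextPath()
                + "/protectedPath/ProtectedResource.html");
    }
}
```

Redirecting with response.sendRedirect() rather than a JS timer keeps the Set-Cookie for the freshly registered session and the redirect in the same response, so the browser presents the authenticated session cookie on the very next request to the protected path.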

Are you creating a session anywhere in your servlet code after successful login? – Serge Ballesta

If it gets refused then either the cookie has a path on it that is different, or is it that the cookie is not secure when set, but you're redirecting to a secure endpoint? – user4903

Good suggestion, I created a new session in the servlet, but nothing changed; however, now I'll try to play with the headers. From what I could see, form authentication returns a Set-Cookie header. – Stefano Vercellino

I'm redirecting to a page that is in the path covered by the security-constraint. Maybe the cookie is not secure? I have to check; for now I could see that the cookie starts from the browser when I call my servlet and the servlet returns that same cookie. – Stefano Vercellino

Is the value of the cookie changing? After logging in, inspect the value of the cookie, and then after the redirect inspect the value. If they are different then that could explain it. – user4903

1 Answer


If you want to do serious work with authentication and authorization management, you should consider using a well-established framework such as Apache Shiro or Spring Security. The latter at least allows for concurrent authentication schemes (basic HTTP and login form as a default, but many others are possible).