2
votes

I am developing a JSF 2 application running under JBOSS Wildfly, which utilizes Java's JAAS security mechanism.

Everything works as expected and I can login using the request.login(username, password) mechanism.

I also have a requirement to authorize a device (which I have implemented using cookies) as part of the login process. The process I am trying to implement is as follows:

  1. Validate username and password (but not log them in)
  2. Check device authorization and redirect to the authorization process pages if not already authorized.
  3. Login (if authorization is successful)

I don't want to log the user in unless they are authorized, and I don't want to go through the authorization process unless the username and password are correct.

So I need to verify the credentials are correct without actually logging the user in. I can do this manually via a database query, but I was wondering if there is a way to do this via JAAS.

Any ideas? Rich

1
What do you mean by "without logging in"? Which is the specific step you want to avoid? Showing a logging form/popup? Retrieving its roles? - SJuan76
I don't want to perform a JAAS login (by calling request.login(username, password)). I would like to call something like request.checkCredentials(username, password) to get a boolean response as to whether the username and password are valid, but without actually logging them in. But checkCredentials() obviously doesn't exist - I was looking for similar functionality from JAAS. - Richard Clarke

1 Answer

1
votes

There is no standard way to check credentials in JAAS/JEE. However, you might log in and immediately log out the user:

import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

boolean isValid;
HttpServletRequest request = (HttpServletRequest) FacesContext
        .getCurrentInstance().getExternalContext().getRequest();
try {
    // a successful login() proves the credentials; logout() undoes it straight away
    request.login(name, password);
    request.logout();
    isValid = true;
} catch (ServletException e) {
    // login() refused the credentials (or another login/logout error occurred)
    isValid = false;
}

A ServletException means that the user is not valid (or another error occurred).

You can also use the internal JBoss class org.jboss.security.AuthenticationManager and its isValid(..) method. See example. But this binds you to JBoss AS/Wildfly.
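The three-step flow from the question, built on the login-then-logout probe from the answer, as an added example that is not code from the question, the answer or any JBoss project. The cookie name `device-auth`, the `DeviceRegistry` interface, the `/device/authorize.xhtml` page and the `home` outcome are assumptions; the Servlet and JSF calls (`HttpServletRequest.login`/`logout`, `ExternalContext.redirect`) are the standard Java EE ones.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Optional;
import javax.enterprise.context.RequestScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Assumed application interface: the device token registered for a user, if any. */
interface DeviceRegistry {
    Optional<String> deviceTokenFor(String username);
}

@Named
@RequestScoped
public class LoginBean {
    /** Assumed cookie name; the question does not say which one it uses. */
    static final String DEVICE_COOKIE = "device-auth";
    /** Assumed location of the device-authorization pages. */
    static final String DEVICE_AUTH_PAGE = "/device/authorize.xhtml";

    @Inject
    private DeviceRegistry devices;
    private String username;
    private String password;

    /** Step 1: probe the credentials with login() + logout(), as the answer suggests. */
    static boolean credentialsValid(HttpServletRequest request, String user, String pass) {
        try {
            request.login(user, pass);
        } catch (ServletException e) {
            return false;                 // bad credentials, or the container refused the login
        }
        try {
            request.logout();             // undo the probe so nothing stays authenticated
        } catch (ServletException e) {
            // The probe left the user logged in; drop the session and stop the flow here.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            return false;
        }
        return true;
    }

    /** Step 2: the device is authorized when its cookie carries this user's registered token. */
    boolean deviceAuthorized(HttpServletRequest request, String user) {
        Optional<String> expected = devices.deviceTokenFor(user);
        Cookie[] cookies = request.getCookies();
        if (!expected.isPresent() || cookies == null) {
            return false;
        }
        byte[] want = expected.get().getBytes(StandardCharsets.UTF_8);
        for (Cookie c : cookies) {
            if (DEVICE_COOKIE.equals(c.getName())) {
                byte[] got = c.getValue().getBytes(StandardCharsets.UTF_8);
                return MessageDigest.isEqual(want, got);   // constant-time comparison
            }
        }
        return false;
    }

    /** JSF action: validate, then check the device, then (only then) log the user in. */
    public String login() throws IOException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ext = ctx.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ext.getRequest();

        if (!credentialsValid(request, username, password)) {
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null;                                    // stay on the login page
        }
        if (!deviceAuthorized(request, username)) {
            // Only the username is kept; the authorization pages re-prompt for the password
            // rather than having it sit in the session.
            ext.getSessionMap().put("pendingUser", username);
            ext.redirect(ext.getRequestContextPath() + DEVICE_AUTH_PAGE);
            return null;
        }
        try {
            request.login(username, password);              // step 3: the real login
        } catch (ServletException e) {
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null;
        }
        return "home?faces-redirect=true";                  // assumed landing page
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

Two things to keep in mind with this approach: the probe in step 1 is a real container login followed by a logout, so it is subject to whatever audit logging and lockout the security domain applies, exactly as a normal login attempt would be; and the device cookie should carry a random per-device token (issued HttpOnly and Secure by the authorization pages), never anything derived from the username, or possession of the cookie proves nothing.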