 

How to override j_security_check in glassfish?

I'm currently using FORM based authentication in glassfish v2.1 to log users in and it works fine. I want to switch to ProgrammaticLogin and I want to be able to get the initially requested URL (i.e. before redirecting to login page) and use it in my programmatic login code so that the user is redirected back to the requested page after authentication.

I've seen the source code for j_security_check - in my case that's FormAuthenticator (catalina codebase) and it saves the initial request in a SavedRequest object in the session but that session is a StandardSession rather than HttpSession so there's no direct way to access it.

Or should I change the authentication mechanism from FORM to something else?

Thanks!

albogdano asked Jun 14 '09 14:06


2 Answers

Ok, I found the answer. So here it is:

Basically what I was trying to achieve was to implement an openid-based authentication mechanism in glassfish. One way of doing that is to use ProgrammaticLogin but this has a few drawbacks - no easy way of redirecting back to requested URL and programmatic auth means more work for the programmer. So after reading around I found the better way to achieve my goal - Server Authentication Modules or SAMs. This is part of a standard process described in JSR-196 and provides a way for creating pluggable auth modules for glassfish (i.e. different than the standard FORM, BASIC etc.). This method allows you to plug new auth modules in the servlet container while keeping your declarative security model.

So all I need to do is write my own custom SAM. Here's a quick how-to:

  1. Implement the ServerAuthModule interface which mostly boils down to the following method:

    AuthStatus validateRequest(MessageInfo messageInfo, javax.security.auth.Subject clientSubject, javax.security.auth.Subject serviceSubject) throws AuthException

  2. Package your SAM in a jar, and place your jar in the glassfish lib directory.

  3. Configure the SAM for use with your application. This is done in 2 steps:

    • Define your SAM as a message-security-provider in domain.xml.
    • Bind the SAM for use with your application. You can do this by defining the httpservlet-security-provider attribute in the sun-web-app.xml of your app. Set the value of the attribute to the name you assigned to your SAM in step 1.

For more info read this great tutorial by Ron Monzillo.

UPDATE: There is a simpler and more elegant solution to this problem called AuthenticRoast. This is a Java library written by Aike Sommer which allows you to write your own pluggable authenticators.

albogdano answered Nov 14 '22 15:11
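An added example of such a SAM, written for this page and not taken from the answer, GlassFish or Ron Monzillo's tutorial. It does what the question asks for: it remembers the URL first requested, sends the user to a login form, and redirects back after the credentials pass. It assumes a login form posted to `/login` with `j_username`/`j_password` fields and a container callback handler that serves `PasswordValidationCallback` from the configured realm (GlassFish's does); the session attribute names are invented.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;
/** Form-login SAM that stores the originally requested URL in the HttpSession and returns to it. */
public class RedirectingFormSam implements ServerAuthModule {
    private static final String SAVED_URL = "sam.savedUrl", USER = "sam.user"; // assumed session keys
    private static final String MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;
    public void initialize(MessagePolicy rq, MessagePolicy rs, CallbackHandler h, Map opts) { handler = h; }
    public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject s) { }
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) mi.getResponseMessage();
        HttpSession session = req.getSession(true);
        try {
            String user = (String) session.getAttribute(USER);
            if (user == null && "POST".equals(req.getMethod()) && "/login".equals(req.getServletPath())) {
                // Login form posted: the container's callback handler checks the password against the realm.
                String pw = req.getParameter("j_password");
                PasswordValidationCallback pv = new PasswordValidationCallback(client,
                        req.getParameter("j_username"), pw == null ? new char[0] : pw.toCharArray());
                handler.handle(new Callback[] { pv });
                if (!pv.getResult()) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return AuthStatus.SEND_FAILURE; }
                session.setAttribute(USER, pv.getUsername());
                String back = (String) session.getAttribute(SAVED_URL); session.removeAttribute(SAVED_URL);
                resp.sendRedirect(back != null ? back : req.getContextPath() + "/"); // back to the page first asked for
                return AuthStatus.SEND_CONTINUE;
            }
            if (user == null) {
                // Unprotected resource (e.g. the login page itself): pass it through instead of redirecting in a loop.
                if (!"true".equals(mi.getMap().get(MANDATORY))) return AuthStatus.SUCCESS;
                String url = req.getRequestURL() + (req.getQueryString() == null ? "" : "?" + req.getQueryString());
                session.setAttribute(SAVED_URL, url); // remember where the user wanted to go
                resp.sendRedirect(req.getContextPath() + "/login");
                return AuthStatus.SEND_CONTINUE;
            }
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, user) }); // re-establish the caller
            return AuthStatus.SUCCESS;
        } catch (Exception e) { throw new AuthException(e.getMessage()); }
    }
}
```

The saved URL is taken from the request itself, so the redirect stays on the application's own host; the `isMandatory` check is what keeps the SAM from looping on the login page, which the declarative constraints leave unprotected.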


If form authentication is not working for you, I would recommend switching to using a ServletFilter for authentication. You just get rid of your FORM based auth and add a mapping to the filter for the pages you wanted protected.

stevedbrown answered Nov 14 '22 16:11