JAAS automatic login without showing a login page/form

I have a Java webapp that uses Spring MVC. The webapp is running on a JBoss AS7.1 server that uses the JAAS login module with form authentication. Logging in works smoothly when the user fills in his username and password on the form.

I would now like to create a Java controller that "logs a user in" as if the user filled in the login form.

public void logInProgrammatically(String username, String password)
{
    //???
}

When the method above finishes, any access to any secured page should be allowed because the user is considered logged in.

Can this be programmed by accessing JBoss's implementation of the loginModule, and setting some property?

user1884155 asked Dec 14 '15 16:12


1 Answer

You can use the JAAS standard classes to achieve the authentication programmatically. Let's say we are using our custom LoginModule implementation (or any standard implementation), com.sample.CustomLoginModule. This login module is configured in the JBoss configuration XML.

Step 1: Define a security domain in JBoss. For other servers, the same information can be configured in JAAS config.

<security-domain name="customlogin" cache-type="default">
    <authentication>
        <login-module code="com.sample.CustomLoginModule" flag="required">
        </login-module>
    </authentication>
</security-domain>

Step 2: Use the custom login module to log the user in programmatically.

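// Requires javax.security.auth.callback.* and javax.security.auth.login.*
public void logInProgrammatically(String username, String password) throws LoginException {
    CallbackHandler handler = callbacks -> {   // hands the credentials to the login module
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName(username);
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
            else throw new UnsupportedCallbackException(cb);
        }
    };
    LoginContext ctx = new LoginContext("customlogin", handler); // security domain from Step 1
    ctx.login(); // throws LoginException if authentication fails
}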

With this solution, you are not bound to specific Application server APIs. This code is portable across any application server with JAAS config changes.

To authenticate programmatically using JAAS, see the tutorial from Oracle: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html

Mohit answered Oct 28 '22 14:10