Login to webapp2 from webapp1 using JAAS

Tags:

java

jaas

I have two Java webapps that run on the same JBoss server but in different domains:

  • http://host:port1/context1/
  • http://host:port2/context2/

All content on both websites is secured using a JAAS login module. I would now like to create a button inside app1 that goes to a page on app2. As predicted, I'm presented with the login screen from app2. I can successfully log in.

However, the users on both webapps are actually the same. That means that usernames/passwords that are valid for app1 are also valid on app2. I would like to program something to bypass the redundant security check. If app1 wants to access a page from app2, I would like to somehow pass along the j_username and the j_password to app2 so that app2 can immediately perform the security check. It's not a problem if I have to create an additional controller or JSP and use a redirect in this process. How can I directly pass a j_username and j_password so that the login screen is no longer shown, but the security check is still performed?

user1884155 asked Dec 14 '15 12:12

1 Answer

What you need is to implement single sign-on (SSO) using JAAS. Here you can find a tutorial that uses LDAP as the login module, but you will get the idea.

Since you already have the JAAS part configured, you only need to focus on the SSO part described starting on page 3. Basically, the idea is to configure one of the modules to share its state with the other application using useSharedState=true.

In your LoginModule you will use something like:

import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;

// Fields populated in initialize(Subject, CallbackHandler, Map sharedState, Map options).
// The shared-state map is shared by all LoginModules of one LoginContext.
private CallbackHandler handler;
private Map<String, Object> sharedState;
private Map<String, ?> options;

public boolean login() throws LoginException {
  String username;
  char[] password;
  // If useSharedState is true, reuse the username/password that a previous
  // module already stored in the shared state instead of prompting again.
  if ("true".equalsIgnoreCase(String.valueOf(options.get("useSharedState")))) {
    username = (String) sharedState.get("javax.security.auth.login.name");
    password = (char[]) sharedState.get("javax.security.auth.login.password");
  } else {
    // Get the username and password from the CallbackHandler
    NameCallback nameCb = new NameCallback("Username: ");
    PasswordCallback passCb = new PasswordCallback("Password: ", false);
    try {
      handler.handle(new Callback[] { nameCb, passCb });
    } catch (IOException | UnsupportedCallbackException e) {
      throw new LoginException("Could not obtain credentials: " + e.getMessage());
    }
    username = nameCb.getName();
    password = passCb.getPassword();
    // Save the username and password into the shared state for the next module
    sharedState.put("javax.security.auth.login.name", username);
    sharedState.put("javax.security.auth.login.password", password);
  }
  // ... communicate with the data store to authenticate this user;
  // throw FailedLoginException if the credentials are rejected
  return true;
}

Since you mentioned in your other question that you are using JBoss: as of JBoss version 5.0, you can use:

<Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="0"></Valve>

This will handle SSO for you automatically if you are using the WebAuthentication class.

dan answered Oct 10 '22 16:10
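The shared-state mechanism the answer describes can be exercised end to end without an application server. The following is an added example, not code from the question, the answer or JBoss: it chains two instances of one hypothetical LoginModule (`DemoLoginModule`) in an in-memory JAAS `Configuration`, the second configured with useSharedState=true, and authenticates both against a constructed user store (`USERS`). The option name `id` and the user `alice`/`s3cret` are constructed for the demo; the shared-state keys `javax.security.auth.login.name` and `javax.security.auth.login.password` are the conventional JAAS ones, with the password stored as a `char[]` as the standard modules do.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class SharedStateDemo {

  /** Module that prompts via callbacks, or reuses shared state when useSharedState=true. */
  public static class DemoLoginModule implements LoginModule {
    // Constructed user store standing in for the backend both webapps share.
    private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray());

    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private Map<String, ?> options;
    private boolean succeeded;

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
      this.handler = handler;
      this.sharedState = (Map<String, Object>) sharedState;
      this.options = options;
    }

    @Override
    public boolean login() throws LoginException {
      String username;
      char[] password;
      boolean useShared = "true".equalsIgnoreCase(String.valueOf(options.get("useSharedState")));
      if (useShared && sharedState.containsKey("javax.security.auth.login.name")) {
        // Later module in the chain: credentials were already collected once.
        username = (String) sharedState.get("javax.security.auth.login.name");
        password = (char[]) sharedState.get("javax.security.auth.login.password");
        System.out.println(options.get("id") + ": reusing credentials from shared state");
      } else {
        NameCallback nameCb = new NameCallback("Username: ");
        PasswordCallback passCb = new PasswordCallback("Password: ", false);
        try {
          handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
          throw new LoginException("Cannot collect credentials: " + e.getMessage());
        }
        username = nameCb.getName();
        password = passCb.getPassword();
        // Publish the credentials for the remaining modules of this LoginContext.
        sharedState.put("javax.security.auth.login.name", username);
        sharedState.put("javax.security.auth.login.password", password);
        System.out.println(options.get("id") + ": collected credentials via callbacks");
      }
      // Every module still verifies the credentials itself; only the prompt is skipped.
      char[] expected = USERS.get(username);
      succeeded = expected != null && Arrays.equals(expected, password);
      if (!succeeded) throw new FailedLoginException("Bad credentials for " + username);
      return true;
    }

    @Override public boolean commit() { return succeeded; }
    @Override public boolean abort() { return true; }
    @Override public boolean logout() { return true; }
  }

  /** In-memory equivalent of a JAAS config file with two chained REQUIRED modules. */
  static Configuration twoModuleConfig() {
    return new Configuration() {
      @Override
      public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        String cls = DemoLoginModule.class.getName();
        return new AppConfigurationEntry[] {
          new AppConfigurationEntry(cls, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
              Map.of("id", "app1-module")),
          new AppConfigurationEntry(cls, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
              Map.of("id", "app2-module", "useSharedState", "true")),
        };
      }
    };
  }

  public static void main(String[] args) throws LoginException {
    // Handler standing in for the login form; the second module never reaches it.
    CallbackHandler handler = callbacks -> {
      for (Callback cb : callbacks) {
        if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
        else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("s3cret".toCharArray());
        else throw new UnsupportedCallbackException(cb);
      }
    };
    LoginContext lc = new LoginContext("demo", new Subject(), handler, twoModuleConfig());
    lc.login();
    System.out.println("Login succeeded; both modules verified the same credentials");
  }
}
```

Running it prints one "collected credentials via callbacks" line followed by one "reusing credentials from shared state" line: the second module verifies the password against the store but never prompts. Note that the shared-state map lives only for the duration of one LoginContext, so it removes the duplicate prompt within a single login chain; carrying an authenticated session between two webapps on different ports is what the SingleSignOn valve in the answer is for.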