OpenID in Java EE 6 application - how to get Principal object for user


I'm playing with OpenID authentication in my app for the first time. I can successfully authenticate the user against the chosen provider, but I don't know how to correctly log the user in on a Java EE server so that it looks like the user was logged in with e.g. form-based login. I could use the Servlet 3.0 login, but it takes a username/password pair and I don't have passwords when using OpenID.

I'd like to be able to get a Principal object and use isUserInRole method etc. Am I missing something? I'm running this app on JBoss 7.1, but I suppose there should be a common way to do that. Or maybe I'm missing something and all that stuff with Principal and user roles is done differently when using OpenID?


There is 1 best solution below

I suppose there should be a common way to do that.

There indeed is. You need to create a so-called JASPIC authentication module. There already is one available for OpenID, see:

I could use Servlet 3.0 login but it takes username/password pair and I don't have passwords when using OpenID.

That's correct. You therefore need to call the Servlet 3.0 authenticate method instead. Because login is strongly tied to username/password, it will even throw an exception in Java EE 7 when you have defined your own auth module! (In Java EE 6 it's undefined what happens, but it typically just doesn't work.)

For some more examples of how to create OpenID-like auth modules in Java EE, see my own project OmniSecurity and an actual application making use of an earlier version of that project. (Unfortunately the code is a bit difficult to follow since it needed an extremely complex and convoluted workaround to get CDI to work with a JASPIC SAM, but hopefully it still allows you to see the general pattern.)
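To make the answer's pattern concrete, here is an added example of a minimal JASPIC ServerAuthModule (SAM) plus the servlet that triggers it through `HttpServletRequest.authenticate()`. This is not code from the question, the answer, or the OmniSecurity project. It assumes the application's own OpenID relying-party code has already verified the provider's assertion (signature, nonce, return_to) and only then stored the claimed identifier and a role list in the HTTP session under the hypothetical attribute names `openid.verified.identity` and `openid.roles`; the SAM never trusts request parameters for identity. The `/login` path and class names are also assumptions.

```java
import java.io.IOException;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Example SAM: turns a verified OpenID identity kept in the session into a container Principal. */
public class OpenIdSessionAuthModule implements ServerAuthModule {

    // Hypothetical session attribute names (assumption, not a standard).
    static final String IDENTITY_ATTR = "openid.verified.identity";
    static final String ROLES_ATTR = "openid.roles";
    // Standard JASPIC key: true when the target resource is protected by a security constraint.
    static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";

    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        // Identity comes only from the session, written after the OpenID assertion was verified.
        HttpSession session = request.getSession(false);
        String identity = session == null ? null : (String) session.getAttribute(IDENTITY_ATTR);
        String[] roles = session == null ? null : (String[]) session.getAttribute(ROLES_ATTR);
        boolean mandatory = Boolean.parseBoolean(String.valueOf(messageInfo.getMap().get(IS_MANDATORY)));

        try {
            if (identity == null) {
                if (!mandatory) {
                    return AuthStatus.SUCCESS; // unprotected resource, continue anonymously
                }
                response.sendRedirect(request.getContextPath() + "/login"); // hypothetical login page
                return AuthStatus.SEND_CONTINUE;
            }
            // Hand Principal and groups to the container; afterwards getUserPrincipal()
            // and isUserInRole() work exactly as they would after form-based login.
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, identity),
                new GroupPrincipalCallback(clientSubject, roles == null ? new String[0] : roles)
            });
            return AuthStatus.SUCCESS;
        } catch (Exception e) {
            throw (AuthException) new AuthException("OpenID SAM failed").initCause(e);
        }
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) subject.getPrincipals().clear();
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
}

/** Example return_to servlet: called by the OpenID provider after the user authenticated there. */
class OpenIdReturnServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // verifiedClaimedId(req) is a placeholder for the relying-party library call that
        // checks the provider's signed assertion and returns the claimed id, or null on failure.
        String claimedId = verifiedClaimedId(req);
        if (claimedId == null) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        req.getSession(true).setAttribute(OpenIdSessionAuthModule.IDENTITY_ATTR, claimedId);
        req.getSession().setAttribute(OpenIdSessionAuthModule.ROLES_ATTR, new String[] { "user" });
        // authenticate(), not login(): this re-runs the SAM, which now finds the session identity.
        if (req.authenticate(resp)) {
            resp.sendRedirect(req.getContextPath() + "/"); // isUserInRole("user") is now true
        }
    }

    private String verifiedClaimedId(HttpServletRequest req) { return null; } // replace with real verification
}
```

Registering the module is container-specific: on JBoss AS 7.1 it is done through a JASPI authentication block in the application's security domain rather than in web.xml, so the class above only becomes active once that configuration is in place. The important defensive property is the split of responsibilities: the servlet is the only place that trusts the provider's (verified) response, and the SAM trusts nothing but server-side session state, so a client cannot obtain a Principal by sending identity parameters directly.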