achabahe achabahe - 19 days ago 6
Java Question

How to authenticate and create session programmatically in security context

Hi i have an application that uses its own implementation for user to authenticate ,by saving a User pojo in the HttpSession and invalidating that HttpSession Object when the session is done, but what i want to do is to use the security context to authenticate the user.
let's say that i have servlet AuthenticateUserServlet:

public void doPost(HttpServletRequest req,HttpServletResponse resp)
throws ServletException,IOException{
String username=req.getParameter("username");
String password=req.getParameter("password");
if(Authenticator.check(username,password)){
HttpSession session=req.getSession(true);
session.setAttribute("user",Authenticator.getUser(username));
PrintWriter out= req.getWriter();
out.println("<h2>Welcome</h2>");

}else{
PrintWriter out= req.getWriter();
out.println("<h2>the password or username are incorrect</h2>");
}
}


the code above won't give me the power of security context so what i wan't is when i check that the user is ok to login tell in someway the security context that this user can access here are his roles
something like this inside my AuthenticateUserServlet:

public void doPost(HttpServletRequest req,HttpServletResponse resp)
throws ServletException,IOException{
String username=req.getParameter("username");
String password=req.getParameter("password");
LoginContext lc = new LoginContext("my-jaas",new MyCallbackHandler(username,password));
try{
lc.login();
//notice i have not save any thing in the HTTPSeession
//i want my container to remember this user like what happens in the
// form based authentication where nothing gets saved in the httpSession
// but the user keeps logged in(cartalina uses a session object not httpsession for that)
PrintWriter out= req.getWriter();
out.println("<h2>Welcome</h2>");
}
catch(LoginException e ){
PrintWriter out= req.getWriter();
out.println(e.getMessage());
}


}


i have created my own LoginModule ("my-jaas") and it works fine when i configure Form-Based authentication to work with it in tomcat7.

flo flo
Answer

With Servlet 3.0, there is a login method in HttpServletRequest (https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)) so you can login like

public void doPost(HttpServletRequest req,HttpServletResponse resp)
 throws ServletException,IOException{
     String username=req.getParameter("username");
     String password=req.getParameter("password");
     try{
        req.login(username, password);
        PrintWriter out= req.getWriter();
        out.println("<h2>Welcome</h2>");
     } catch(ServletException e ){
        PrintWriter out= req.getWriter();
        out.println(e.getMessage());
     }        
}
Comments