jsfjakarta-eeauthenticationjaasjaspic

Automatic login with HttpServletRequest and LDAP


I have a JSF web application that uses cookies for automatic authentication without prompting for username & password. It uses a cookie with username and a random UUID, and uses a WebFilter for redirection.

When there are no cookies on the client side, the authentication is done through HttpServletRequest #login(String username, String password). Behind the scenes, this approach uses JAAS authentication, and uses a LDAP server behind.

My problem comes when my application recognizes the user through the cookies holding the userid and the UUID. In this situation,

  1. the application doesn't know the password, so the method HttpServletRequest #login(String username, String password) cannot be used.
  2. Should I ask the password to the LDAP server through JNDI? This doesn't seem to be possible at a first glance
  3. Alternatively, I could store the password in my db. But this would mean duplication of information, and I don't like it.
  4. I have seen around people simply setting the attribute "role" to the session, but this doesn't seem to be equivalent to a JAAS login. With "equivalent" I mean being able to use isUserInRole() and getUserPrincipal() methods.

So, the question is: how am I supposed to log in the user in this case? I hope that the question is clearer now.

EDIT

In order to let the code speak, I add a simplified version of the Managed Bean:

@ManagedBean
@SessionScoped 
public class loginBean() {
    private String username = null;
    private String password = null;
    private UUID uuid = null;
    private boolean rememberMe = false;

    public void doLogin() {
        checkCookies();   // this method sets the property values after checking if 
                          // username & uuid match the ones saved previously
        if (username != null && uuid != null && rememberMe) {
            // authenticate automatically. Here I don't know how to proceed, because 
            // I don't have the password, unless I have saved it in the application's db,
            // duplicating it because it's already in LDAP server.
        } else {
            httpServletRequest.login(username, password);  // this uses LDAP behind JAAS
            createCookies();  // this method also saves username & uuid in the app's db
        }
    }

Solution

  • To do an actual container login in a custom way (in your case via an cookie and UUID instead of the password), you need to create your own login module.

    The dedicated API in Java EE for this is JASPI/JASPIC (people can never quite agree on the name, complicating eg google queries).

    A login module is in full control and does not have to authenticate with the ldap server (if your app can locally verify with 100% certainty that the cookie is valid). You probably do have to authorize the user (ask the ldap server for the roles/groups the user has).

    As an alternative to JASPI/JASPIC you can also look at the proprietary login module mechanism that your server is using.