Tags: java, security, jboss7.x, jaas

Java and JBoss 7: j_security_check Custom Implementation


I have this case: a login form uses DatabaseServerLoginModule, and all authentication data is stored in the database in separate tables. I need to pass a flag, j_usertype (from a drop-down list), to j_security_check so that DatabaseServerLoginModule can switch between the tables and fetch the particular user.

Any ideas?


Solution

  • You can easily add more parameters to the login form. You'll need to write your own login module, of course. The problem is then getting the added parameters into the login module!

    There is no standards-compliant way to add extra parameters to the j_security_check as such (which is a shame - lots of people have needed to do this).

    However, there is a crafty way to achieve the same effect. There is an obscure but useful security specification called the Java Authorization Contract for Containers (JACC). It does a number of things; one of the more obscure and questionable is that it gives you a way to access various objects related to the current request from anywhere in the call stack. You do this using the PolicyContext class, which has a static method getContext. This obtains objects from "policy context handlers" identified by string keys. Some such handlers are required in the specification, including:

    4.6.1.3 HttpServletRequest Policy Context Handler

    All Servlet containers must register a PolicyContextHandler whose getContext method returns a javax.servlet.http.HttpServletRequest object when invoked with the key “javax.servlet.http.HttpServletRequest”. When this handler is activated, the container must return the HttpServletRequest object corresponding to the component request being processed by the container.

    Putting that together, you can do:

    // getContext is declared to throw javax.security.jacc.PolicyContextException
    HttpServletRequest request = (HttpServletRequest) PolicyContext.getContext("javax.servlet.http.HttpServletRequest");


    Once you have a HttpServletRequest, you can easily get arbitrary request parameters with getParameter.

    I am duty-bound to point out that I am not the first person to suggest this. That answer also suggests the slightly better form:

    HttpServletRequest request = (HttpServletRequest) PolicyContext.getContext(HttpServletRequest.class.getName());
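The approach in the answer above, as an added example that is not part of the original answer: a helper a custom login module could call to turn the `j_usertype` request parameter into a fixed, parameterized query chosen from an allow-list, so the user-supplied value never reaches the SQL text. The class name, the user-type values and the table and column names are all assumptions.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical helper: resolves j_usertype to one of a fixed set of password queries. */
public final class UserTypeQueryResolver {

    // Assumed user types and table/column names. The request parameter only selects
    // one of these constant strings; it is never concatenated into SQL.
    private static final Map<String, String> PRINCIPALS_QUERIES;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("customer", "SELECT password FROM customers WHERE username = ?");
        m.put("employee", "SELECT password FROM employees WHERE username = ?");
        PRINCIPALS_QUERIES = Collections.unmodifiableMap(m);
    }

    private UserTypeQueryResolver() { }

    /** Reads j_usertype from the request the container is currently processing. */
    public static String principalsQueryForCurrentRequest() throws LoginException {
        HttpServletRequest request;
        try {
            request = (HttpServletRequest)
                    PolicyContext.getContext(HttpServletRequest.class.getName());
        } catch (PolicyContextException e) {
            LoginException le = new LoginException("Cannot obtain request from JACC");
            le.initCause(e);
            throw le;
        }
        if (request == null) {
            // Login attempted outside an HTTP request: fail closed.
            throw new LoginException("No HTTP request bound to this login attempt");
        }
        return principalsQueryFor(request.getParameter("j_usertype"));
    }

    /** Allow-list lookup; a missing or unknown type fails the login. */
    static String principalsQueryFor(String userType) throws LoginException {
        String query = (userType == null) ? null : PRINCIPALS_QUERIES.get(userType);
        if (query == null) {
            throw new FailedLoginException("Unknown user type");
        }
        return query;
    }
}
```

The login module would call `principalsQueryForCurrentRequest()` before its password lookup and bind the username as the single `?` parameter.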