3

We have an existing Java EE application running under WebLogic and I want to authenticate a user programmatically as though the user was logged in via the existing web login process. That is to say, in the end, I want to have a valid session (cookie) that can be returned to the caller and later returned back to the server without re-authentication. (This is to enable JAX-WS stateful Web Service calls).

We have a custom LoginModule that, when the user logs in via Forms Authentication, is eventually called via j_security_check. I guess what I'd like to do is to somehow get WebLogic to invoke that LoginModule on my behalf, ask me for the credentials, and yield an authenticated session and a valid subject etc. (i.e. all the JAAS goodness).

Is this a JAAS thing? Is there a WebLogic call?

2 Answers

2

You can do this using the HttpServletRequest#login method. This will trigger the same kind of login chain that would otherwise be executed if your user accessed a protected resource.


3 Comments

Thank you very much for the reply Arjan. Unfortunately, in our case, we are not using Servlet 3.0. We are using Servlet 2.5 and the login (and authenticate) methods are not supported. Is there anything like this in the 2.5 version?
In Servlet 2.5 there's nothing like this unfortunately. JBoss and GlassFish both have a proprietary mechanism, but I don't know if this is available in WebLogic. Might be worth a shot to look for it.
Thank you again, Arjan, for responding.
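
A sketch of the programmatic login the answer above describes, added here as an example and not taken from the original posts. It requires a Servlet 3.0+ container (so it does not apply to the asker's Servlet 2.5 setup); the `/programmatic-login` path and the `username`/`password` parameter names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical endpoint: path and parameter names are assumptions for this example.
@WebServlet("/programmatic-login")
public class ProgrammaticLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing credentials");
            return;
        }

        // login() throws ServletException if a caller identity is already
        // established on this request, so clear it first.
        if (request.getUserPrincipal() != null) {
            request.logout();
        }

        // Discard any pre-login session so a session ID issued before
        // authentication is never promoted to an authenticated one (session fixation).
        HttpSession preLogin = request.getSession(false);
        if (preLogin != null) {
            preLogin.invalidate();
        }
        // Create the fresh session before login() so a session exists for the
        // container to associate with the authenticated caller.
        request.getSession(true);

        try {
            // Runs the container's configured login chain (realm / login module).
            request.login(username, password);
        } catch (ServletException e) {
            // Same response for every failure: do not reveal whether the user exists.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed");
            return;
        }
        // The session cookie for the new session is returned with this response.
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Serve this endpoint only over TLS, since the credentials travel in the request body and the resulting session cookie is a bearer credential.
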
0

WebLogic security uses a security service plug-in (SSPI) architecture that allows you to implement security providers. Container (such as servlet) authentication is handled by authentication providers that use the SSPI. An authentication provider wraps a JAAS login module.

Writing and configuring security providers is extensively documented.

If you implement an authentication provider to wrap your login module and configure it for the WebLogic domain, it will be called automatically by the WebLogic security framework for all container authentication.
