JAAS, Servlets, and Authentication

Hi,

I've been trying to get JAAS authentication working in a web based application and am running into some problems - I'm hoping that someone can clarify.

Ideally, I would like to set up form-based authentication on the web app, authenticate the user ONCE, and the have the app server (servlet engine) remember that the user has been authenticated (Servlets 2.2 Single Sign-on style) and not require further logons. From there, it seems natural that the subject associated with the user would be fed as the context for any subsequent method calls requiring authorization.

All of the discussions and examples that I've seen involve a client java application instantiating the LoginContext and executing one or a series of method calls. My question is: What happens when you login through a servlet in a traditional web app and establish a session? Does the users have to pass his/her credentials every time? I could store the Subject on the HttpSession object and obtain the Subject and redo authentication each time but that seems silly. Is a sessioned web-based scenario not appropriate for JAAS or am I missing something?

Has anyone accomplished this with Tomcat/JBoss?

Also, what is the proper usage of the doAs() method and action class? It also seems odd that a client would have to call these methods prior to executing any code that required authorization (given that the user has a session). It seems like that would be a perfect job for an App Server to handle - right?

[1535 byte] By [eglerk] at [2008-1-25]