Posted to users@tomcat.apache.org by Vincent Delhommois <vi...@voila.fr> on 2006/02/28 09:17:27 UTC

j_security_check and JAAS => GOOD or BAD ?

Hello,
When I look at all the JAAS examples, I see that you have to use the following code to use the LoginModule, etc...
    LoginContext lc = new LoginContext("MyExample");
    try {
        lc.login();
    } catch (LoginException e) {
        // Authentication failed.
    }
The "MyExample" is the name that you can retrieve in the jaas.conf.
What is the link between the j_security_check and JAAS ?
Is that a good thing to use j_security_check and my custom LoginModule ? Right works fine except I don't use the LoginContext lc = new LoginContext("MyExample");
Thanks for your comments.

Re: j_security_check and JAAS => GOOD or BAD ?

Posted by Franck Borel <bo...@ub.uni-freiburg.de>.
Hi Vinc,


> Hello,
> When I look at all the JAAS examples, I see that you have to use the
> following code to use the LoginModule, etc...
> LoginContext lc = new LoginContext("MyExample");
>     try {
>         lc.login();
>     } catch (LoginException e) {
>         // Authentication failed.
>     }
> The "MyExample" is the name that you can retrieve in the jaas.conf.
> What is the link between the j_security_check and JAAS ?

You can use JAAS in different contexts. It's not necessarily a Tomcat
thing. Tomcat comes with a FORM-authentication, this is what you are
using. Now, to make JAAS work with the FORM-authentication (notice that
the FORM-authentication also works without JAAS!), you use a JAAS-realm.
A JAAS-Realm is a class that implements the class Realm and wraps an
authentication type. This is what I think you mean by "link".

> Is that a good thing to use j_security_check and my custom
> LoginModule ? Right works fine except I don't use the LoginContext lc =
> new LoginContext("MyExample");
> Thanks for your comments.

Using j_security_check is always a good idea if you want to
authenticate a user with username/password and if you don't need any
other results than "user was authenticated" and "user authentication
failed". If you need more than a simple username/password combination to
authenticate a user, like an IP address or other extra attributes, you
will need another tool to do so (or rewrite classes in the
org.apache.catalina.authenticator :-)). To get more sophisticated
results in your error-login.jsp like "account expired" or "insufficient
rights" you will also need something different from j_security_check.
In this case you can try to use filters.

-best regards

Franck
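
Added example (not part of the thread, and not Tomcat's or either poster's code): a minimal custom LoginModule as Tomcat's JAASRealm would call it when the login form posts to j_security_check. The realm builds the LoginContext for the configured appName itself, which is why the application never writes new LoginContext("MyExample"). The package "example", the class names and the "alice" credential are assumptions made up for illustration.

```java
// server.xml: <Realm className="org.apache.catalina.realm.JAASRealm" appName="MyExample"
//     userClassNames="example.UserPrincipal" roleClassNames="example.RolePrincipal"/>
// jaas.conf:  MyExample { example.DemoLoginModule required; };
package example; // hypothetical package; all class names here are illustrative
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class DemoLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String user; // non-null only after login() has succeeded
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nc, pc }); // the realm answers with j_username / j_password
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        char[] pw = pc.getPassword();
        pc.clearPassword();
        // Constructed credential check for the demo; a real module asks its user store here.
        boolean ok = "alice".equals(nc.getName()) && pw != null && MessageDigest.isEqual(
                new String(pw).getBytes(StandardCharsets.UTF_8), "constructed-demo-pw".getBytes(StandardCharsets.UTF_8));
        if (!ok) throw new FailedLoginException("bad credentials");
        user = nc.getName();
        return true;
    }
    public boolean commit() {
        if (user == null) return false; // login() did not succeed, contribute nothing
        subject.getPrincipals().add(new UserPrincipal(user));
        subject.getPrincipals().add(new RolePrincipal("user")); // compared with <role-name> in web.xml
        return true;
    }
    public boolean abort() { user = null; return true; }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); user = null; return true; }
}
class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String n) { name = n; }
    public String getName() { return name; }
}
class RolePrincipal extends UserPrincipal { RolePrincipal(String n) { super(n); } }
```

Because login() can only succeed or throw, the login error page still learns nothing beyond "failed", which is the limitation described in the reply above.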




