Programmatically logging in with PostgresRealm


Robert L. Kirby

Apr 27, 2022, 12:45:55 PM
to WildFly
How can a POST request programmatically log a new user in? WildFly 26 contains an EAR with a WAR with most authentication via a FORM, which accesses a PostgresRealm with PostgreSQL 11 tables of users and roles via a Datasource. However, when a potential new user POST requests their proposed user name, password with verification, and other relevant information, previous versions of the EAR running on JBoss 5.1 could use the org.jboss.web.tomcat.security.login.WebAuthentication login(name,pwd) method to automatically authenticate the new user, who has supplied and verified their password, which an EJB had added to the database. Asking the user to supply credentials yet again seems unnecessary and annoying. After logging in, the POST response would display an editable profile for the new user in their browser.

Bob

Diana Krepinska

Apr 28, 2022, 9:20:55 AM
to WildFly
Programmatic login can be achieved by obtaining a current SecurityDomain and by using one of the authenticate methods which will give you a SecurityIdentity. Then you can use one of the runAs methods of the SecurityIdentity, if this is what you need. Btw there is an example that updates/displays the user's attributes here if it helps.
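The API path described in this reply, as an added example that is not code from the thread or from WildFly: authenticate against the current Elytron SecurityDomain to obtain a SecurityIdentity, then run an action as that identity. It assumes the deployment's security domain is an Elytron domain backed by the realm that reads the PostgreSQL user and role tables, and that the wildfly-elytron classes are visible to the deployment (the server provides the module, so the Maven dependency should be scoped "provided").

```java
// Added example, not code from the thread or from WildFly. Assumes the
// deployment runs under an Elytron security domain (so SecurityDomain.getCurrent()
// is non-null during request processing) and that wildfly-elytron is on the
// classpath as a provided dependency.
import java.util.Arrays;
import java.util.concurrent.Callable;

import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.evidence.PasswordGuessEvidence;

public final class ElytronProgrammaticLogin {

    private ElytronProgrammaticLogin() {
    }

    /**
     * Verifies username and password against the security domain associated
     * with the calling thread and returns the resulting identity.
     *
     * @throws RealmUnavailableException if the realm (here the database) cannot be reached
     * @throws SecurityException         if the credentials are rejected
     */
    public static SecurityIdentity authenticate(String username, char[] password)
            throws RealmUnavailableException {
        SecurityDomain domain = SecurityDomain.getCurrent();
        if (domain == null) {
            // Happens when called outside a request that the container has
            // associated with an Elytron security domain.
            throw new IllegalStateException("no security domain on the current thread");
        }
        PasswordGuessEvidence evidence = new PasswordGuessEvidence(password);
        try {
            return domain.authenticate(username, evidence);
        } finally {
            // Wipe the clear-text guess from both copies once it has been checked.
            evidence.destroy();
            Arrays.fill(password, '\0');
        }
    }

    /**
     * Runs an action with the given identity as the caller, e.g. so that an EJB
     * invoked from inside the action sees the new user's roles. The identity
     * applies only for the duration of the call.
     */
    public static <T> T runAs(SecurityIdentity identity, Callable<T> action) throws Exception {
        return identity.runAs(action);
    }

    /** Example usage after the registration EJB has inserted the new user row. */
    public static String loginAndDescribe(String username, char[] password) throws Exception {
        SecurityIdentity identity = authenticate(username, password);
        return runAs(identity, () -> {
            // Inside the action the thread's current identity is the one we passed in.
            SecurityIdentity current = SecurityDomain.getCurrent().getCurrentSecurityIdentity();
            StringBuilder roles = new StringBuilder();
            for (String role : current.getRoles()) {
                roles.append(role).append(' ');
            }
            return current.getPrincipal().getName() + " roles: " + roles.toString().trim();
        });
    }
}
```

Note what this does and does not give you: a SecurityIdentity for use in code on the current thread. It does not by itself create an HTTP session, store the identity there, or set a session cookie, which is the part of the old WebAuthentication.login behaviour the next post asks about.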

Robert L. Kirby

May 1, 2022, 7:49:17 PM
to WildFly
Since the new username and password were just created, authentication should be straightforward. However, the Tomcat WebAuthentication.login did many activities within its call from a HttpServlet including:
- Finding or creating an HttpSession.
- Installing authentication information in the HttpSession.
- Propagating single-sign-on.
- Generating session cookies (if the user allows).
- Preparing for HttpServletResponse.encodeURL when cookies are not allowed.
What are the Undertow interfaces to perform such activities? Will just creating a SecurityIdentity do it all?

On Thursday, April 28, 2022 at 6:20:55 AM UTC-7 Diana Krepinska wrote:
Programmatic login can be achieved by obtaining a current SecurityDomain and by using one of the authenticate methods which will give you a SecurityIdentity. Then you can use one of the runAs methods of the SecurityIdentity, if this is what you need. Btw there is an example that updates/displays the user's attributes here if it helps.

Robert L. Kirby

May 19, 2022, 7:44:36 PM
to WildFly
Since Servlet 3.0, the HttpServletRequest interface has specified login and logout methods. The new login method acts as a replacement for Tomcat WebAuthentication.login. No explicit access of the SecurityDomain is needed.
I still invalidate my session to logout rather than use the new logout method, which might leave remnants of the session.

Bob Kirby
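The registration flow this post settles on, as an added example that is not code from the thread: a servlet that stores the new account through an EJB and then calls HttpServletRequest#login, the Servlet 3.0 replacement for Tomcat's WebAuthentication.login. It assumes WildFly 26 with the javax.servlet API, FORM authentication configured in web.xml against the application's PostgreSQL-backed realm, and an injected EJB named UserAccounts (a hypothetical name) whose create method writes the user and role rows in the form the realm expects.

```java
// Added example, not code from the thread or from WildFly. Assumes the javax
// namespace (WildFly 26), FORM auth against the PostgreSQL-backed realm, and a
// hypothetical EJB `UserAccounts` that inserts the user and role rows using the
// same password hashing the realm is configured to verify.
import java.io.IOException;

import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/register")
public class RegisterServlet extends HttpServlet {

    @EJB
    private UserAccounts accounts; // hypothetical EJB; creates the rows the realm reads

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        String verify = req.getParameter("verify");

        if (username == null || username.isEmpty() || password == null || !password.equals(verify)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "password and verification differ");
            return;
        }
        if (req.getUserPrincipal() != null) {
            // The spec makes login() throw when a caller identity is already
            // established, so refuse rather than silently re-authenticate.
            resp.sendError(HttpServletResponse.SC_CONFLICT, "already logged in");
            return;
        }

        // Persist first: the realm must be able to find the user before login().
        if (!accounts.create(username, password.toCharArray(), "user")) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "username already taken");
            return;
        }

        // Discard any pre-authentication session so a session id an attacker
        // planted in the browser cannot become an authenticated one (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        try {
            // Validates against the deployment's realm; afterwards getUserPrincipal()
            // returns the new user and the container tracks the login for later requests.
            req.login(username, password);
        } catch (ServletException e) {
            // The row exists but the realm rejected the credentials: usually a
            // hashing or encoding mismatch between the EJB and the realm, or a
            // realm cache. Fall back to the normal FORM login rather than leaking why.
            log("programmatic login failed for newly created user", e);
            resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/login"));
            return;
        }

        // encodeRedirectURL keeps the session when the browser rejects cookies
        // (the URL-rewriting case the earlier post listed).
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/profile"));
    }
}
```

Two checks worth keeping in a real deployment: the EJB must hash the password exactly as the realm's password mapper expects, otherwise every login() after registration fails with the ServletException handled above; and the session is invalidated before login(), not after, so the authenticated state lands in a fresh session id.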

Diana Krepinska

May 25, 2022, 8:01:57 AM
to WildFly
Yes, you are right, when migrating from Tomcat's WebAuthentication.login this method is more appropriate: https://jakarta.ee/specifications/platform/8/apidocs/javax/servlet/http/httpservletrequest#login-java.lang.String-java.lang.String- . The deployment should have security configured as normal. The SecurityDomain doesn't have to be accessed.