Pluggable Authentication in the Glassfish Web Tier
By monzillo on Jan 22, 2008
JSR 196 defines a generic SPI that extends the concepts of JAAS to the authentication of network messages. The spec defines profiles that establish contracts for the use of the SPI in specific contexts. The first profile defined in the spec is called the Servlet Container Profile. This profile defines what a compatible Servlet container must do in order to support integration of portable JSR 196 server authentication modules (i.e., SAMs). The profile also establishes the requirements that a SAM must satisfy for it to be pluggable in a compatible Servlet container. The spec and its associated javadocs may be found at JSR 196.
Glassfish is a compatible implementation of the Servlet Container Profile, and you can see a sample SAM (for use in any compatible Servlet container) at SPNEGO SAM. It is relatively easy to implement a SAM, and I will be making more samples available (e.g., an OpenID SAM) for people to learn from and try out. The SPI is also planned for inclusion in EE 6.0.
The SPI and the Servlet Container Profile:
- The SPI defines a Subject-based contract that allows the SAM to return more than just a single principal, and to do so without relying on proprietary APIs.
- The SPI also defines callbacks that are made available to the SAM, so that the SAM can enlist services of the container: to distinguish the "user" principal among those in the returned Subject, to establish group principals in a form understood by the container authorization system, to validate a username and password at the realm bound to the application, or to gain access to the keystores of the container.
- The profile makes it possible for the SAM to manage sessions, by ensuring that the SAM is called regardless of whether an authentication session has already been established, and with sufficient context that the SAM can force authentication for requests to resources which are covered by a Servlet auth-constraint.
- Write a ServerAuthModule (i.e., a SAM), which mostly boils down to implementing the following method:

```java
AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException;
```

  The Servlet Container Profile defines what will be passed to the SAM via messageInfo (i.e., the HttpServletRequest, HttpServletResponse, and a Map of property values).
- Package your SAM in a jar, and place your jar in the glassfish lib directory.
- Configure the SAM for use with your application. This may be done in 2 steps:
  - Define your SAM as a message-security-provider in domain.xml (see the example in To create an JSR196 httpservlet provider).
  - Bind the SAM for use with your application. You can do this by defining the httpservlet-security-provider attribute in the sun-web-app.xml corresponding to your app. The value of the attribute is the name you assigned to your SAM in step 1.
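As an added example (not code from the post, from the SPNEGO sample, or from Glassfish), here is a minimal SAM that ties together the points above: it reads the profile's isMandatory property from messageInfo to decide whether an auth-constraint covers the resource, validates an HTTP Basic username and password at the application's realm through PasswordValidationCallback, and then names the caller and group principals through CallerPrincipalCallback and GroupPrincipalCallback. It assumes the JSR 196 1.0 API (javax.security.auth.message.*), the Servlet API, and Java 8 for java.util.Base64; the package name, class name, "realm" option and "users" group are hypothetical.

```java
// Added example, not GlassFish code: a minimal HTTP Basic ServerAuthModule.
// Package, class, the "realm" option and the "users" group are hypothetical.
package com.example.sam;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BasicAuthSam implements ServerAuthModule {

    // Servlet Container Profile key: "true" when the target resource is covered
    // by an auth-constraint, so the SAM must authenticate the caller.
    private static final String IS_MANDATORY =
        "javax.security.auth.message.MessagePolicy.isMandatory";

    private CallbackHandler handler;                // container-supplied, drives the profile callbacks
    private String realmName = "example";           // challenge realm; the "realm" option overrides it
    private final String[] groups = { "users" };    // hypothetical group granted to every valid caller

    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
        if (options != null && options.get("realm") instanceof String) {
            realmName = (String) options.get("realm");
        }
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        boolean mandatory = Boolean.parseBoolean(String.valueOf(messageInfo.getMap().get(IS_MANDATORY)));
        String[] creds = parseBasicCredentials(request.getHeader("Authorization"));
        try {
            if (creds == null) {
                if (!mandatory) {
                    // No auth-constraint and no credentials: continue as an unauthenticated caller.
                    handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (String) null) });
                    return AuthStatus.SUCCESS;
                }
                return challenge(response);
            }
            // Validate at the realm bound to the application, via the container.
            PasswordValidationCallback pvc =
                new PasswordValidationCallback(clientSubject, creds[0], creds[1].toCharArray());
            handler.handle(new Callback[] { pvc });
            pvc.clearPassword();
            if (!pvc.getResult()) {
                return challenge(response);
            }
            // Name the caller principal and its groups in the form the container understands.
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, creds[0]),
                new GroupPrincipalCallback(clientSubject, groups) });
            return AuthStatus.SUCCESS;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("callback handling failed").initCause(e);
        }
    }

    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;   // nothing to add to the response
    }

    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) subject.getPrincipals().clear();
    }

    // Set up a 401 challenge; SEND_CONTINUE tells the container to send it as-is.
    private AuthStatus challenge(HttpServletResponse response) {
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_CONTINUE;
    }

    // Returns {user, password} from a "Basic <base64>" header, or null when the
    // header is absent or malformed (handled the same as no credentials).
    static String[] parseBasicCredentials(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String pair;
        try {
            pair = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
        int colon = pair.indexOf(':');
        return colon < 0 ? null : new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }
}
```

To wire this up in Glassfish following the two configuration steps above: add a provider-config with provider-type="server", a provider-id such as BasicAuthSam, and class-name="com.example.sam.BasicAuthSam" under the message-security-config whose auth-layer is HttpServlet in domain.xml (a property element named realm there is what the initialize method reads from its options map), then set httpservlet-security-provider="BasicAuthSam" on the sun-web-app element of the application. Because the container calls validateRequest for every request, a null caller principal on an unconstrained resource is what lets public pages through while still forcing the 401 challenge wherever an auth-constraint applies.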
ps: I described how you can use one of the config systems bundled with Glassfish to configure a SAM for use with your application. You can also use JSR 196 to replace the config system and thereby change the way the SAM is configured. More on that later.