37 Responses to “Perform a JAAS programmatic login in Jboss – try to solve the “empty” remote user problem”

  1. Anil Saldhana Says:

    Glad that you found our “Programmatic Web Login” feature useful.

  2. roneiv Says:


    Yes, indeed! I really welcome this feature 🙂 I left a message for you at your blog, but thanks anyway!

  3. Rami Says:

    hey man,

    sorry to bother you, but i am quite desperate with the following:

    as you seem to be an expert on JBoss JAAS i will really appreciate some help here.


  4. roneiv Says:

    Rami, I’ve posted a reply on the thread you were pointing to, hopefully this will be able to solve your problems. As soon as I have time I will also do a post here using the same examples.

    Regards, Eivind

  5. Using WebAuthentication in Jboss « Eivind’s Weblog Says:

    […] Perform a JAAS programmatic login in Jboss – try to solve the “empty” remote user p… Blog at WordPress.com. • Theme: Garland by Steven Wittens and Stefan […]

  6. Alex Says:

    hey Eivind,

    i’m not the lucky one because i’m using jboss 4.2.0. Have you any idea where i could find some more information about the “longer path to walk”… to get the login information to the web tier ?


  7. roneiv Says:


    Sorry I haven’t replied to your comment before now, for some reasons it was picked up by Akismet and put inside the spam folder.

    But I would have to dissappoint you when it comes to your question, I spent a lot of time and tried a lot of stuff to do a proper programmatic logon with jboss versions prior to 4.2.2, but didn’t succeed..

    I guess if you want to dig into it a place to start could be the source code for jboss and see what the j_security_check actually does, and then figure out if you’re able to redo this programmatically.

    But for me digging this far was not worth it as I didn’t have any negative consequences/problems upgrading to 4.2.2, and then there was a solution ready to use..

    Sorry I couldn’t be of more help!

  8. MakkaPakka Says:

    This is great, a big improvement.

    However, how do we get the exceptions thrown from the login module?

    For instance, my custom login module may throw a credential expired exception or fail when logging into an external host system. How do I get that exception when using WebAuthentication so I can act accordingly?

    A bool flag just doesn’t cut it.

    Thanks for the article.

  9. roneiv Says:

    Hi MakkaPakka,

    It is a very good question you ask, I struggled with the same, and unfortunately I didn’t find any good answers. I had a look at the source of WebAuthentication, hoping that I could override the login() method and perhaps return some status codes depending on login-module, but I didn’t manage and didn’t have too much available time to look into this.

    Still I felt like using the programmatic login insted of old j_security_check, so I did some sort of a “workaround” by using a class I named LoginManager. The LoginManager has methods like doesExist(), isActive(), hasExpired() and so on. So I basically do some testing myself before passing the username/credentials on to the WebAuthentication login-method. The big downside by doing something like this is that you in many ways need to duplicate the work done by the login-module, and your LoginServlet also needs to have “knowledge” about what type of authentication store you use (db,ldap,properties-files etc).

    Hopefully there will be some more possibilities handling this with jboss 5 🙂



  10. MakkaPakka Says:

    Thanks for the reply Eivind.

    This has been a source of frustration for some time now. It’s a massive problem with the environment.

    I tried using a LoginContext directly and making a bean call to force the authentication, but that only partially works as you’re still not authenticated in tomcat.

    Not being able to get the precise authentication errors in this day and age is ridiculous.

    If I have any joy I will share it here.

  11. MakkaPakka Says:

    Take a look at org.jboss.web.tomcat.security.HttpServletRequestLoginModule in jboss. Think you can stash the failure in the session and then get it back in your bean when WebAuthentication.login fails.

    Hacky but may well work.

    I will try it and let you know.

  12. Prem Says:

    This is a very good post. WebAuthentication class was a very handy class. It solves many of my problems in using j_security_check. In my experiance its better to do programmatic web authentication (ActiveAuthentication) than relying on the j_security_check (not a flexible implementation at all).

  13. Prem Says:

    Hi Eivind
    I got a question. Is there any standard way to pass some thing else other than the status of the authentication,authorisation form loginmodules.

    In my scenario i have to login to a thrid party system and when i login they give a session id (of that system ) and all subsequent request to that system requires this id. So basically when the user access my app there are 2 login modules. These are chained. One is the sites own login and other is the loginmodule for the 3rd party system. My current solution is to insert the session id got from the 3rd party system to a database from the loginModule and pick it from the action class from the web tier. Is this the correct method or any other standard method exists for the same ?

  14. roneiv Says:


    Thank you for your interest in my post. 🙂

    Unfortunately I don’t know of any standard way of handling the scenario you described. Do you pass the session id to the 3rd party system as a url-parameter?

    The only idea I can think of, If you don’t want to handle this in your action class, is to use a filter that on all requests set this parameter for you. Or, I guess there could be possibilities to use something like the org.jboss.web.tomcat.security.HttpServletRequestLoginModule, during login set this id in the session and retrieve it from there? I’ve never tried this myself, but I’ve heard others speaking of such possibilites.

    Sorry I couldn’t help you out more on this. 🙂

  15. Prem Says:

    Hi Eivind,

    Thanks for the reply. I think the HttpServletRequestLoginModule sounds a good option.
    I can add this module also to the JAAS chain and from this module i can set the value in session.

  16. George Hatg Says:

    Hi guys,

    Unfortunatelly the LoginContext.login() method did not work for me! Login is performed accordingly to my DatabaseLoginModule but when the pages does not authenticate and tomcat remains unauthenticated leaving the login page…

    I even placed a filter making a login but tomcat still remains unauthenticated!

    Any suggestions?

  17. roneiv Says:


    To be able to help you I need a bit more information.. 🙂

    I don’t know why your LoginContext.login() doesn’t work, but the best way to start is to get some more debug about what’s going on. Have a look at this page (http://www.jboss.org/community/docs/DOC-12198) and add the debugging statements for the sequrity layer. Then see if you get some more information.

    Also, I can say that for jboss the role ‘Roles’ are required for all users to be able to log on. 🙂

  18. Andrei Says:

    Hello everyone

    I am am struggling to implement this solution. I am using jboss-4.2.2.
    loginContext.login() completes successfully ( I am using DatabaseServerLoginModule) but webAuthentication.login(name,pass) throws exception.

    llegalStateException: request is null at org.jboss.web.tomcat.security.login.WebAuthentication.login(WebAuthentication.java:80)

    What am I missing? Can somebody give a hint please?

    Thank you

  19. roneiv Says:


    If you have the time you could perhaps test the scenarios described in this post? https://roneiv.wordpress.com/2008/03/15/using-webauthentication-in-jboss/
    Just to be able to discover where the error might be. 🙂

    The source of your problem could be different things, the login-config.xml, the web.xml etc.

    In login-config, have you remembered to include the “Roles” role in your roles-query? It is a mandatory group in jboss, without it authentication fails.

    Also, in your web.xml you need to have at least ONE role defined in auth-constraint that is a valid role for the user you try to log on with. 🙂

    Possibly you could also add debugging statements of the security layer to see if something strange is going on. Follow the explanations here: http://www.jboss.org/community/docs/DOC-12198)

    Good luck!

  20. Micah Says:


    Im running into the same problem with JBOSS 4.2.2. Has anyone found a solution.



  21. Jigna Joshi Says:

    I have tried Programmic WebAuthentication in JBoss portal 2.6.6..
    i m calling LoginServelt from login.jsp and it’s working fine..
    in LoginServlet.java
    WebAuthentication webAuthentication = new WebAuthentication();
    if(webAuthentication.login(user, pass))
    System.out.println(”In Web Authentication “);

    System.out.println(”redirectUrl : “+redirectUrl);
    String referer = req.getHeader(”Referer”);


    This is working fine if i login from login link on Portal home page..but, in my real scenario i ve to login it from outside..so i m running one simple html throgh apache
    http://localhost/scripts/login.html..in this login.html i m calling LoginServlet of Portal..

    it is doing Authentication but not doing authorization…and so if do do re-login..it works…
    Am i missing something, please help me..
    thanx in advance

  22. Richard Says:

    Fantastic tutorial m8. Thanks a million. This one really saved my day. 🙂

  23. Kashi Says:

    Hi Jigna,
    instead of sendredirect()
    plz use a dispathcer .

  24. twistedmind Says:


    I’ve found the maven depencency for JBoss 5.0.0. Do be able to import the WebAuthentication add the following maven depencency to your pom:


    After that you can import the class:

    import org.jboss.web.tomcat.security.login.WebAuthentication;

  25. anu Says:

    thanks for the nice article…

  26. mgibson77 Says:

    I’ve been trying to do JAAS form based authentication on jboss but its failing all the time…
    please take a look at my posting, it has not been answered since I post it on the jobss community forum.


  27. Decaffeination – the "Software-Development-With-Humour" blog of Konstantin Spirov » Blog Archive » Mission Possible: Generic JEE Inegration Between JOSSO 1.8.1 Agent, Seam 2.2.0 and JBoss 5.1.0.GA Says:

    […] between JBoss 4 and JBoss 5 (if you want to fight this problem, good luck: you can start from here and here. Please share the results if you […]

  28. Dominique Says:

    Dear roniev,

    You just saved me lots of effort with you post.
    I really thank you.

  29. xearo Says:

    hey man, you totally saved the day! thank you so much, you rock!

  30. Jean Says:

    Did you try it in JBoss 7?

  31. Charlie Says:

    Can anyone point me in direction for finding reference to configure jboss seam project to use oracle access manager for authentication and authorizaion?

  32. dev_work_sv@hotmail.com Says:

    Is there an update in place for JBoss 5.1.0??

Leave a Reply to Rami Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: