Writing a Custom JAAS Login Module
I wrote a custom login module that integrates with Netegrity Siteminder authentication API
I want the login module to reads the user credential from the request header instead of getting
the user credential from the default login page.
I replace the default login module and added the necessary source to a plugin jar file as instructed
<!-- <login-module /> -->
<login-module />
I expect when I attempt to access the Teamcity server URL the login page would not popup but the
login module would read the request header instead. Unfortunately the login screen is display every time
and only after hitting the submit button does the SiteminderLoginModule module gets called.
My question is how can the login page be bypassed and all authentication occur from the SiteminderLoginModule?
If I type the following URL http://localhost:8081/TeamCity/ it always redirects to http://localhost:8081/TeamCity/login.html
which causes the login.jsp to be loaded. I need to bypass the login page and have the controller read the user Subject
created in the SiteminderLoginModule and redirect the user to the project page.
How can the login page be bypassed? Can a custom controller be written to read the user credential from the Subject created
in the login module? What is the best approach to resolve this issue?
Please sign in to leave a comment.
Paul,
This is not directlry possible, but there is a workaround.
This is not the first time we've been aproached with the question so I created the feature request on this and tried to describe the workaround in the comment to the issue.
Feel free to ask questions on the approach.
BTW, did you consider sharing your plugin with other users who might benefit from the integration with Netegrity Siteminder?
If you can make the plugin publicly available we will include a link to it in our plugins list.
Yegor I will share it with the forum although it only works on JBoss. JBoss is the only application server that provides an API that allows you to retrieve the HttpServletRequest object
from within a LoginModule. If you or anyone at JetBrains know of a cleaner way to retrieve the request object then please share that knowledge with me.
Paul,
Actually the plugin I attached to the issue gets HttpServletRequest in CustomLoginController.java
The entire thing is non-trivial and requires modification of login.jsp in TeamCity, but to improve it is the point of the isseu.
Yegor, I know you are getting the HttpServletRequest object in the CustomLoginController I need the HttpServletRequest
in the CustomLoginModule. Most LoginModules assumes user credential is retreived from a login in dialog or screen. In the case
of Siteminder the authentication is done by the time it redirects the request to the Teamcity application and the user credential is
in the request header so there is no need to show the login screen (dialog) since the authentication is already done.
My SiteminderLoginModule done get the user credential from the request header and populate the ServerPrinciple the problem is the
SiteminderLoginModule get called after the submit button is pressed on the login dialog screen. Ideally I don't want to show the login
screen at all I just need to call the controller that gets call when the submit button is pressed. Currently when the login screen pops up
I don't need to enter a username and password. All I do is hit the submit button and the SiteminderLoginModule takes care of the rest.
I suspect that I just need to modify login.jsp to do a submit on load but there is no <body> tag to add the some javascript code to the effect
onload="document.loginForm.submit();" which would give the effect of login without showing the login dialog.
In the SiteminderLoginModule the only way to get the HttpServletRequest object is to add the JBoss specific code snippet:
HttpServletRequest request = null;
try {
request = (HttpServletRequest) PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
}
catch (PolicyContextException e) {
e.printStackTrace();
}
PolicyContext and PolicyContextException are JBoss specific classes and this is not a clean solution unless you are deploying Teamcity to
JBoss as my company is doing. While this isn't an issue for me JetBrains should find a clean way to make the HttpServletRequest object available to the
LoginModule so that the plugin would work on any application server that Teamcity can be deployed to.