I have a three-part question related to JBoss 5 Authentication (in the Web/EJB containers):
1. Is there a way to propagate an identity other than the username that was specified during login? For example, using the DatabaseServerLoginModule, I want to authenticate the user with a username/password but return the user's id, and not username, when ejbContext.getCallerPrincipal() or httpRequest.getUserPrincipal() is called.
2. Even better, I want to make a custom login module which returns a User object (probably an entity which was loaded from the database). However, even if I wrap that User object up nicely in a Principal subclass in my login module, the EJB layer never gets that object. Instead, the EJB layer always gets a SimplePrincipal when getCallerPrincipal is called.
3. I want to be able to trigger a login programmatically, as described in WebAuthentication. However, I need to do this without knowing the password. Imagine a customer service interface where a customer service agent can log in to the application as an end-user. They would click a "login-as" button and we should be able to programmatically log them in as a user, without ever knowing the user's password (the customer service agent is already authenticated himself). You could also have this same scenario with "forgot password", which uses an alternate login mechanism to authenticate the user and then programmatically logs them in.
Thanks!
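Added example for parts 1 and 2 of the question, written for this page and not taken from the question, from JBoss or from any project: a custom JBoss 5 login module built on the real `org.jboss.security.auth.spi.UsernamePasswordLoginModule` base class that authenticates with username/password but names the caller principal by the user's id. The class `UserIdLoginModule`, the `UserIdPrincipal` type and the in-memory `USERS` table standing in for a database query are all hypothetical. Because the question reports that the EJB container hands back a `SimplePrincipal` whatever Principal class the module produces, the example does not depend on its class surviving: it puts the id in `getName()`, on the assumption (not verified here) that the container preserves at least the principal's name when it re-wraps it. Part 3 (login without a password) is deliberately not folded into this module; a delegated "login-as" belongs in a separate module keyed to the agent's already-authenticated identity and authorization, so that the ordinary password path stays unchanged and each impersonation is attributable to the agent.

```java
import java.security.Principal;
import java.security.acl.Group;          // JBoss 5 / Java 6 era API
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Hypothetical login module (added example, not JBoss code): the user logs in
 * with a username and password, but the identity handed to the container is
 * named by the user's numeric id instead of the username.
 */
public class UserIdLoginModule extends UsernamePasswordLoginModule {

    /** Principal whose name is the user id; the username rides along for logging. */
    public static final class UserIdPrincipal implements Principal {
        private final long userId;
        private final String username;

        public UserIdPrincipal(long userId, String username) {
            this.userId = userId;
            this.username = username;
        }

        public long getUserId() { return userId; }
        public String getUsername() { return username; }

        // The id goes into getName(): if the container copies only the name into
        // a SimplePrincipal (assumption), getCallerPrincipal().getName() still
        // yields the id rather than the username.
        public String getName() { return Long.toString(userId); }

        public String toString() { return "UserIdPrincipal[" + userId + "/" + username + "]"; }
    }

    /** Constructed stand-in for the rows DatabaseServerLoginModule would query. */
    private static final class UserRecord {
        final long id;
        final String password;
        final String[] roles;
        UserRecord(long id, String password, String... roles) {
            this.id = id; this.password = password; this.roles = roles;
        }
    }

    // Constructed sample data; a real module would read these from the database.
    private static final Map<String, UserRecord> USERS = new HashMap<String, UserRecord>();
    static {
        USERS.put("alice", new UserRecord(1001L, "alice-secret", "Customer"));
        USERS.put("bob",   new UserRecord(1002L, "bob-secret", "Customer", "Agent"));
    }

    /** Row matched during getUsersPassword(); null until lookup succeeds. */
    private UserRecord record;

    /** The base class compares this expected value with the submitted password. */
    protected String getUsersPassword() throws LoginException {
        record = USERS.get(getUsername());
        if (record == null) {
            // Same failure as for a wrong password, so usernames are not enumerable.
            throw new FailedLoginException("Invalid username or password");
        }
        return record.password;
    }

    /** Called by commit() after the base class has accepted the password. */
    protected Principal getIdentity() {
        if (record != null) {
            return new UserIdPrincipal(record.id, getUsername());
        }
        return super.getIdentity();
    }

    /** Roles group consumed by the container's authorization checks. */
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles");
        if (record != null) {
            for (String role : record.roles) {
                roles.addMember(new SimplePrincipal(role));
            }
        }
        return new Group[] { roles };
    }
}
```

To wire it in, the module is referenced from an `application-policy` entry in `login-config.xml` as the `code` of a `login-module` with flag `required`, in place of `DatabaseServerLoginModule`. If the container does re-wrap the identity as a `SimplePrincipal`, only the name survives, which is exactly why the id is placed there; the extra `getUserId()`/`getUsername()` accessors are then usable only inside the login module itself.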
1) Not that familiar with the DatabaseServerLoginModule but shouldn't the user's id also be their username? Usernames should be unique at least?
(Well after reading the rest of your question maybe this is not helpful...)
Answering my own question from two years ago: since the time I wrote this question, we've switched over to Spring Security and found it to be much more flexible than what's available in JBoss alone. My recommendation to anyone looking for a real solution to this problem is to give up on the container-provided authentication and take a good look at Spring Security.