
Tomcat and Jaas authentication servlet in a form-based security constraint

I have a security constraint that covers some pages in my web application. Authentication is done with JAAS and a login form, and it works fine (I've successfully implemented my LoginModule).

However I need an alternate authentication via servlet.

That's the code of the servlet:

try {
    // Custom CallbackHandler that hands the token to the LoginModule
    TokenCallbackHandler tokenCallbackHandler = new TokenCallbackHandler(properties, token);

    // "myApp" is the entry name in the JAAS login configuration
    LoginContext lc = new LoginContext("myApp", tokenCallbackHandler);
    lc.login();
} catch (LoginException e) {
    e.printStackTrace();
}

Debugging the code, I saw that initialize, login and commit were called without error. The servlet returns an HTML page with a JS snippet that redirects to a protected resource:

function doRedirect() {
    location.href = "/protectedPath/ProtectedResource.html";
}
// Pass the function itself rather than a string to be eval'd
window.setTimeout(doRedirect, 1);

But when the browser tries to get the protected page, the app server returns the login page.

What am I missing? Is it possible that with the JS redirect I'm losing the session cookie? Or is it possible that the problem is that I'm trying to access (through a redirect) a protected resource from an unprotected resource?

-- EDIT ---

I've taken a look at the cookies: when I log in with the servlet it returns a session cookie, and when I try to get a protected resource I can see the browser passing that session cookie to the server, but it seems to get refused; in fact the server responds with another session cookie and goes to the login form page.

-- EDIT ---

Solved in another way.

After some investigation of the Tomcat authentication mechanism I realized that what I was trying to do was wrong.

Having defined a security constraint and a form login config to protect my resources, I have told Tomcat to manage authentication its own way. So as long as I don't pass through Tomcat's authentication workflow I can't authenticate anything. I also discovered that it's not possible to configure different login configurations in the same web application, so having defined form authentication prevents me from authenticating in other ways. Probably what I will need is a custom implementation of the class BaseAuthenticator (the base class for FormAuthenticator, BasicAuthenticator, etc., containing the code for the respective login configuration), but I'm not sure that it would be a good idea; maybe a security filter would be a better solution.

Not knowing anything about security filters in Tomcat, I temporarily managed to solve my problem by simulating a form authentication in my servlet (really awful, I know).
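The reason the LoginContext approach above never satisfies the security constraint is that a standalone LoginContext only builds a JAAS Subject inside the servlet; it never tells Tomcat's authenticator to associate a Principal with the HTTP session, so the next request to a protected path is treated as anonymous and the FormAuthenticator redirects to the login page. The supported way to log in from your own servlet without bypassing the container is the Servlet 3.0 `HttpServletRequest.login(username, password)` method, which Tomcat routes through the configured authenticator and Realm (for example JAASRealm) and which registers the resulting Principal in the session. The servlet below is an added example written for this page, not code from the original post; the servlet path `/tokenLogin` and the parameter names are assumptions, and it targets the `javax.servlet` API (Tomcat 7 to 9). Note that JAASRealm passes the credentials to the LoginModule as a NameCallback and PasswordCallback, so a LoginModule that expects a custom token callback would need a custom Realm or a LoginModule that accepts the token through the password callback.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed servlet path; it must lie outside the protected <security-constraint>.
@WebServlet("/tokenLogin")
public class TokenLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Credentials must only travel over TLS.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }
        // Assumed parameter names; the "password" slot carries whatever
        // credential the Realm/LoginModule expects (a password or a token).
        String user = req.getParameter("username");
        String credential = req.getParameter("password");
        if (user == null || credential == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        try {
            // Servlet 3.0: Tomcat delegates to the web app's configured
            // authenticator, which calls Realm.authenticate() (e.g. JAASRealm)
            // and registers the Principal in the session on success. This is
            // what a bare LoginContext.login() in the servlet never does.
            // Tomcat throws ServletException if the user is already logged in
            // or if the Realm rejects the credentials.
            req.login(user, credential);
        } catch (ServletException e) {
            // Do not echo the reason to the client; log it server-side instead.
            getServletContext().log("login failed for user " + user, e);
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Defence against session fixation: issue a fresh session id after the
        // session becomes authenticated (Servlet 3.1; Tomcat's authenticator
        // usually does this already, so calling it again is harmless).
        if (req.getSession(false) != null) {
            req.changeSessionId();
        }

        // A server-side 302 replaces the client-side JavaScript redirect; the
        // browser sends the (now authenticated) JSESSIONID cookie with the
        // follow-up GET, so the security constraint is satisfied.
        resp.sendRedirect(req.getContextPath() + "/protectedPath/ProtectedResource.html");
    }
}
```

If the Realm accepts the credential, a subsequent GET of `/protectedPath/ProtectedResource.html` with the same JSESSIONID is served instead of redirected to the form; if it rejects it, the client gets a 401 and no session state changes. Because the login goes through the container, roles from the Realm are also available to `isUserInRole()` and to `<auth-constraint>` checks, which a session flag set by hand in the servlet would not provide.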

If you want to do serious work with authentication and authorization management, you should consider using a well established framework such as Apache Shiro or Spring Security. The latter at least allows for concurrent authentication schemes (HTTP Basic and login form by default, but many others are possible).

The technical posts on this site are licensed under CC BY-SA 4.0.