
Authenticate credentials with LDAP for specific requests

I have a web application that I deploy using JBoss 5.2. In order for a user to use the application, he/she must authenticate with an LDAP server (using simple authentication) with a username and password. This is all done through setting up the login-config.xml for JBoss and providing a <login-module> with our implementation.

The problem comes in here: After having logged in, I have a scenario that requires the user to provide a username & password when a particular action is performed (which I will also authenticate with the LDAP server). I want to be able to reuse the same mechanism that I use for authenticating the user into the web application.

My form to log in to the application posts to j_security_check so in accordance with this, I was trying to send a request to j_security_check but JBoss returns a 404. From reading around a bit, I've gathered that j_security_check cannot be accessed by any arbitrary request and must be in response to a challenged request to a secured resource.

So then, how can I authenticate the second set of credentials the user has provided with the same LDAP server?

EDIT:

To clarify, the question is how to send the user's credential inputs to the LDAP server for authentication. Grabbing the input from the user, etc. is all done. All that is left is to take this input and send it to the LDAP server and get the response (which is where I am stuck).

If it helps to mention, the login to the web application uses a custom class that extends UsernamePasswordLoginModule.

So, after lots of research, I ended up finding a solution for JBoss environments (which is what I'm using).

Once you capture the user's credentials, you send them to your server via a POST/GET and your server can perform the following to use whatever authentication policy you have configured (in login-config.xml) to verify the credentials:

import org.jboss.web.tomcat.security.login.WebAuthentication;

// Runs the credentials through the login modules of the web app's security domain
WebAuthentication webAuthentication = new WebAuthentication();
boolean success = webAuthentication.login(username, password);

To expand on this, I was also able to check the user's role/group via the HttpServletRequest (which is passed into my server-side handler):

boolean userIsInRole = servletRequest.isUserInRole("nameOfGroup");
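As an added example (not code from the answer above), here is what the server-side handler that receives the second set of credentials can look like on JBoss 5/6 with WebAuthentication. It is a step-up check for a sensitive action, so it refuses GET (credentials in a query string end up in access logs and browser history), rejects an empty password before it reaches the directory (an LDAP simple bind with an empty password is an unauthenticated bind and some servers answer it with success), and only accepts the name of the user who is already logged in, because WebAuthentication.login is also a programmatic web login and accepting another username would switch the session to that user. The parameter names j_username/j_password, the role nameOfGroup and the stepUpAt session attribute are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jboss.web.tomcat.security.login.WebAuthentication;

// Step-up re-authentication endpoint for a sensitive action (example only).
public class StepUpAuthServlet extends HttpServlet {

    // Hypothetical role the sensitive action requires.
    private static final String REQUIRED_ROLE = "nameOfGroup";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Credentials must never travel in a query string: they would land in
        // access logs, proxy logs and browser history. Reject GET outright.
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getUserPrincipal() == null) {
            // Step-up only makes sense for a user who already has a session.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String username = req.getParameter("j_username"); // assumed form field names
        String password = req.getParameter("j_password");

        // Reject an empty password before it reaches LDAP: a simple bind with an
        // empty password is an unauthenticated bind (RFC 4513) and many
        // directories answer it with success, which would look like a valid login.
        if (username == null || password == null || username.isEmpty() || password.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "username and password required");
            return;
        }
        // Tie the step-up to the session's own identity: WebAuthentication.login
        // also performs a programmatic web login, so accepting a different
        // username would re-bind the session to that user.
        if (!username.equals(req.getUserPrincipal().getName())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "credentials must belong to the current user");
            return;
        }

        // Same login modules as the form login (login-config.xml), so the same LDAP check.
        WebAuthentication webAuthentication = new WebAuthentication();
        boolean success = webAuthentication.login(username, password);
        if (!success) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "re-authentication failed");
            return;
        }
        if (!req.isUserInRole(REQUIRED_ROLE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing role " + REQUIRED_ROLE);
            return;
        }
        // Record when the step-up happened (hypothetical attribute); the sensitive
        // action checks this timestamp and only honours it for a short window.
        req.getSession().setAttribute("stepUpAt", Long.valueOf(System.currentTimeMillis()));
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The handler for the sensitive action then reads stepUpAt from the session and refuses to proceed if it is missing or older than the window you choose; that keeps the re-authentication bound to the action instead of granting a second long-lived login.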

The Spring Security documentation explains this.

Wanted to add another answer for JBoss 6.2+, where WebAuthentication no longer exists. I've used the creation of a LoginContext to achieve the same result:

import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

String SECURITY_DOMAIN_NAME = "ssd"; // the security domain's name from standalone.xml

String username = "user";
String password = "password";

LoginContext lc = null;
try {
    // The JAAS configuration name is the security domain name; the domain's
    // login modules (e.g. the LDAP module) are what verify the credentials.
    lc = new LoginContext(SECURITY_DOMAIN_NAME, new UsernamePasswordHandler(username, password.toCharArray()));
    lc.login();
    // successful login
} catch (LoginException loginException) {
    // failed login
}

And then use lc.getSubject().getPrincipals() to verify roles.
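As an added example (not the answer's own code), here is the LoginContext approach from the answer above wrapped into a reusable check that also extracts the roles from the Subject. It guards against an empty password before the directory is contacted (an LDAP simple bind with an empty password is an unauthenticated bind, which some servers accept), reads roles from the Group principal named "Roles" that JBoss/PicketBox login modules populate, and logs the temporary Subject out again so the check does not leave a second authenticated identity behind. The domain name "ssd" and the sample user/password/role names are assumptions carried over from the answer.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

// Re-check a username/password against a JBoss security domain via JAAS and
// return the roles the domain's login modules assigned (example only).
public final class DomainReauth {

    private static final String SECURITY_DOMAIN_NAME = "ssd"; // assumed domain name from standalone.xml
    private static final String ROLES_GROUP = "Roles";        // JBoss/PicketBox puts roles in a Group named "Roles"

    private DomainReauth() {}

    // Returns the role names on success; throws LoginException on failure.
    public static Set<String> authenticate(String username, char[] password) throws LoginException {
        // Guard before touching the directory: an empty password is an unauthenticated
        // bind in LDAP (RFC 4513) and some servers accept it, which would look like success.
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            throw new LoginException("username and password are required");
        }
        LoginContext lc = new LoginContext(SECURITY_DOMAIN_NAME,
                new UsernamePasswordHandler(username, password));
        try {
            lc.login();                      // runs the domain's login modules (e.g. LDAP bind)
            return rolesOf(lc.getSubject());
        } finally {
            // Discard the temporary Subject: we only wanted a yes/no plus roles,
            // not a second authenticated identity lingering on the thread.
            try { lc.logout(); } catch (LoginException ignored) { }
            // Wipe the cleartext password as soon as it is no longer needed.
            Arrays.fill(password, '\0');
        }
    }

    // Collects the member names of the "Roles" group principal on the Subject.
    static Set<String> rolesOf(Subject subject) {
        Set<String> roles = new HashSet<String>();
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof Group && ROLES_GROUP.equals(p.getName())) {
                Enumeration<? extends Principal> members = ((Group) p).members();
                while (members.hasMoreElements()) {
                    roles.add(members.nextElement().getName());
                }
            }
        }
        return Collections.unmodifiableSet(roles);
    }

    public static void main(String[] args) {
        try {
            // Sample credentials and required role are assumptions for the example.
            Set<String> roles = authenticate("user", "password".toCharArray());
            System.out.println("re-authenticated; roles: " + roles);
            if (!roles.contains("admin")) {
                System.out.println("missing required role 'admin'");
            }
        } catch (LoginException e) {
            System.out.println("re-authentication failed: " + e.getMessage());
        }
    }
}
```

java.security.acl.Group is what JBoss 6.x era servers (Java 7/8) use for the role set; it was removed from the JDK in Java 14, so on a newer runtime the role container type comes from the PicketBox classes instead.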

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.