Thread: Existing JAAS Form Login, moving to spring security

  1. #1
    Join Date
    Sep 2011
    Posts
    2

    Hi All,

    We have a web application that is using JAAS via form login. A login page is presented and the user enters username/password and the authentication is done in our case by WebSphere.

    We are now removing a home-grown authentication mechanism to use Spring Security but I wish to keep our existing JAAS setup.

    I only seem to have in my web.xml

    Code:
     <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>My Realm</realm-name>
        <form-login-config>
          <form-login-page>
            /jaas/login.do
          </form-login-page>
          <form-error-page>
            /jaas/failed.do
          </form-error-page>
        </form-login-config>
      </login-config>
    jsp :
    Code:
     <form action="j_security_check" method="post">

    I have the Spring Security book and cannot seem to find an example of where to hook in with JAAS. I see the documentation at:
    http://static.springsource.org/sprin...ence/jaas.html but I am not exactly sure what I need to fill in for ;/WEB-INF/login.conf etc.

    Am I missing some obvious piece of documentation or is my approach correct?

    Appreciate any feedback.

  2. #2
    Join Date
    Jan 2008
    Posts
    1,826

    Quote Originally Posted by lenovo123
    We have a web application that is using JAAS via form login. A login page is presented and the user enters username/password and the authentication is done in our case by WebSphere.

    The JAAS authentication provided in Spring Security 3.0.x will only work when you are using ConfigFile JAAS configuration which does not occur by default on an IBM JDK. Spring Security 3.1.x allows any implementation of JAAS Configuration to be used and provides a basic DI implementation. See the reference for more details on this. Note that 3.1.x is not a production release yet, but you can always fork that chunk of code until 3.1 is released.

    We are now removing a home grown authentication mechanism to use spring security but I wish to keep our existing JAAS setup.

    Quote Originally Posted by lenovo123
    I only seem to have in my web.xml
    ...

    You seem to be missing quite a few things (i.e. the springSecurityFilterChain, ContextLoaderListener, Spring Config, etc.) for Spring Security to work. See the reference for more information.

    Quote Originally Posted by lenovo123
    I have the Spring Security book and cannot seem to find an example of where to hook in with JAAS. I see the documentation at:
    http://static.springsource.org/sprin...ence/jaas.html but I am not exactly sure what I need to fill in for ;/WEB-INF/login.conf etc.

    The login.conf is the syntax for a standard login configuration file as described in the Configuration class. Spring Security 3.1.x provides a sample that uses JAAS.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
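
The pieces named in the reply above, as an added example that is not part of the thread or of the Spring Security samples: the web.xml entries plus a 3.0.x-style JaasAuthenticationProvider pointed at a login.conf. The file name security-context.xml, the context name MyRealm and the com.example classes are assumptions; per the reply, this ConfigFile-based setup does not work by default on an IBM JDK.

```xml
<!-- web.xml: the listener and filter that Spring Security requires -->
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/security-context.xml</param-value> <!-- assumed file name -->
</context-param>
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- /WEB-INF/security-context.xml, inside <beans> with the "security" namespace declared -->
<security:http auto-config="true">
  <security:intercept-url pattern="/**" access="ROLE_USER"/>
</security:http>
<security:authentication-manager>
  <security:authentication-provider ref="jaasAuthenticationProvider"/>
</security:authentication-manager>

<bean id="jaasAuthenticationProvider"
      class="org.springframework.security.authentication.jaas.JaasAuthenticationProvider">
  <property name="loginConfig" value="/WEB-INF/login.conf"/>
  <!-- must match the entry name used in login.conf (assumed name) -->
  <property name="loginContextName" value="MyRealm"/>
  <!-- hand the submitted username and password to the JAAS LoginModule -->
  <property name="callbackHandlers">
    <list>
      <bean class="org.springframework.security.authentication.jaas.JaasNameCallbackHandler"/>
      <bean class="org.springframework.security.authentication.jaas.JaasPasswordCallbackHandler"/>
    </list>
  </property>
  <!-- hypothetical AuthorityGranter: maps JAAS principals to role names such as ROLE_USER -->
  <property name="authorityGranters">
    <list><bean class="com.example.security.PrincipalRoleGranter"/></list>
  </property>
</bean>

<!-- /WEB-INF/login.conf (JAAS syntax, not XML); the module class is a placeholder:
     MyRealm {
         com.example.security.ExampleLoginModule required;
     };
-->
```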

  3. #3
    Join Date
    Sep 2011
    Posts
    2

    Thanks for your reply.

    We actually took a decision to remove this complexity within our Authorisation layer and just use the supported LDAP lookups. Worked so quick and now integrates a lot better with our authorisation data stored in our databases.

    Thank you.




    Quote Originally Posted by rwinch
    The JAAS authentication provided in Spring Security 3.0.x will only work when you are using ConfigFile JAAS configuration which does not occur by default on an IBM JDK. Spring Security 3.1.x allows any implementation of JAAS Configuration to be used and provides a basic DI implementation. See the reference for more details on this. Note that 3.1.x is not a production release yet, but you can always fork that chunk of code until 3.1 is released.

    We are now removing a home grown authentication mechanism to use spring security but I wish to keep our existing JAAS setup.



    You seem to be missing quite a few things (i.e. the springSecurityFilterChain, ContextLoaderListener, Spring Config, etc) for Spring Security to work. See the reference for more information.



    The login.conf is the syntax for a standard login configuration file as described in the Configuration class. Spring Security 3.1.x provides a sample that uses JAAS.
