Welcome.

     Friday, July 02, 2004     Communicating back from a JAAS LoginModule

Along the lines of things that are simple and you never realized...

I was trying to figure out how a JAAS LoginModule could communicate back to a JSP login page that was named in a login-config. I wanted to be able to let a user know when a specific login was disabled and they would need to contact a system admin.

It's obvious enough if you are doing the login programatically, you can catch an exception from the login and use that. But it wasn't obvious to me how it would work when logging in through j_security_check. There are various ways you could do it with posting first to another page, then forwarding back around to the login, or using an unsecured filter or an AuthFilter
in WebLogic.

Well, surprisingly to me, it's just as easy as the programatic way. Just throw a LoginException in your LoginModule when you detect the condition:


throw new javax.security.auth.login.FailedLoginException("User is disabled");


and in your jsp that is your form-error-page:


<%@ page isErrorPage="true" %>
...
<%
if (exception != null) {
out.println( exception.getMessage() );
}
%>


And it's as easy as that. If you're running this in WebLogic, you'll also need to make sure that your LoginModule is the first, or you'll just get an exception from the default LoginModule.