0

I have a legacy webapp that currently authenticates users in a servlet. That is, it calls LoginContext.login() from a servlet.

As part of my upgrades, I'd like to add new web pages that use declarative authentication through the web.xml file. And I want the old web pages to continue using the servlet authentication. Eventually, I'll redo the old web pages to use the new authentication.

However, the new pages don't inherit the authentication done from the servlet. They come up as unauthenticated, without a userPrincipal in the request.

With the existing servlet, I end up with a Subject. Is there any way I can call something so that OC4J will set the user principal from the Subject's one principal?

Gary Kephart
  • I'm trying different stuff here. On one of the old pages, I changed the menu bar to point to one of the new pages. I added JSESSIONID to the URL hoping that the existing session would be used. However, it looks like a new session is being created. So, as an example, on /jobs.app the menu bar has a link to /secure/spsas.jsp?JSESSIONID=... No luck. – Gary Kephart Feb 07 '13 at 02:08
  • The old pages are under Spring MVC control while the new pages are under Struts control, if that makes a difference. Never mind why the difference. – Gary Kephart Feb 07 '13 at 02:12
  • Even more info. The old stuff is at the top level of the context (like /myapp/jobs.app) and the new stuff is one level down (like /myapp/secure/spsas.jsp). I want the new stuff to be secured by what's in web.xml instead of using LoginContext. – Gary Kephart Feb 07 '13 at 02:28

1 Answer

0

Found it:

  // http://docs.oracle.com/html/E13977_01/authoriz.htm#BABHJJCJ
  // oc4jclient.jar, oc4j-unsupported-api.jar
  oracle.oc4j.security.Security.setSubject(subject, Longevity.SESSION);
Gary Kephart