4.1. Introduction to authentication and authorization

4.1.1. Login modules
4.1.2. Different authentication workflows
4.1.3. Authorization

Authentication in GateIn Portal is based on JAAS and, by default, it is standard J2EE FORM-based authentication. However, the authentication workflow is not entirely straightforward, because GateIn Portal supports many different authentication use cases so that you can adapt the authentication process to your needs.

In GateIn Portal, the following types of authentication are supported:

First, in the $PLATFORM_JBOSS_HOME/gatein/gatein.ear/portal.war/WEB-INF/web.xml file, you will see that authentication can be triggered by accessing the secured URL /dologin:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>user authentication</web-resource-name>
    <url-pattern>/dologin</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>users</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

This means that accessing a URL such as http://localhost:8080/portal/dologin directly triggers J2EE authentication if the user is not logged in. Accessing this URL also requires the user to be in the JAAS group users; otherwise he/she can authenticate but will receive an HTTP error such as 403 Forbidden.

In the next part of the file, you can see that authentication is FORM-based and starts with a redirect to the /login URL, which is mapped to LoginServlet.

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>gatein-domain</realm-name>
  <form-login-config>
    <form-login-page>/login</form-login-page>
    <form-error-page>/login</form-error-page>
  </form-login-config>
</login-config>

LoginServlet simply redirects the user to the login page placed in gatein/gatein.ear/portal.war/login/jsp/login.jsp.

So if you want to change the look and feel of this login page, you can edit this JSP file. Alternatively, if you do not want to edit it directly, you can create an extension and override the page through that extension. You can also change or override the images or CSS placed in gatein/gatein.ear/login/skin.

After the user has submitted the login form, he/she is redirected to the login URL, which looks like http://localhost:8080/portal/login?username=root&password=gtn&initialURI=/portal/classic and is again mapped to LoginServlet. LoginServlet now triggers the WCI login, which delegates to the Servlet API (the method HttpServletRequest.login(String username, String password), available in Servlet 3.0). Additionally, it triggers the WCI authentication listeners. The login through the Servlet API delegates to JAAS.
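As an added example (not GateIn or eXo code), the following Python parses the two web.xml fragments shown above, the security-constraint for /dologin and the FORM login-config, and reports the settings a reviewer would check, such as a login trigger whose transport-guarantee is NONE. The embedded web.xml and its Java EE xmlns are constructed here to mirror those fragments; the real portal.war/WEB-INF/web.xml may contain more.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the portal.war/WEB-INF/web.xml fragments shown above.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user authentication</web-resource-name>
      <url-pattern>/dologin</url-pattern>
      <http-method>POST</http-method><http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>users</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method><realm-name>gatein-domain</realm-name>
    <form-login-config>
      <form-login-page>/login</form-login-page><form-error-page>/login</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def parse_web_xml(text):
    """Return the login-config and every security-constraint as plain dicts."""
    root = ET.fromstring(text)
    for el in root.iter():  # drop the namespace so tags match the names in the file
        el.tag = el.tag.rsplit("}", 1)[-1]
    constraints = []
    for sc in root.findall("security-constraint"):
        wrc = sc.find("web-resource-collection")
        constraints.append({
            "patterns": [p.text for p in wrc.findall("url-pattern")],
            "has_auth": sc.find("auth-constraint") is not None,
            "roles": [r.text for r in sc.findall("auth-constraint/role-name")],
            # Servlet spec default when user-data-constraint is absent is NONE.
            "transport": sc.findtext("user-data-constraint/transport-guarantee", "NONE"),
        })
    return {"auth_method": root.findtext("login-config/auth-method"),
            "login_page": root.findtext("login-config/form-login-config/form-login-page"),
            "constraints": constraints}

def audit_login_constraints(text):
    """Findings a reviewer would raise: trigger unprotected, or reachable without TLS."""
    findings = []
    for c in parse_web_xml(text)["constraints"]:
        where = ",".join(c["patterns"])
        if not c["has_auth"]:
            findings.append(f"{where}: no auth-constraint, so the container requires no login")
        if c["transport"] != "CONFIDENTIAL":
            findings.append(f"{where}: transport-guarantee {c['transport']}, TLS not required")
    return findings
```

Run against the sample, the audit reports that /dologin is protected by the users role but can be reached without TLS because its transport-guarantee is NONE.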

Copyright ©. All rights reserved. eXo Platform SAS