Get HttpSession/Request in a JAAS Login Module

2019-02-18 06:04发布

问题:

I'm trying to obtain the HttpSession or Request in my Login Module. I already tried JACC, but it didn't work.

I need this because I have to put a captcha in a login window. Maybe some JAAS ninja knows a better way to do that. I'm using kaptcha to do that.

thanks in advance.

回答1:

I do exactly that in my applications running on JBoss AS.

Here's what I do to access the HttpServletRequest from within the login module:

HttpServletRequest request = (HttpServletRequest) PolicyContext.getContext(HttpServletRequest.class.getName());

Then I get the session, extract the captcha and validate it against the request parameter from the screen. After I authenticate the user, I remove the captcha parameter from the session. This works fine for me.

Note that the login module can also be activated by EJB calls after the user is already authenticated. In that case, the captcha parameter won't be in the session, of course. So you should check it.