I'm playing with OpenID authentication in my app for the first time.
I can successfully authenticate a user against the chosen provider, but I don't know how to correctly log in the user on a Java EE server, so that it looks like the user was logged in with e.g. form-based login. I could use Servlet 3.0 login, but it takes a username/password pair and I don't have passwords when using OpenID.
I'd like to be able to get a Principal object and use the isUserInRole method etc. Am I missing something? I'm running this app on JBoss 7.1, but I suppose there should be a common way to do that. Or maybe I'm missing something and all that stuff with Principal and user roles is done differently when using OpenID?
There indeed is. You need to create a so-called JASPIC authentication module. There already is one available for OpenID, see:
That's correct. You therefore need to call the Servlet 3.0 authenticate method instead. Because login is strongly tied to username/password it will even throw an exception in Java EE 7 when you have defined your own auth module! (in Java EE 6 it's undefined what happens, but it typically just doesn't work). For some more examples of how to create OpenID-like auth modules in Java EE, see my own project OmniSecurity and an actual application making use of an earlier version of that project. (unfortunately the code is a bit difficult to follow since it needed an extremely complex and convoluted workaround to get CDI to work with a JASPIC SAM, but hopefully it still allows you to see the general pattern)