Migrate Oracle WebLogic Server Programmatic Login to Red Hat JBoss Enterprise Application Platform 6 or 7

Summary

Oracle WebLogic Server provides a proprietary ServletAuthentication class to perform programmatic login. In Red Hat JBoss Enterprise Application Platform 6 and 7, you can use the standard Java EE Servlet 3.0 HttpServletRequest.login() method or you can define a <security-constraint> element in the web.xml file. You must also replace code that uses the Oracle WebLogic Server proprietary ServletAuthentication class. This article describes how to replace the Oracle WebLogic Server programmatic login code.

  1. Configure a Servlet or Define Security Constraints in the web.xml File
  2. Replace the WebLogic ServletAuthentication Code

Configure a Servlet or Implement Security Constraints in the web.xml File

To enable programmatic login in JBoss EAP, you must do one of the following.

Modify the Authentication Servlet

Add the following annotations to the servlet class that does the authentication.

// Imports for annotations
import javax.annotation.security.DeclareRoles;
import javax.servlet.annotation.WebServlet;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
// Import for the servlet base class
import javax.servlet.http.HttpServlet;

// Only callers in "myRole" may reach this URL pattern
@WebServlet("/securedUrlPattern")
@ServletSecurity(@HttpConstraint(rolesAllowed = { "myRole" }))
@DeclareRoles("myRole")
public class SecuredServlet extends HttpServlet {
    //Rest of code
}

Modify the web.xml File

If you prefer not to annotate the servlet, you can instead add a <security-constraint> element containing a dummy URL pattern to the web.xml file. This notifies JBoss EAP to create a default Authenticator. Without a <security-constraint> element in the web.xml file, programmatic login may fail with the error message "No authenticator available for programmatic login". The constraint applies only to URLs that match its <url-pattern>, so the dummy pattern does not by itself protect any other resource in the application.

The following is an example of a web.xml file with a <security-constraint> element:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ApplicationRealm</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>All resources</web-resource-name>
        <description>Protects all resources</description>
        <url-pattern>/dummy/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>myRole</role-name>
    </auth-constraint>
</security-constraint>

Replace the WebLogic ServletAuthentication Code

If the application uses the WebLogic proprietary ServletAuthentication class for programmatic login, you must replace it with the standard HttpServletRequest login as follows:

// Inside the servlet's doPost(HttpServletRequest request, HttpServletResponse response)
String userName = request.getParameter( "username" );
String password = request.getParameter( "password" );
try {
    // Standard Servlet 3.0 call that replaces the WebLogic ServletAuthentication code
    request.login(userName, password);
} catch(ServletException ex) {
    // handle the error; the user name comes from the request, so it is not written into the HTML
    response.getWriter().println( "Failed to log in with the given user name and password<br/>" );
    response.getWriter().println( "<form name=\"FailedLogin\" method=\"post\">" );
    response.getWriter().println( "<br/>" );
    response.getWriter().println( "<input name=\"FailedLogin\" type=\"submit\" value=\"Return\" />" );
    response.getWriter().println( "</form>" );
    return;
}
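The replacement login call in a complete servlet, as an added example that is not part of the original article or of Red Hat's code. The class name, the "/doLogin" and "/home" paths and the logging are assumptions, and it assumes the dummy <security-constraint> from the web.xml section is deployed so that an authenticator exists.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login endpoint; "/doLogin" and "/home" are assumed paths.
// Assumes the dummy <security-constraint> from the web.xml example is deployed.
@WebServlet("/doLogin")
public class ProgrammaticLoginServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(ProgrammaticLoginServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String userName = request.getParameter("username");
        String password = request.getParameter("password");
        if (userName == null || userName.isEmpty() || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing credentials");
            return;
        }
        // login() throws if a caller identity is already established, so clear it first.
        if (request.getUserPrincipal() != null) {
            request.logout();
        }
        // Discard any session created before authentication and start a new one,
        // so a session ID known before login is not reused afterwards.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true);
        try {
            request.login(userName, password);
        } catch (ServletException ex) {
            // Log server-side; CR/LF replaced so the name cannot forge log lines.
            LOG.warning("Login failed for user: " + userName.replaceAll("[\\r\\n]", "_"));
            // Same response for unknown user and bad password; input is not echoed.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
            return;
        }
        // Fixed, application-relative target: no redirect built from request data.
        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```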
