Richard Clarke

Reputation: 53

Verify user credentials without logging in with Java's JAAS security

I am developing a JSF 2 application running under JBOSS Wildfly, which utilizes Java's JAAS security mechanism.

Everything works as expected and I can login using the request.login(username, password) mechanism.

I also have a requirement to authorize a device (which I have implemented using cookies) as part of the login process. The process I am trying to implement is as follows:

  1. Validate username and password (but not log them in)
  2. Check device authorization (and redirect to the authorization process pages if not already authorized).
  3. Login (if authorization is successful)

I don't want to log the user in unless they are authorized, and I don't want to go through the authorization process unless the username and password are correct.

So I need to verify the credentials are correct without actually logging the user in. I can do this manually via a database query, but I was wondering if there is a way to do this via JAAS.

Any ideas? Rich

Upvotes: 2

Views: 989

Answers (1)

Dawid Pytel

Reputation: 2810

There is no standard way to check credentials in JAAS/JEE. However, you might log in and immediately log out the user:

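```java
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

// Inside a JSF managed bean method; name and password come from the login form.
boolean isValid;
HttpServletRequest request = (HttpServletRequest) FacesContext
        .getCurrentInstance().getExternalContext().getRequest();
try {
    request.login(name, password);   // throws ServletException if authentication fails
    request.logout();                // drop the authenticated identity again immediately
    isValid = true;
} catch (ServletException e) {
    isValid = false;
}
```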

A ServletException means that the user is not valid (or another error occurred).

You can also use the internal JBoss class org.jboss.security.AuthenticationManager and its isValid(..) method. See example. But this binds you to JBoss AS/Wildfly.

Upvotes: 1
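An added example, not code from the question or the answer: the question's three-step flow built on the answer's login/logout probe, so that the authenticated identity is only established once the device check has passed. `DeviceTokenStore`, the cookie name `device_token` and the `Outcome` enum are assumptions made for illustration; the page does not say how the device cookie is validated.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

public class DeviceGatedLogin {

    public enum Outcome { BAD_CREDENTIALS, DEVICE_NOT_AUTHORIZED, LOGGED_IN }

    /** Hypothetical lookup of the token issued to this user's authorized device. */
    public interface DeviceTokenStore {
        byte[] expectedToken(String username);   // null if no device is registered
    }

    private static final String DEVICE_COOKIE = "device_token";  // assumed cookie name

    public static Outcome attempt(HttpServletRequest request, DeviceTokenStore store,
                                  String username, String password) {
        // Step 1: validate the credentials, then drop the identity again.
        try {
            request.login(username, password);
            request.logout();
        } catch (ServletException e) {
            return Outcome.BAD_CREDENTIALS;   // same outcome for unknown user and bad password
        }
        // Step 2: compare the device cookie with the stored token in constant time.
        if (!deviceAuthorized(request, store.expectedToken(username))) {
            return Outcome.DEVICE_NOT_AUTHORIZED;   // caller redirects to the authorization pages
        }
        // Step 3: only now establish the authenticated identity.
        try {
            request.login(username, password);
            return Outcome.LOGGED_IN;
        } catch (ServletException e) {
            return Outcome.BAD_CREDENTIALS;
        }
    }

    static boolean deviceAuthorized(HttpServletRequest request, byte[] expected) {
        Cookie[] cookies = request.getCookies();
        if (expected == null || cookies == null) return false;
        for (Cookie c : cookies) {
            if (DEVICE_COOKIE.equals(c.getName())) {
                byte[] presented = c.getValue().getBytes(StandardCharsets.UTF_8);
                return MessageDigest.isEqual(presented, expected);
            }
        }
        return false;
    }
}
```

`request.login` also throws a `ServletException` when an identity is already established on the request, so `attempt` should only be called for an unauthenticated request.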
