Re: [jetty-users] 3'rd party Autentication

[larry mccay <larry.mccay@xxxxxxxxx>]

Your 3rd party authentication provider should have a prescribed way of doing this already.

In fact, you shouldn't really have to require the user to click on a link to go back.

At any rate, you need to be extremely careful about blindly accepting url parameters of an incoming request.

You will need to ensure that the request is indeed coming from your 3rd party authentication provider and not some arbitrary client that just sets the magic parameters - like you could easily do from a browser or curl.

If you can be sure (and programmatically verify) that the request has come from a trusted client then you can create a servlet filter or JASPIC authmodule to consume the parameters, create a Subject with the appropriate principals and assert the identity with a Subject.doAs.

The JASPIC authmodule is the EE recommended approach to doing this because you just communicate the primary principal and any group principals back to the container and it does the identity assertion.

On Fri, Dec 13, 2013 at 9:11 AM, Kjell Tillstrand <kjell@xxxxxxxxxxxxxxxxxxxxx> wrote:

Hi, 

I've got a case where we are using a 3´rd party authentication provider. Basically we send our customers to this 3´rd party witch authenticates the user and gets the user to click a return link back to our servlet. 

With the parameters we have set in the session and the return links parameters we can confirm the identity of our customer. 

To the question. 

I there a way to create a Principal object for this customer and let him be logged in as if had used basic authentication?

  

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users