[javaee-spec users] JASPIC doesn't support HttpServletRequest#login?

From: arjan tijms <>
Date: Tue, 29 Jan 2013 00:57:25 +0100


I'm playing around with JASPIC in various containers, and from experiments
it looks like JASPIC doesn't support the HttpServletRequest#login method. I
tried GlassFish, JBoss AS 7.1.3 (EAP 6.0.1) and WebLogic 12.1.1.

For GlassFish I tried both declarative configuration (as e.g. described
and programmatic configuration (as I described on my own blog here
For JBoss AS and WebLogic I only tried the programmatic option.

In all cases, the SAM is correctly called when a resource is accessed, but
it's NOT called whenever I call HttpServletRequest#login (e.g. from within
the doGet method of a simple Servlet). Instead, a default login module
(default realm) is called. This doesn't seem quite right: a SAM is
configured and indeed called in some situations, but then a completely
different login module is called in another situation.

Upon inspection of the source code of both GlassFish and JBoss AS, it
doesn't seem there's any code present that even could delegate this call to

For instance, in GlassFish the HttpServletRequest#login call is to
org.apache.catalina.connector.RequestFacade#login, which directly calls
org.apache.catalina.connector.Request#login (see,
this will call through to
where "realm_name" will be the empty string.

From there a
call is
done (see

From here Realm.getDefaultRealm() returns "file", which a bit further down
the call chain is used to obtain an instance of, which is invoked via
a JAAS LoginContext, and throws an exception if the file realm can't
authenticate the user (and thus WILL authenticate the user when credentials
are used that are NOT accepted by the JASPIC SAM, but happen to be accepted
by the default realm, which could open a huge security hole).

In JBoss AS a similar thing happens. For JASPIC support the
valve needs to be
configured and this one is called following a call to
HttpServletRequest#login, but eventually the authenticate method in its
base class is called (see
which knows nothing about JASPIC and just delegates to a default realm

So, is it indeed true that JASPIC does not support HttpServletRequest#login
or am I perhaps completely missing something?

Kind regards,
Arjan Tijms
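The following is an added example, not code from the mail above or from GlassFish, JBoss AS or WebLogic. It shows a small JASPIC SAM that records which caller it established for a request, plus a servlet that calls HttpServletRequest#login and then checks whether the identity that resulted is one the SAM vouched for. If the login succeeds with an identity the SAM never established, the container handed the call to its default realm, which is exactly the mismatch described in the mail. It assumes the Java EE 6 APIs (Servlet 3.0, JSR 196 1.0) and that the SAM is registered for the web application in the container's usual way (not shown); the class names ProbeSam and LoginProbeServlet, the attribute name probe.sam.caller, the URL /login-probe, the parameter names user/pass/probeUser/probePass and the credentials alice/s3cret are all constructed for this example.

```java
// File: ProbeSam.java (added example; not from the mail or any container's source)
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** SAM that accepts one constructed credential pair and records who it authenticated. */
public class ProbeSam implements ServerAuthModule {
    /** Request attribute holding the caller the SAM established ("" if none). Constructed name. */
    public static final String SAM_CALLER = "probe.sam.caller";
    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) {
        this.handler = handler;
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        // Constructed credentials: only alice/s3cret, sent as request parameters, are accepted.
        boolean ok = "alice".equals(request.getParameter("user"))
                  && "s3cret".equals(request.getParameter("pass"));
        String caller = ok ? "alice" : null; // a null caller tells the container: unauthenticated
        try {
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, caller),
                new GroupPrincipalCallback(clientSubject, ok ? new String[] { "users" } : new String[0])
            });
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("callback handling failed").initCause(e);
        }
        request.setAttribute(SAM_CALLER, ok ? "alice" : "");
        return AuthStatus.SUCCESS;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        subject.getPrincipals().clear();
    }
}

// File: LoginProbeServlet.java (added example)
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Calls login() and reports whether the resulting identity came from somewhere other than the SAM. */
@WebServlet("/login-probe")
public class LoginProbeServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String samCaller = (String) request.getAttribute(ProbeSam.SAM_CALLER);
        if (samCaller == null) {
            // The SAM was not invoked for this request at all, so there is nothing to compare against.
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "SAM not invoked");
            return;
        }
        // probeUser/probePass are never read by the SAM, so the SAM cannot have accepted them.
        boolean accepted;
        try {
            request.login(request.getParameter("probeUser"), request.getParameter("probePass"));
            accepted = true;
        } catch (ServletException rejected) {
            accepted = false;
        }
        Principal p = request.getUserPrincipal();
        boolean bypassed = accepted && p != null && !p.getName().equals(samCaller);
        if (bypassed) {
            request.logout(); // fail closed: drop the identity the default realm established
        }
        response.setContentType("text/plain");
        response.getWriter().println("sam-caller=" + (samCaller.isEmpty() ? "<none>" : samCaller));
        response.getWriter().println("login-bypassed-sam=" + bypassed);
    }
}
```

To use it in a test deployment, register ProbeSam for the application, then request /login-probe with probeUser and probePass set to an account that exists in the container's default realm but is not the SAM's alice. A response of login-bypassed-sam=true means the container authenticated the login call against a realm the SAM knows nothing about, which is the behaviour the mail reports for GlassFish and JBoss AS; the servlet logs that identity out again so the probe itself does not leave a session authenticated behind the SAM's back.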