Get HttpSession/Request in a JAAS Login Module

Question

I\'m trying to obtain the HttpSession or Request in my Login Module. I already tried JACC, but it didn\'t work.

I need this because I have to put a captcha in a logi

Answer 1

I do exactly that in my applications running on JBoss AS.

Here's what I do to access the HttpServletRequest from within the login module:

HttpServletRequest request = (HttpServletRequest) PolicyContext.getContext(HttpServletRequest.class.getName());

Then I get the session, extract the captcha and validate it against the request parameter from the screen. After I authenticate the user, I remove the captcha parameter from the session. This works fine for me.

Note that the login module can also be activated by EJB calls after the user is already authenticated. In that case, the captcha parameter won't be in the session, of course. So you should check it.