Ajax and ZK Based Login with JAAS on JBoss

From Documentation
DocumentationSmall Talks2010FebruaryAjax and ZK Based Login with JAAS on JBoss
Ajax and ZK Based Login with JAAS on JBoss

February 19, 2010
ZK 5.0.0 CE


The talk shows how to use ZK to implement AJAX login for JAAS on JBoss 5.x I have just slightly modified the project from my previous talk Form Based Login with JAAS on JBoss and ZK, and I will describe just differences to this previous talk here.

A user is authenticated byorg.jboss.web.tomcat.security.login.WebAuthentication class[1][2]. It has the following advantages comparing to the form based login:

  • Real AJAX login, the browser stays on the same page, no redirection.
  • Not need to use j_security_check form.
  • Finer control over the login process - you can execute any code before and after login (e.g. "remember me" function).

And disadvantages:

  • The WebAuthentication.login() method just returns false, when the authentication fails, it is not possible to see the reason why it has failed (DB connection problem, etc.).

I do logout by invalidating the session and reloading the current page. I do not know, if WebAuthentication class can be used to logout (re-login a different user). I consider the invalidating the session as the safest way of logout.


The configuration of JAAS and DB is the same as in the previous talk. I have just added jboss.xml file to the META-INF directory of the EJB module, just to see where the name of the unauthenticated user comes from:


Surprisingly, when no one is authenticated, then the javax.servlet.http.HttpServletRequest.getUserPrincipal() is null, however when any EJB is called, then javax.ejb.EJBContext.getCallerPrincipal().getUserName() equals to anonymous.

Ajax ZK Login Form

The JAAS login can be performed by just two lines of code:

org.jboss.web.tomcat.security.login.WebAuthentication webAuthentication = new org.jboss.web.tomcat.security.login.WebAuthentication();
if (webAuthentication.login(username, password)) {
// login successful
} else { 
// login failed

The event processing thread must be disabled, see Form Based Login with JAAS on JBoss and ZK.

And that's all. In the example bellow, the both actions, login and logout, are coded in one page index.zul. The login is truly AJAX based, the page in the browser stays the same. However, the logout invalidates the session and reloads the page index.zul.

You can make same tricks as in the previous talk Form Based Login with JAAS on JBoss and ZK.


The example (download bellow) uses the data source java:/DefaultDS which should be the HSQL database. Also, the hibernate.hbm2ddl.auto is set to create-drop, so the database tables are dropped and created during the deployment. Beware! It may destroy your data! Do not use it, if your java:/DefaultDS points to a DB with any precious data! The example has been tested with JBoss 5.1.0GA and ZK5.0.0 CE. I have also removed some ZK libraries not required for this demo, so you get a few warnings during deployment.

You can login as demo:demo, or admin:admin. After the login, you can follow links to the page /admin.zul. Every user is allowed to access this page, but for non-admin users it throws an error, because it uses the secured session bean method UserDao.getAllUsers(). The page /admin/admin.zul is exactly the same, but the access to it is restricted in web.xml only for admin users.


The JBoss's WebAuthentication class allows you to make very flexible JAAS login. You can even login by an AJAX request.



See Also


Copyright © Potix Corporation. This article is licensed under GNU Free Documentation License.