The authenticate, login, logout, getRemoteUser, isUserInRole and getAuthType servlet security methods are methods of the javax.servlet.http.HttpServletRequest interface.
The authenticate method authenticates a user by using the WebSphere Application Server container login mechanism configured for the servlet context.
boolean authenticate(HttpServletResponse response)
The authenticate method returns true when authentication has been established or authentication is successful.
The authenticate method returns false if authentication is incomplete and the underlying login mechanism has committed, in the response, the message and HTTP status code to be returned to the user.
A java.io.IOException occurs if an error occurs while writing the response.
A ServletException occurs if the authentication failed, and the caller is responsible for handling the error (for example, the underlying login mechanism did not establish the message and the HTTP status code to be returned to the user).
```java
Boolean authResultTrue = req.authenticate(response);
if (!authResultTrue) {
    // The login mechanism has already committed the challenge or error response; nothing more to send.
    return;
} else {
    // Use the new invocation subject to call other services.
}
```
The login method authenticates a user to the WebSphere Application Server with a user ID and password. If authentication is successful, it creates a user subject on the thread and Lightweight Third Party Authentication (LTPA) cookies (if single sign-on (SSO) is enabled).
void login(java.lang.String username, java.lang.String password)
A ServletException occurs if the configured login mechanism does not support username and password authentication, if an identity had already been authenticated (prior to the call to login), or if validation of the provided username and password fails.
For more information about modifying security custom properties, read the Modifying an existing custom property in a global security configuration or in a security domain configuration article.
Since the authenticate and login methods set the invocation subject to the new subject, the RunAs identity defined by the run-as attribute in the deployment descriptor, security annotation or dynamic annotation is ignored.
After logging out, access to a protected web resource requires re-authentication, and the getUserPrincipal, getRemoteUser and getAuthType methods return null.
void logout()
A ServletException occurs if the logout fails.
Audit event types for the authenticate, login and logout methods
To audit the authenticate, login and logout methods, you must create or extend some audit event type files. These event types are not part of the default event type files.
Method | Audit event name | Audit outcome of the event |
---|---|---|
authenticate/login | SECURITY_AUTHN | SUCCESS or FAILURE |
logout | SECURITY_AUTHN_TERMINATE | SUCCESS |
logout | SECURITY_AUTHN_TERMINATE | FAILURE |
The isUserInRole(String role) method returns true if the remote user is granted the specified security role. If the remote user is not granted the specified role, or if no user is authenticated, it returns false.
The getRemoteUser method returns the login of the user that makes the request if the user has been authenticated. If the user has not been authenticated, the getRemoteUser method returns null.
The getAuthType method returns the name of the authentication scheme that is used to protect the servlet. If the servlet is not protected, the getAuthType method returns null.
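The following servlet is an added example, not code from the WebSphere documentation, showing how the methods above fit together: programmatic login with the already-authenticated and bad-credential failure modes handled, authenticate driven on demand with both of its failure signals handled, logout, and a role check afterwards. The "username", "password" and "action" parameters and the "admin" role are assumed names.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Hypothetical servlet (not from the WebSphere docs); parameter and role names are assumed.
public class ProgrammaticSecurityServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getUserPrincipal() != null) {
            req.logout(); // login() throws if an identity is already authenticated
        }
        try {
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            // Bad credentials or a mechanism without user/password support: one generic status
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The new subject is on the thread now (plus LTPA cookies when SSO is enabled).
        resp.getWriter().println("logged in as " + req.getRemoteUser());
    }
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("logout".equals(req.getParameter("action"))) {
            req.logout(); // ServletException if the logout fails
            // After logout, getRemoteUser/getUserPrincipal/getAuthType all return null.
            resp.getWriter().println("remote user now: " + req.getRemoteUser());
            return;
        }
        boolean ok;
        try {
            ok = req.authenticate(resp); // runs the login mechanism configured for the context
        } catch (ServletException e) {
            // The mechanism committed no message or status, so the caller must set one.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!ok) return; // challenge (login form redirect, 401...) already committed
        // RunAs from the deployment descriptor is ignored after authenticate()/login().
        if (!req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.getWriter().println(req.getRemoteUser() + " via " + req.getAuthType());
    }
}
```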