Hi, for our project we have this use-case. The user needs to execute some action and he has unsuccessful rights. In this case he can call for supervisor to authenticate in special window and allow this action to execute in “runAs” mode.
The question is if we can somehow reuse the authentication we already have, I’m thinking about some iframe with login screen in it. Do you think it is feasible or do we need to write own logic to authenticate and mainly authorize the supervisor?
I’m not sure if you can re-authenticate an active session via JAAS .
You might need a Custom LoginModule to ensure you ovewrite the active session’s Subject (ie security Principal + Groups ) …
You can try to call HttpRequest.login(username , password ) , but I’m not sure this will work as you intend.
if JAAS re-authentication does not work. you could always add some costomized authorization checks and simply store something in you session from the supervisor authentication screen.
Thanks for answer, thing is I don’t need to re-authenticate the current session(after this step the logged in user will continue with his session) for me it will be enough to call somehow the login and hopefully I will get the authentication status and the assigned roles as well.
The problem we faced before was that we were unable to get list of roles assigned to the user(we are using jBoss). Till now we are not using such a fine-grained role security. If there will be more supervisors roles I’m not sure how I will do it. How to find out against which role to check.
Seems it will be really specific use case, will try to inform about any success.