[jboss-user] [Security & JAAS/JBoss] - Cannot access username/password in custom login module

camueller do-not-reply at jboss.com
Thu Aug 24 10:56:09 EDT 2006


Hi,

I've written a custom login module using individual implementations for Principal/Group. Logins to the web container are propagated properly to the EJB container. However, logins of remote EJB clients fail since the username/password provided by the callback handler are null:


  |   public boolean login() throws LoginException {
  | 
  |     try {
  |       log.info("login() called");
  | 
  |       // Get user name and password from request
  |       log.info("Going to the build the name and password call back");
  |       this.callbacks = new Callback[2];
  |       this.callbacks[0] = new NameCallback("Username");
  |       this.callbacks[1] = new PasswordCallback("Password", false);
  | 
  |       log.info("Trying to execute the callbacks using the call back handler");
  |       this.callbackhandler.handle(this.callbacks);
  | 

The login performed by the remote EJB client looks like this:


  |       Properties props = new Properties();
  |       props.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
  |       props.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.naming.client");
  |       props.setProperty(Context.PROVIDER_URL, "jnp://localhost:1099");
  |       props.setProperty(Context.SECURITY_PROTOCOL, "pve");
  |       props.setProperty("j2ee.clientName", "PCA_CLI"); // must match display-name in application-client.xml
  | 
  |       props.put(Context.SECURITY_PRINCIPAL, "admin");
  |       props.put(Context.SECURITY_CREDENTIALS, "pca");
  |       this.context = new InitialContext(props);
  |       Object objref = context.lookup(jndiName);
  | 

The security-domain in jboss.xml is set to "pve":


  | <jboss>
  |   <security-domain>java:/jaas/pve</security-domain>
  |   [...]
  | 

The login-config.xml contains the following entries:


  | <policy>
  |     <!-- Used by clients within the application server VM such as
  |     mbeans and servlets that access EJBs.
  |     -->
  |     <application-policy name = "client-login">
  |        <authentication>
  |           <login-module code = "org.jboss.security.ClientLoginModule"
  |              flag = "required">
  |              <!-- Any existing security context will be restored on logout -->
  |              <module-option name="restore-login-identity">true</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  |     
  |     <application-policy name = "pve">
  |        <authentication>
  |           <login-module code = "com.wn.pve.security.jaas.PveLoginModule"
  |              flag = "required">
  |              <module-option name = "principalClass">com.wn.pve.platform.jbossjaas.PvePrincipal</module-option>
  |           </login-module>
  |           
  |           <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
  |        </authentication>
  |     </application-policy>
  | 
  |     <!-- Security domain for JBossMQ -->
  |     <application-policy name = "jbossmq">
  |        <authentication>
  |           <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
  |              flag = "required">
  |              <module-option name = "unauthenticatedIdentity">guest</module-option>
  |              <module-option name = "dsJndiName">java:/DefaultDS</module-option>
  |              <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
  |              <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <!-- Security domains for testing new jca framework -->
  |     <application-policy name = "HsqlDbRealm">
  |        <authentication>
  |           <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
  |              flag = "required">
  |              <module-option name = "principal">sa</module-option>
  |              <module-option name = "userName">sa</module-option>
  |              <module-option name = "password"></module-option>
  |              <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <application-policy name = "JmsXARealm">
  |        <authentication>
  |           <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
  |              flag = "required">
  |              <module-option name = "principal">guest</module-option>
  |              <module-option name = "userName">guest</module-option>
  |              <module-option name = "password">guest</module-option>
  |              <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <!-- A template configuration for the jmx-console web application. This
  |       defaults to the UsersRolesLoginModule the same as other and should be
  |       changed to a stronger authentication mechanism as required.
  |     -->
  |     <application-policy name = "jmx-console">
  |        <authentication>
  |           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
  |              flag = "required">
  |            <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
  |            <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <!-- A template configuration for the web-console web application. This
  |       defaults to the UsersRolesLoginModule the same as other and should be
  |       changed to a stronger authentication mechanism as required.
  |     -->
  |     <application-policy name = "$webConsoleDomain">
  |        <authentication>
  |           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
  |              flag = "required">
  |              <module-option name="usersProperties">web-console-users.properties</module-option>
  |              <module-option name="rolesProperties">web-console-roles.properties</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <!-- A template configuration for the JBossWS web application (and transport layer!).
  |       This defaults to the UsersRolesLoginModule the same as other and should be
  |       changed to a stronger authentication mechanism as required.
  |     -->
  |     <application-policy name="JBossWS">
  |       <authentication>
  |         <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
  |           flag="required">
  |           <module-option name="usersProperties">props/jbossws-users.properties</module-option>
  |           <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
  |           <module-option name="unauthenticatedIdentity">anonymous</module-option>
  |         </login-module>
  |       </authentication>
  |     </application-policy>
  | 
  | </policy>
  | 


Anything I might try?

Axel

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3967248#3967248
