[jboss-user] [Beginner's Corner] - Evading Authentication

Satish Kinikiri do-not-reply at jboss.com
Tue Jan 10 01:18:44 EST 2012


Satish Kinikiri [http://community.jboss.org/people/satish.kinikiri] created the discussion

"Evading Authentication"

To view the discussion, visit: http://community.jboss.org/message/645578#645578

--------------------------------------------------------------
Hi

I am trying to introduce single-sign-on (SSO) for our application.
Currently our application has a custom login module. I want to retain the same authentication process when a user logs in directly with username/password (through non-SSO).

And I want to add an authentication system for when the user tries to log in to my app through some API.
(Through SSO the user name is available but not the password; I will make use of the username to create roles.)
Current authentication process:

LoginClient loginClient = new LoginClient(loginName, loginPassword, true /* server login */);
AppIQUserData user = loginClient.login();
......
......

and Login client is

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

public class LoginClient
{
    // log, SecurityConstants, AppIQUserData, SecurityMethods and
    // LocalizationUtilities are project classes not shown in the post.
    private final LoginContext context;
    private final boolean serverLogin;

    public LoginClient(String username, String password, boolean serverLogin)
        throws LoginException
    {
        this(new UsernamePasswordHandler(username, password), serverLogin);
    }

    public LoginClient(CallbackHandler handler, boolean serverLogin) throws LoginException
    {
        this(handler, serverLogin ? SecurityConstants.SECURITY_DOMAIN : SecurityConstants.CLIENT_DOMAIN, serverLogin);
    }

    public LoginClient(CallbackHandler handler, String securityDomain, boolean serverLogin) throws LoginException
    {
        log.trace2("login security domain: " + securityDomain);
        this.serverLogin = serverLogin;
        // The security domain selects the JAAS login-module stack that will be run.
        context = new LoginContext(securityDomain, handler);
    }

    /**
     * Perform a login to the AppIQ system.
     * @return The AppIQUserData that has been authenticated
     * @throws LoginException if the login fails
     */
    public synchronized AppIQUserData login() throws LoginException
    {
        log.trace2("login - " + (serverLogin ? "SERVER" : "CLIENT"));

        // Runs the configured login modules; throws LoginException on failure.
        context.login();

        if (!serverLogin)
            return null;

        Subject subject = context.getSubject();
        if (subject == null)
            throw new LoginException(LocalizationUtilities.localize("Exceptions", "LoginFailedNoSubject"));
        log.trace2("login SERVER returns subject: " + subject.toString());

        AppIQUserData user = SecurityMethods.getCallerPrincipal(subject);
        if (user == null)
            throw new LoginException(LocalizationUtilities.localize("Exceptions", "UnableToExtractAppIQUserData"));

        /* Stash the context in a cache so that we can re-authenticate when we
         * need to in order to force updates to login credentials when
         * necessary.
         */
        SecurityMethods.add(context);

        return user;
    }
}


Any idea how we can have the option of avoiding authentication when we are using UsernamePasswordHandler?




Thanks
Satish.kinikiri at gmail.com
--------------------------------------------------------------
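The post asks how to get past the password check when the SSO entry point only knows the username. The usual JAAS answer is not to skip the login module but to run a second login-module stack, under its own security domain, in which the proof of identity is an assertion from the SSO gateway rather than a password. The following is an added illustration, not code from the post or from the AppIQ project: a hypothetical SsoAssertionLoginModule that accepts "username|expiryEpochSeconds|hmacSha256Hex", verifies the HMAC with a secret shared only between the gateway and the module, rejects expired assertions, and a matching CallbackHandler that replaces UsernamePasswordHandler. The option name ssoSharedSecret, the domain name "app-sso" and the assertion format are all assumptions made for the example; a real SSO product supplies its own token format and validation library.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical JAAS module: the "password" slot carries an SSO assertion
// "username|expiryEpochSeconds|hmacSha256Hex" minted by the SSO gateway.
public final class SsoAssertionLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private byte[] sharedSecret;
    private Principal principal;
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        // Assumed module option; load it from a keystore or vault in a real deployment.
        Object secret = options.get("ssoSharedSecret");
        if (secret == null) throw new IllegalStateException("ssoSharedSecret option is required");
        this.sharedSecret = secret.toString().getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("SSO user: ");
        PasswordCallback tokenCb = new PasswordCallback("SSO assertion: ", false);
        try {
            handler.handle(new Callback[] { nameCb, tokenCb });
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain SSO assertion: " + e.getMessage());
        }
        String user = nameCb.getName();
        char[] token = tokenCb.getPassword();
        tokenCb.clearPassword();
        if (user == null || token == null
                || !verifyAssertion(user, new String(token), sharedSecret, System.currentTimeMillis() / 1000)) {
            throw new FailedLoginException("SSO assertion missing, expired or not signed by the gateway");
        }
        principal = () -> user;   // in JBoss one would use org.jboss.security.SimplePrincipal here
        succeeded = true;
        return true;
    }

    @Override public boolean commit() { if (succeeded) subject.getPrincipals().add(principal); return succeeded; }
    @Override public boolean abort() { succeeded = false; principal = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().remove(principal); return true; }

    // Gateway side (stand-in for whatever the real SSO issues): sign user and expiry.
    public static String mintAssertion(String user, long expiryEpochSeconds, byte[] secret) {
        String payload = user + "|" + expiryEpochSeconds;
        return payload + "|" + toHex(hmac(secret, payload));
    }

    // Module side: the username is trusted only if the assertion is fresh and the MAC verifies.
    static boolean verifyAssertion(String user, String assertion, byte[] secret, long nowEpochSeconds) {
        String[] parts = assertion.split("\\|", -1);
        if (parts.length != 3 || !parts[0].equals(user)) return false;
        long expiry;
        try { expiry = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return false; }
        if (expiry < nowEpochSeconds) return false;
        String expected = toHex(hmac(secret, parts[0] + "|" + parts[1]));
        // Constant-time comparison so the MAC cannot be guessed byte by byte.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     parts[2].getBytes(StandardCharsets.UTF_8));
    }

    private static byte[] hmac(byte[] secret, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Handed to LoginContext by the SSO entry point instead of UsernamePasswordHandler.
    public static final class SsoAssertionHandler implements CallbackHandler {
        private final String user, assertion;
        public SsoAssertionHandler(String user, String assertion) { this.user = user; this.assertion = assertion; }
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(assertion.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }
}
```

With this in place the existing three-argument constructor already does the job: the SSO path calls new LoginClient(new SsoAssertionHandler(user, assertion), "app-sso", true), where "app-sso" is a separate JAAS application-policy entry that lists SsoAssertionLoginModule (and whatever role-mapping module the project uses), while the password domain and UsernamePasswordHandler stay exactly as they are for direct logins. The important property is that nothing in the application can "avoid" authentication: a caller who only knows a username still cannot obtain a Subject, because producing a valid assertion requires the gateway's secret, and the expiry bounds how long a captured assertion can be replayed.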
