JBoss Community

Evading Authentication

created by Satish Kinikiri in Beginner's Corner

Hi

I am trying to introduce single sign-on (SSO) for our application.

Currently our application has a custom login module. I want to retain the same authentication process when the user is logging in directly with username/password (through non-SSO).

And I want to add an authentication system for when the user tries to log in to my app using the application through some API.

(Through SSO the user name is available but not the password; I will make use of the username to create roles.)

Current authentication process:

    LoginClient loginClient = new LoginClient(loginName, loginPassword, true /* server login */);
    AppIQUserData user = loginClient.login();
    ......
    ......

 

and the login client is:

    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    // Assumed to be the JBoss callback handler of that name.
    import org.jboss.security.auth.callback.UsernamePasswordHandler;

    // AppIQUserData, SecurityConstants, SecurityMethods, LocalizationUtilities and the
    // logger `log` are the application's own classes and are not shown in the post.
    public class LoginClient
    {
        private final boolean serverLogin;
        private final LoginContext context;

        public LoginClient(String username, String password, boolean serverLogin)
            throws LoginException
        {
            // Wrap the credentials in a JAAS CallbackHandler and delegate.
            this(new UsernamePasswordHandler(username, password), serverLogin);
        }

        public LoginClient(CallbackHandler handler, boolean serverLogin) throws LoginException
        {
            // Server logins use the server security domain, client logins the client domain.
            this(handler, serverLogin ? SecurityConstants.SECURITY_DOMAIN : SecurityConstants.CLIENT_DOMAIN, serverLogin);
        }

        public LoginClient(CallbackHandler handler, String securityDomain, boolean serverLogin) throws LoginException
        {
            log.trace2("login security domain: " + securityDomain);
            this.serverLogin = serverLogin;
            // The LoginContext runs the JAAS login modules configured for this domain
            // and feeds them callbacks through the handler.
            context = new LoginContext(securityDomain, handler);
        }

        /**
         * Perform a login to the AppIQ system.
         * @return The AppIQUserData that has been authenticated
         * @throws LoginException if the login fails
         */
        public synchronized AppIQUserData login() throws LoginException
        {
            log.trace2("login - " + (serverLogin ? "SERVER" : "CLIENT"));

            // Runs the configured login modules; throws LoginException on failure.
            context.login();

            if (!serverLogin)
                return null;

            Subject subject = context.getSubject();
            if (subject == null)
                throw new LoginException(LocalizationUtilities.localize("Exceptions", "LoginFailedNoSubject"));
            log.trace2("login SERVER returns subject: " + subject.toString());

            AppIQUserData user = SecurityMethods.getCallerPrincipal(subject);
            if (user == null)
                throw new LoginException(LocalizationUtilities.localize("Exceptions", "UnableToExtractAppIQUserData"));

            /* Stash the context in a cache so that we can re-authenticate when we
             * need to in order to force updates to login credentials when
             * necessary.
             */
            SecurityMethods.add(context);

            return user;
        }
    }

 

 

Any idea how we can have the option of avoiding authentication when we are using UsernamePasswordHandler?

Thanks

Satish.kinikiri@gmail.com
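The split the post describes, one JAAS domain for the direct username/password login and a second one for the SSO case where only the username arrives, as an added stand-alone example (not code from the original post or from the application it describes). The class names (JaasSsoDemo, PasswordLoginModule, SsoAssertionLoginModule, SsoAssertionCallback), the domain names "password" and "sso", the in-memory user table and the shared HMAC key are all assumptions made for this demo; the wiring through LoginContext, a CallbackHandler and a Configuration is the standard JAAS API the post's LoginClient already uses.

```java
// Added example (not the post's code): stand-alone JAAS demo; class and domain names, user table and key are assumptions.
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasSsoDemo {
    /** Principal placed in the Subject once a module has verified the user. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    /** Callback for the SSO path: a username plus an HMAC the SSO gateway computed over it. */
    public static final class SsoAssertionCallback implements Callback { public String user; public byte[] tag; }
    // Constructed demo data (assumption): one user, and a key shared with the SSO gateway.
    static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray());
    static final byte[] SSO_KEY = "demo-shared-key".getBytes(StandardCharsets.UTF_8);

    static byte[] hmac(String user) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SSO_KEY, "HmacSHA256"));
        return mac.doFinal(user.getBytes(StandardCharsets.UTF_8));
    }
    static boolean constantTimeEquals(char[] a, char[] b) {   // no early exit on the first mismatch
        if (a == null || b == null || a.length != b.length) return false;
        int diff = 0; for (int i = 0; i < a.length; i++) diff |= a[i] ^ b[i]; return diff == 0;
    }

    /** JAAS plumbing shared by both modules; subclasses only implement login(). */
    public abstract static class BaseModule implements LoginModule {
        protected Subject subject; protected CallbackHandler handler; protected String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean commit() { if (user == null) return false; subject.getPrincipals().add(new UserPrincipal(user)); return true; }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
        protected void ask(Callback... cbs) throws LoginException {
            try { handler.handle(cbs); } catch (Exception e) { throw new LoginException("callback failed: " + e); }
        }
    }

    /** Direct (non-SSO) login: username and password checked against the store. */
    public static class PasswordLoginModule extends BaseModule {
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            ask(nc, pc);
            char[] expected = nc.getName() == null ? null : USERS.get(nc.getName());
            boolean ok = constantTimeEquals(expected, pc.getPassword());
            pc.clearPassword();
            if (!ok) throw new FailedLoginException("bad username or password");
            user = nc.getName();
            return true;
        }
    }

    /** SSO login: no password exists here, so the gateway's assertion is verified instead; a bare username is never enough. */
    public static class SsoAssertionLoginModule extends BaseModule {
        public boolean login() throws LoginException {
            SsoAssertionCallback cb = new SsoAssertionCallback();
            ask(cb);
            try {
                if (cb.user == null || cb.tag == null || !MessageDigest.isEqual(hmac(cb.user), cb.tag))
                    throw new FailedLoginException("SSO assertion missing or not verified");
            } catch (GeneralSecurityException e) { throw new LoginException(e.toString()); }
            user = cb.user;
            return true;
        }
    }

    /** Programmatic JAAS configuration: one REQUIRED module per security domain name. */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                String cls = "password".equals(name) ? PasswordLoginModule.class.getName()
                           : "sso".equals(name) ? SsoAssertionLoginModule.class.getName() : null;
                if (cls == null) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(cls,
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
            }
        };
    }

    /** Same shape as the post's LoginClient: pick a domain, run its modules, return the caller's name. */
    static String login(String domain, CallbackHandler h) throws LoginException {
        LoginContext ctx = new LoginContext(domain, new Subject(), h, config());
        ctx.login();
        return ctx.getSubject().getPrincipals().iterator().next().getName();
    }

    public static void main(String[] args) throws Exception {
        CallbackHandler byPassword = cbs -> {                 // non-SSO path, like the post's UsernamePasswordHandler
            ((NameCallback) cbs[0]).setName("alice");
            ((PasswordCallback) cbs[1]).setPassword("s3cret".toCharArray());
        };
        System.out.println("password login -> " + login("password", byPassword));
        byte[] tag = hmac("alice");                            // the SSO gateway's assertion, simulated here
        System.out.println("sso login -> " + login("sso", cbs -> { SsoAssertionCallback cb = (SsoAssertionCallback) cbs[0]; cb.user = "alice"; cb.tag = tag; }));
        try { login("sso", cbs -> { ((SsoAssertionCallback) cbs[0]).user = "alice"; }); }   // username alone
        catch (LoginException e) { System.out.println("sso without assertion -> rejected: " + e.getMessage()); }
    }
}
```

Compile and run with `javac JaasSsoDemo.java && java JaasSsoDemo` (Java 11 or later, no extra libraries). The design point for the post's question is the second module: the SSO path skips the password check, but it does not skip authentication. The login module still has to verify something only the SSO side can produce (here an HMAC over the username under a key shared with the gateway; in a real deployment a signed SAML assertion, a verified Kerberos ticket or an OIDC token plays that role), because a module that accepts the username on its own would let any caller of the API claim any identity. Keeping both modules behind the same LoginContext lets the existing LoginClient stay unchanged apart from which security domain and CallbackHandler it is given.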
