We have an existing project with security domains for our EJB3s. We are trying to use a
similar (or the same) security domain/policy for some of our web applications. I have it
working, but it's sort of ugly and I'm trying to figure out what I'm missing.
The main issue is that the security domain will only match the 'other' domain that
comes with the JBoss install. For whatever reason, after I decided to use a custom
authenticator, the security domain I created will not 'match'.
The goal is to use the SSL_CLIENT_CERT that we receive via HTTP Header and to
authenticate/authorize that with our existing policy. This works for EJBs, but not the web
app I have tried.
Backstory:
I originally set up the web application (i.e.
http://jboss/secure/index.jsp) to have a
simple FORM based policy. This worked - when I would attempt to hit that URL I would get
prompted for a username/password. Assuming I entered the username/password in my
users.properties file, I was able to get to that url.
I then created my own authenticator, based on instructions I found on creating a
GenericHeaderBasedAuthenticator.
This also seemed to work okay, provided my authenticator passed in the username/properties
from the user.properties file.
I then created my own login module based on instructions I found here. My
CustomWebAppLoginModule extends AbstractServerLoginModule.
When I tried to change the login-module.xml to use this login module instead of the
generic one, I couldn't seem to 'match' the security domain I created. I toyed
around with it and eventually realized it would match 'other', but not the one I
created.
Any ideas on why this is so?
login-module.xml:
| <application-policy name="securewebapp">
| <authentication>
| <login-module code="com.ist.security.CustomWebAppLoginModule" flag=
| "required">
| </login-module>
| </authentication>
| </application-policy>
|
| ...
|
Note that I had to change the "other" application-policy to use my
CustomWebAppLoginModule to get it to work...otherwise it would just skip this policy and
never call CustomWebAppLoginModule.
jboss-service.xml in jboss-web.deploy/META-INF:
| <java:property>
| <java:key>FORM</java:key>
|
<java:value>com.ist.security.authenticators.GenericWebAppHeaderAuthenticator</java:value?
| </java:property>
|
| ...
|
| <!-- JBAS-2283: Custom header based authentication
| Pass SSL_CLIENT_CERT field from http header through to JAAS...
| -->
| <attribute
name="HttpHeaderForSSOAuth">SSL_CLIENT_CERT</attribute>
|
In my GenericWebAppHeaderAuthenticator.java, this call is made:
| register(request, response, principal, Constants.FORM_METHOD, username,
sslClientCert);
|
Pertinent parts of my web.xml:
| <!-- authentication using securewebapp security domain -->
| <security-constraint>
| <web-resource-collection>
| <web-resource-name>Secure resources</web-resource-name>
| <description>Protects the secure area in Quartz GUI</description>
| <url-pattern>/secure/*</url-pattern>
| </web-resource-collection>
| <auth-constraint>
| <role-name>admin</role-name>
| <auth-constraint>
| </security-constraint>
|
| <security-role>
| <role-name>admin</role-name>
| </security-role>
|
| <login-config>
| <auth-method>FORM</auth-method>
| <realm-name>securewebapp</realm-name>
| <form-login-config>
| <form-login-page>/jsp/login.jsp</form-login-page>
| <form-error-page>/jsp/loginfail.jsp</form-error-page>
| </form-login-config>
| </login-config>
|
Any thoughts?
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4227290#...
Reply to the post :
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...