[jboss-jira] [JBoss JIRA] Created: (JBAS-7542) HostnameTrustLoginModule / Valve for allowing third party authentication

Andrew Oliver (JIRA) jira-events at lists.jboss.org
Sat Dec 12 20:36:30 EST 2009 

HostnameTrustLoginModule / Valve for allowing third party authentication 
-------------------------------------------------------------------------

                 Key: JBAS-7542
                 URL: https://jira.jboss.org/jira/browse/JBAS-7542
             Project: JBoss Application Server
          Issue Type: Feature Request
      Security Level: Public (Everyone can see)
          Components: Security
    Affects Versions: JBossAS-4.2.3.GA
            Reporter: Andrew Oliver
            Assignee: Anil Saldhana


Presently Tested With 4.3.0.  This login module is for the specific case of needing to pass credentials between instances without re-authenticating (diagram: http://dl.dropbox.com/u/1368565/redhat/patches/diagram_trust.png and http://dl.dropbox.com/u/1368565/redhat/patches/diagram_trust.odg).  The valve puts the getHostName from a request object in a thread local value.  The login module checks this supplied hostname (generally an IP) against a list of trusted IPs.  This should only be used behind a firewall with spoofing disabled where network security has assured the getHostName call returns a valid value.  No testcase is included as it requires a specific network setup and multiple instances.

If there are no objections I'll commit this to the trunk with my LdapExtLoginModule patches.

http://dl.dropbox.com/u/1368565/redhat/patches/HostThreadLocal.java
http://dl.dropbox.com/u/1368565/redhat/patches/RemoteHostTrustLoginModule.java
http://dl.dropbox.com/u/1368565/redhat/patches/RemoteHostValve.java

In order to use it (login-config.xml):
 <application-policy name = "jmx-console">
    <authentication>
       <login-module code="org.jboss.security.auth.spi.RemoteHostTrustLoginModule"
          flag = "optional">
          <module-option name="password-stacking">useFirstPass</module-option>
          <module-option name="trustedHosts">192.168.49.10</module-option>
          <module-option name="roles">transportAuthenticated</module-option>
       </login-module>
.. some other login module ...
  </authentication>
</application-policy>

context.xml:
<Context>
<Valve className="org.jboss.web.tomcat.security.RemoteHostValve"/>
</Context>


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list