[jboss-user] [Security & JAAS/JBoss] - Integration of Custom Client and Server Login Modules

kearns do-not-reply at jboss.com
Mon Jul 17 10:41:26 EDT 2006


Objective: to authenticate using a custom client login module and pass the subject, containing the credentials customer ID and NHS #, to a custom server login module. This does no authentication but simply maps the customer ID to a role in order to invoke a secured EJB.

How: 

I have listed below 4 different approaches I used.

(1) Created the following components:

- Custom client login module (reference article: All That JAAS):
       ConsoleCallbackHandler
       PassiveCallbackHandler
       RdbmsCredential
       RdbmsLoginModule
       RdbmsPrinciple

- Custom server login module (reference article: Securing EJB Applications with Custom JBoss Login Modules):
       CustomServerLoginModule

- Used the JBoss client login module to bind the subject.

- Added the RDBMS Login Module (custom client login module) to the "Example" domain in login-config.xml
- Added CustomServerLoginModule to the security domain (secureBankDomain) for the EJB application

extract from login-config.xml

  <application-policy name="Example">
    <login-module code="com.jaas.RdbmsLoginModule" flag="required">
      <module-option name="url">jdbc:mysql://localhost/jaasdb</module-option>
      <module-option name="usr">root</module-option>
      <module-option name="pwd">steelbus581</module-option>
      <module-option name="driver">com.mysql.jdbc.Driver</module-option>
      <module-option name="debug">true</module-option>
    </login-module>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
    </login-module>
  </application-policy>

  <application-policy name="SecureBankDomain">
    <login-module code="bank.jaas.CustomServerLoginModule" flag="required">
      <module-option name="debug">true</module-option>
    </login-module>
  </application-policy>

Subsequently realised that only the username and password handled by the callback are passed to the server login module. Therefore this approach would not work.

(2) Pass the credential and principal in the initial context, e.g. Context.SECURITY_PRINCIPAL, prior to getting a reference to the remote EJB.

       import java.util.Hashtable;
       import javax.naming.Context;
       import javax.naming.InitialContext;
       import org.jboss.security.SecurityAssociation;

       // Copy the principal/credential bound by ClientLoginModule into the JNDI environment
       Hashtable props = new Hashtable();
       props.put( Context.SECURITY_PRINCIPAL,
           SecurityAssociation.getPrincipal() );
       props.put( Context.SECURITY_CREDENTIALS,
           SecurityAssociation.getCredential() );

       InitialContext initialContext = new InitialContext( props );

On invoking the server login method it fails as no identity, i.e. Principal, can be found.


(3) Created a PrivilegedAction i.e. CallBankMgrGetCustData that would get the EJB reference and execute the method. This also fails as no identity can be found.

(4) Pushed the credential and principal onto the SecurityAssociation stack. However an error occurred as the RdbmsPrincipal class could not be found (no class loader). Then added com.bank.RdbmsCredential and RdbmsPrincipal to server/default/lib as a jar. Still the custom server login module fails as no identity, i.e. Principal, can be found.

Question: 

What have I not understood or not configured correctly? Or is what I am trying to do not possible? Any help would be appreciated.

References:


All That JAAS: http://www.javaworld.com/javaworld/jw-09-2002/jw-0913-jaas_p.html
Writing Custom JAAS Login Modules. 21 Nov 2003. http://www.timfanelli.com/blog/item/custom_jaas_login_modules.html
Securing EJB Applications with Custom JBoss Login Modules. 21 Nov 2003. http://www.timfanelli.com/item/98
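As an added illustration (not code from the original post or from the referenced articles), here is a minimal server-side login module of the kind approach (1) describes: it authenticates nothing, reads the customer ID and NHS number from the NameCallback/PasswordCallback that JBoss's ClientLoginModule actually propagates, and maps the customer ID to a role in the "Roles" group JBoss reads for EJB authorization. The class name CustomerRoleLoginModule and the "<customerId>.role" module option are assumptions.

```java
import java.security.acl.Group;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

/** Hypothetical server-side module: no authentication, just maps the customer ID to a role. */
public class CustomerRoleLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Map options;
    private String customerId;
    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        this.subject = subject;
        this.handler = handler;
        this.options = options;
    }

    public boolean login() throws LoginException {
        // Only a name and a password cross from the client: they arrive through these two callbacks.
        NameCallback nc = new NameCallback("customer id: ");
        PasswordCallback pc = new PasswordCallback("nhs number: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("callbacks failed: " + e.getMessage());
        }
        customerId = nc.getName();
        if (customerId == null || customerId.length() == 0 || pc.getPassword() == null)
            throw new LoginException("no customer identity supplied");
        return true;
    }

    public boolean commit() {
        // JBoss reads EJB roles from a Group named "Roles" among the Subject's principals.
        Group roles = new SimpleGroup("Roles");
        // Assumed mapping: module option "<customerId>.role" names the role, default "Customer".
        Object role = options.get(customerId + ".role");
        roles.addMember(new SimplePrincipal(role == null ? "Customer" : role.toString()));
        subject.getPrincipals().add(new SimplePrincipal(customerId));
        subject.getPrincipals().add(roles);
        return true;
    }

    public boolean abort() { return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```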

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958490#3958490