[jboss-user] [Security & JAAS/JBoss] - Re: EJB Client and Digest Auth using same SecurityDomain

joff do-not-reply at jboss.com
Mon Jun 11 01:09:51 EDT 2007


I've solved the problem myself, here it is in case someone else has a similar issue:

1) You can have multiple 'login-module' elements per 'authentication' element in login-config.xml, which you can set to 'optional', so that if one fails, the other one will be tried, and the entire authentication won't fail.

2) In order for my EJB client (running inside the container) to authenticate itself with the container (using the Properties as above), you also need the ClientLoginModule to be present in the config for the security domain.

New, improved login-config.xml follows:

    <application-policy name="MyDomain">
      <authentication>

        <!-- Module for doing DIGEST authentication from the web tier  -->
        <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "optional">
          <module-option name = "dsJndiName">java:/myDS</module-option>
          <module-option name = "principalsQuery">SELECT password_hash FROM auth WHERE user_id=?</module-option>
          <module-option name = "rolesQuery">SELECT role AS Role,"Roles" AS RoleGroup FROM role WHERE user_id=?</module-option>
          <module-option name = "hashAlgorithm">MD5</module-option>
          <module-option name = "hashEncoding">rfc2617</module-option>
          <module-option name = "hashUserPassword">false</module-option>
          <module-option name = "hashStorePassword">true</module-option>
          <module-option name = "passwordIsA1Hash">true</module-option>
          <module-option name = "storeDigestCallback">org.jboss.security.auth.spi.RFC2617Digest</module-option>
        </login-module>

        <!-- Module for doing authentication from within the application, already have the hashed password -->
        <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "optional">
          <module-option name = "dsJndiName">java:/myDS</module-option>
          <module-option name = "principalsQuery">SELECT password_hash FROM auth WHERE user_id=?</module-option>
          <module-option name = "rolesQuery">SELECT role AS Role,"Roles" AS RoleGroup FROM role WHERE user_id=?</module-option>
        </login-module>

        <!-- Client Login module so that the security context can be set for invoking EJBs -->
        <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
          <module-option name="restore-login-identity">true</module-option>
        </login-module>

      </authentication>
    </application-policy>


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4052975#4052975

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4052975
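The first login module in the config above stores the RFC 2617 "A1" hash in the password_hash column (passwordIsA1Hash=true, hashAlgorithm MD5, hashEncoding rfc2617) and verifies the browser's Digest response against it. The following is an added example, not code from the post or from JBoss, that shows what that stored value is and how a Digest response can be checked from it without ever holding the plaintext password. The realm name "MyDomain", the user "alice", the password, the nonce and the request URI are all constructed sample values; the class and method names are my own and are not JBoss APIs.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (not from the post or from JBoss): what "passwordIsA1Hash" with
 * "hashEncoding=rfc2617" means for the password_hash column, and how a Digest
 * "response" is verified from that stored value alone.
 */
public final class Rfc2617A1Example {

    // Lowercase hex MD5, which is the encoding JBoss labels "rfc2617".
    // Input is treated as ISO-8859-1 (assumption; RFC 2617 pins no charset,
    // and ASCII-only values hash identically under UTF-8).
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5")
                    .digest(s.getBytes(StandardCharsets.ISO_8859_1));
            StringBuilder sb = new StringBuilder(32);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is required for RFC 2617 digest", e);
        }
    }

    /** A1 = MD5(username ":" realm ":" password); this is what password_hash holds. */
    public static String a1Hash(String username, String realm, String password) {
        return md5Hex(username + ":" + realm + ":" + password);
    }

    /**
     * Recomputes the response the client should have sent, using only the stored A1.
     * qop == null is the older RFC 2069 form; "auth" is the usual RFC 2617 form
     * (qop=auth-int, which also hashes the entity body, is not covered here).
     */
    public static String expectedResponse(String a1Hex, String method, String uri, String nonce,
                                          String nc, String cnonce, String qop) {
        String ha2 = md5Hex(method + ":" + uri);
        if (qop == null) {
            return md5Hex(a1Hex + ":" + nonce + ":" + ha2);
        }
        return md5Hex(a1Hex + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    /** Constant-time comparison of the client's response against the recomputed one. */
    public static boolean verify(String a1Hex, String method, String uri, String nonce,
                                 String nc, String cnonce, String qop, String clientResponse) {
        byte[] expected = expectedResponse(a1Hex, method, uri, nonce, nc, cnonce, qop)
                .getBytes(StandardCharsets.US_ASCII);
        byte[] actual = clientResponse.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        // Constructed sample values. The realm must be the same string the web tier
        // advertises in its challenge, because it is baked into A1 at provisioning time.
        String realm = "MyDomain";
        String uri = "/dir/index.html";
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"; // server-issued, constructed
        String cnonce = "0a4f113b";
        String nc = "00000001";

        // Provisioning: this is the value written to auth.password_hash for alice.
        String stored = a1Hash("alice", realm, "correct horse battery staple");
        System.out.println("password_hash for alice = " + stored);

        // A client that knows the password derives the same A1 and answers the challenge.
        String clientA1 = a1Hash("alice", realm, "correct horse battery staple");
        String response = expectedResponse(clientA1, "GET", uri, nonce, nc, cnonce, "auth");
        System.out.println("correct password verified: "
                + verify(stored, "GET", uri, nonce, nc, cnonce, "auth", response));

        // A wrong password yields a different A1, so the response does not verify.
        String badA1 = a1Hash("alice", realm, "wrong password");
        String badResponse = expectedResponse(badA1, "GET", uri, nonce, nc, cnonce, "auth");
        System.out.println("wrong password verified: "
                + verify(stored, "GET", uri, nonce, nc, cnonce, "auth", badResponse));
    }
}
```

Two things this makes visible about the config above. First, the second login module has no hash options, so it compares the credential the application supplies directly against password_hash; that is why the post can authenticate from inside the application with "the hashed password": the A1 value itself is the credential for that path. Second, because A1 is accepted as a credential, the password_hash column is password-equivalent for this realm and needs the same access controls and handling as a plaintext password would, even though the plaintext is never stored.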
