[jboss-user] [Security & JAAS/JBoss] - Re: Using database for authorization ONLY?
sfisque
do-not-reply at jboss.com
Fri Jul 25 15:26:07 EDT 2008
How did you achieve this? I am trying to do a similar thing:
1) attempt authentication via LDAP (using LdapExtLoginModule).
2) if failure, attempt authentication against the database (for "special case users") (using DatabaseServerLoginModule)
3) load the roles from the database regardless of which authentication succeeded.
I have the following login-config:
<application-policy name = "dual-auth">
  <login-module code = "org.jboss.security.auth.spi.LdapExtLoginModule"
    flag = "optional">
    <module-option name="baseCtxDN">dc=psr,dc=kryptiq,dc=com</module-option>
    <module-option name="bindDN">cn=admin,dc=psr,dc=kryptiq,dc=com</module-option>
    <module-option name="bindCredential">secret00</module-option>
    <module-option name="baseFilter">(cn={0})</module-option>
    <module-option name="rolesCtxDN">dc=psr,dc=kryptiq,dc=com</module-option>
    <module-option name="roleAttributeIsDN">false</module-option>
    <module-option name="roleAttributeID">role</module-option>
  </login-module>
  <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
    flag = "required">
    <module-option name = "unauthenticatedIdentity">guest</module-option>
    <module-option name = "dsJndiName">java:/jdbc/PSR</module-option>
    <module-option name = "principalsQuery">SELECT PASSWORD as PASSWD FROM APP_USER WHERE LOGIN=?</module-option>
    <module-option name = "rolesQuery">SELECT APP_PERMISSION.NAME as ROLEID, 'Roles' FROM APP_USER, APP_USER_ROLE, APP_ROLE_PERMISSION, APP_PERMISSION WHERE APP_USER.LOGIN=? AND APP_USER.ID = APP_USER_ROLE.USER_ID AND APP_USER_ROLE.ROLE_ID = APP_ROLE_PERMISSION.ROLE_ID AND APP_ROLE_PERMISSION.PERMISSION_ID = APP_PERMISSION.ID</module-option>
    <module-option name="password-stacking">useFirstPass</module-option>
  </login-module>
</application-policy>
If I comment out the LDAP part, it works fine for the "special case user" who exists only in the database. If I have both activated, the "special case user" never authenticates to my web service (it is an EJB3 endpoint exposed via @WebService and @SecurityDomain annotations).
I made sure the "required" and "optional" flags are set and the "password-stacking" option is set. What else am I missing, or is this setup not going to achieve what I need? Does the "special case" user need to exist in the LDAP directory? I was under the impression that "optional" meant it would fail quietly and defer to later modules.
== stanton
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4166746#4166746
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4166746
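The post hinges on how a JAAS LoginContext combines the `optional` and `required` control flags with JBoss's `password-stacking=useFirstPass` hand-off. The following is an added example, not part of the original post and not JBoss code: a small Python model of the JAAS flag rules (required, requisite, sufficient, optional) run over the two-module stack from the post, with constructed sample user stores. The `LDAP_USERS`, `DB_USERS`, `DB_ROLES` tables, the `ldap_login`/`db_login` stand-ins and the rule that any successful module publishes its validated credentials to the shared state are assumptions of the model; it reproduces the specification semantics, not the internals of the real LdapExtLoginModule or DatabaseServerLoginModule, so it cannot show why the poster's deployment behaves differently.

```python
"""Model of how a JAAS LoginContext evaluates a stack of login modules
(required / requisite / sufficient / optional) plus a simplified version of
JBoss's password-stacking=useFirstPass hand-off. Added example; not JBoss code."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample stores: 'alice' exists in LDAP and the DB, 'bob' is the
# "special case user" who exists only in the DB. Roles always come from the DB.
LDAP_USERS = {"alice": "ldap-pw"}
DB_USERS = {"alice": "db-pw", "bob": "db-pw"}
DB_ROLES = {"alice": ["user"], "bob": ["admin"]}

SHARED_NAME = "javax.security.auth.login.name"
SHARED_PASSWORD = "javax.security.auth.login.password"


@dataclass
class Module:
    name: str
    flag: str                          # required | requisite | sufficient | optional
    login: Callable[[str, str], bool]  # stand-in for LoginModule.login()
    use_first_pass: bool = False       # password-stacking=useFirstPass


def ldap_login(user: str, password: str) -> bool:
    """Stand-in (assumption) for LdapExtLoginModule: check against LDAP_USERS."""
    return LDAP_USERS.get(user) == password


def db_login(user: str, password: str) -> bool:
    """Stand-in (assumption) for DatabaseServerLoginModule's principalsQuery check."""
    return DB_USERS.get(user) == password


# The stack from the post: LDAP optional, database required with useFirstPass.
STACK = [
    Module("LdapExtLoginModule", "optional", ldap_login),
    Module("DatabaseServerLoginModule", "required", db_login, use_first_pass=True),
]


def run_login(user: str, password: str, modules: List[Module]) -> Tuple[bool, List[str], List[str]]:
    """Return (authenticated, roles, trace) following the JAAS control-flag rules:
    every required/requisite module must succeed; requisite aborts the stack on
    failure; sufficient returns early on success unless an earlier required or
    requisite module failed; with no required/requisite modules at all, at least
    one sufficient/optional module must succeed."""
    shared: Dict[str, str] = {}
    trace: List[str] = []
    required_failed = False
    required_present = False
    optional_ok = False

    for m in modules:
        if m.use_first_pass and SHARED_NAME in shared:
            # Simplified useFirstPass: an earlier module already established the
            # identity, so this module trusts it and skips its own credential check.
            ok = True
            trace.append(f"{m.name}: accepted via useFirstPass")
        else:
            ok = m.login(user, password)
            trace.append(f"{m.name}: {'success' if ok else 'failure'}")
            if ok:
                # Model assumption: a successful module always publishes the
                # credentials it validated to the shared state.
                shared[SHARED_NAME] = user
                shared[SHARED_PASSWORD] = password

        if m.flag in ("required", "requisite"):
            required_present = True
            if not ok:
                required_failed = True
                if m.flag == "requisite":
                    break
        elif ok:
            optional_ok = True
            if m.flag == "sufficient" and not required_failed:
                break

    authenticated = (not required_failed) if required_present else optional_ok
    # Step 3 of the post: roles come from the database no matter who authenticated.
    roles = DB_ROLES.get(user, []) if authenticated else []
    return authenticated, roles, trace


if __name__ == "__main__":
    for user, pw in [("alice", "ldap-pw"), ("bob", "db-pw"), ("bob", "wrong"), ("alice", "db-pw")]:
        ok, roles, trace = run_login(user, pw, STACK)
        print(f"{user}/{pw}: authenticated={ok} roles={roles} trace={trace}")
```

Under these rules the DB-only user passes: the optional LDAP failure is ignored and the required database module does its own check because nothing is in the shared state yet. The trace for a user known to both stores shows the other side of `useFirstPass`: the database module accepts the identity LDAP established without consulting the database password at all, while the same user can also pass with the database password when the LDAP check fails, so an account present in both stores is reachable through either credential. That is the design property to decide on deliberately when mixing stores this way.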