[jboss-user] [Security & JAAS/JBoss] - 'sufficient' loginmodules combined with ClientLoginModule

pieter.kuijpers@gmail.com do-not-reply at jboss.com
Fri May 16 07:55:03 EDT 2008


I have the following requirements for my web application running on JBoss 4.2.1:

- Users should be authenticated against an LDAP directory
- In LDAP, a user is registered in one of two locations, say ou=A or ou=B. So, the DN for a user might be uid=X,ou=A or uid=X,ou=B
- I need to perform programmatic web authentication

The solution I have come up with is to use two LdapLoginModules: one for each location. Both login-modules are set to 'sufficient'.


    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
      <!-- regular options omitted -->
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=A</module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
      <!-- regular options omitted -->
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=B</module-option>
    </login-module>

This works as expected: authentication succeeds if the user can be authenticated against one of the two LDAP locations.

To propagate the authentication info to the container, I use the ClientLoginModule as mentioned in the SecurityFAQ. This is added as the third loginmodule in my configuration:


    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
      <module-option name="restore-login-identity">true</module-option>
      <module-option name="multi-threaded">true</module-option>
      <module-option name="password-stacking">useFirstPass</module-option>
    </login-module>

What I want is that authentication fails when both Ldap loginmodules fail. In reality, authentication succeeds in that case, because the ClientLoginModule always succeeds. Thus, I have the two 'sufficient' ldap loginmodules fail, and the 'required' clientloginmodule succeed, resulting in a successful login.

Is there a way to enforce that (at least) one of the ldap loginmodules succeeds, and that the clientloginmodule is still invoked for a successful login?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4151352#4151352

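The behaviour described in the post follows directly from the JAAS control-flag contract (javax.security.auth.login.Configuration): a `required` module that never fails cannot make the overall login fail, and a succeeding `sufficient` module returns immediately without invoking the modules after it. The following simulation of that contract is an added example, not code from the post or from JBoss. The module names `ldap-A`, `ldap-B` and `client`, the sample users alice, bob and mallory, and the in-memory "directory" are all constructed; the `client` module stands in for ClientLoginModule, which only copies the credentials and never rejects them.

```python
"""Simulate JAAS LoginContext flag semantics for the stack described in the post."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

Flag = str  # "required" | "requisite" | "sufficient" | "optional"


@dataclass
class Module:
    name: str
    flag: Flag
    login: Callable[[str], bool]  # username -> True if this module authenticates it


def run_stack(stack: List[Module], user: str) -> Tuple[bool, List[str]]:
    """Evaluate a login-module stack the way LoginContext.login() does.

    Returns (overall_success, names of the modules that were actually invoked).
    """
    invoked: List[str] = []
    any_success = False
    required_failed = False
    for m in stack:
        invoked.append(m.name)
        if m.login(user):
            any_success = True
            # A succeeding 'sufficient' module ends the walk unless an earlier
            # required/requisite module has already doomed the login.
            if m.flag == "sufficient" and not required_failed:
                break
        elif m.flag == "requisite":
            return False, invoked       # a failing 'requisite' stops immediately
        elif m.flag == "required":
            required_failed = True      # keep walking, but the result is already fixed
        # a failing 'sufficient' or 'optional' module is simply skipped over
    if required_failed:
        return False, invoked
    # No required/requisite failure: at least one module must have succeeded.
    return any_success, invoked


# Constructed sample directory: alice lives under ou=A, bob under ou=B,
# mallory is not registered at all.
DIRECTORY = {"uid=alice,ou=A", "uid=bob,ou=B"}


def ldap_module(name: str, ou: str) -> Module:
    """Stand-in for one LdapLoginModule with principalDNSuffix ',ou=<ou>'."""
    return Module(name, "sufficient", lambda user: f"uid={user},ou={ou}" in DIRECTORY)


def posted_stack(client_flag: Flag = "required") -> List[Module]:
    """The stack from the post: two 'sufficient' LDAP modules, then the client module."""
    return [
        ldap_module("ldap-A", "A"),
        ldap_module("ldap-B", "B"),
        Module("client", client_flag, lambda user: True),  # never fails
    ]


def outcome(user: str, client_flag: Flag = "required") -> Tuple[bool, bool]:
    """(login succeeded?, was the client module invoked?) for one user."""
    ok, invoked = run_stack(posted_stack(client_flag), user)
    return ok, "client" in invoked


def flags_meeting_requirements() -> List[Flag]:
    """Flags for the trailing client module under which an unknown user is
    rejected AND the client module still runs for a user found in LDAP."""
    return [f for f in ("required", "requisite", "sufficient", "optional")
            if not outcome("mallory", f)[0] and outcome("alice", f)[1]]


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        ok, reached = outcome(user)
        print(f"{user:8} login={'ok' if ok else 'FAIL':4} client module invoked={reached}")
    print("flags satisfying both requirements:", flags_meeting_requirements() or "none")
```

Running it reproduces the complaint: mallory, who exists in neither ou, is logged in because the always-succeeding `client` module is the only `required` one. It also shows the second half of the problem, which the flags alone cannot fix: whenever ldap-A or ldap-B succeeds, the `sufficient` short-circuit means the `client` module is never reached, and no choice of flag on that third module satisfies both requirements at once (`flags_meeting_requirements()` is empty). Any solution therefore has to change what the modules do, not just how they are flagged.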


