[jboss-user] [Security & JAAS/JBoss] - 'sufficient' loginmodules combined with ClientLoginModule
pieter.kuijpers@gmail.com
do-not-reply at jboss.com
Fri May 16 07:55:03 EDT 2008
I have the following requirements for my web application running on JBoss 4.2.1:
- Users should be authenticated against an LDAP directory
- In LDAP, a user is registered in one of two locations, say ou=A or ou=B. So, the DN for a user might be uid=X,ou=A or uid=X,ou=B
- I need to perform programmatic web authentication
The solution I have come up with is to use two LdapLoginModules: one for each location. Both login-modules are set to 'sufficient'.
  <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
    <!-- regular options omitted -->
    <module-option name="principalDNPrefix">uid=</module-option>
    <module-option name="principalDNSuffix">,ou=A</module-option>
  </login-module>
  <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
    <!-- regular options omitted -->
    <module-option name="principalDNPrefix">uid=</module-option>
    <module-option name="principalDNSuffix">,ou=B</module-option>
  </login-module>
This works as expected: authentication succeeds if the user can be authenticated against one of the two LDAP locations.
To propagate the authentication info to the container, I use the ClientLoginModule as mentioned in the SecurityFAQ. This is added as the third loginmodule in my configuration:
  <login-module code="org.jboss.security.ClientLoginModule" flag="required">
    <module-option name="restore-login-identity">true</module-option>
    <module-option name="multi-threaded">true</module-option>
    <module-option name="password-stacking">useFirstPass</module-option>
  </login-module>
What I want is that authentication fails when both Ldap loginmodules fail. In reality, authentication succeeds in that case, because the ClientLoginModule always succeeds. Thus, the two 'sufficient' ldap loginmodules fail and the 'required' clientloginmodule succeeds, resulting in a successful login.
Is there a way to enforce that (at least) one of the ldap loginmodules succeeds, and that the clientloginmodule is still invoked for a successful login?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4151352#4151352
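To see why the stack described in the post behaves this way, here is an added Python model (not from the post and not JBoss code) of how a JAAS LoginContext applies the control flags to a login-module stack. Module outcomes are constructed values rather than real LDAP calls, and the ClientLoginModule is modelled as always returning true from login(), as the post states.

```python
# Added example: a model of JAAS LoginContext control-flag evaluation, applied to
# the poster's stack (two 'sufficient' LdapLoginModules + one 'required'
# ClientLoginModule). Module outcomes are constructed; no real module is invoked.
from dataclasses import dataclass

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"


@dataclass
class Module:
    name: str
    flag: str
    outcome: str  # "ok": login() returned true, "fail": threw LoginException, "ignore": returned false


def evaluate(stack):
    """Return (authenticated, reason) following the JAAS LoginContext rules:
    every required/requisite module must succeed; a successful 'sufficient'
    module ends the pass early only if nothing before it failed; if no
    required/requisite module failed, at least one module must have succeeded."""
    first_required_error = None  # name of the first failing required module
    first_error = None           # name of the first failing sufficient/optional module
    any_success = False
    for m in stack:
        if m.outcome == "ok":
            if m.flag == SUFFICIENT and first_error is None and first_required_error is None:
                return True, f"{m.name} (sufficient) succeeded; remaining modules skipped"
            any_success = True
        elif m.outcome == "fail":
            if m.flag == REQUISITE:
                return False, f"{m.name} (requisite) failed; stack aborted"
            if m.flag == REQUIRED:
                first_required_error = first_required_error or m.name
            else:
                first_error = first_error or m.name
        # "ignore": the module returned false and is neither a success nor an error
    if first_required_error:
        return False, f"required module {first_required_error} failed"
    if not any_success:
        return False, f"no module succeeded (first failure: {first_error or 'none'})"
    return True, "all required modules succeeded"


def poster_stack(ldap_a, ldap_b):
    """The configuration quoted in the post; ClientLoginModule.login() always returns true."""
    return [
        Module("LdapLoginModule ou=A", SUFFICIENT, ldap_a),
        Module("LdapLoginModule ou=B", SUFFICIENT, ldap_b),
        Module("ClientLoginModule", REQUIRED, "ok"),
    ]


if __name__ == "__main__":
    print(evaluate(poster_stack("fail", "ok")))        # user found in ou=B: authenticated
    print(evaluate(poster_stack("fail", "fail")))      # both LDAP lookups fail: still authenticated
    print(evaluate(poster_stack("fail", "fail")[:2]))  # same two failures without ClientLoginModule: rejected
```

The third call shows that the always-succeeding 'required' module is what turns two failed 'sufficient' lookups into an accepted login; the flags alone give no way to express "one of the sufficient modules must succeed" once a required module that cannot fail is in the stack.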