Ingo Bruell wrote:
IB> Hi Oleg,
>> but if you are interested, I can give brief instructions in the
IB> Yes, I am very interested!
Fine.
The first draft of the documentation follows :-)
I assume that you have already read JAAS documentation.
1) Client side
1.1) specify the configuration for JAAS in some way (see
http://java.sun.com/security/jaas/apidoc/javax/security/auth/login/Configuration.html
for details). For example, you may write
java -Djava.security.auth.login.config==jboss_path/client/auth.conf
in the command line for your client application.
1.2) Code CallbackHandler for your client application
1.3) Code the login process like this:
import javax.security.auth.login.LoginContext;
LoginContext lc = new LoginContext("appName", new MyCallbackHandler());
lc.login();
1.4) The user name and password that you provide in CallbackHandler
will be passed to jBoss by the jBoss LoginModule for the client side.
You may add any other LoginModules.
Here is the client auth.conf with comments:
other {
// Put your login modules that work without jBoss here
// jBoss LoginModule
org.jboss.security.ClientLoginModule required;
// Put your login modules that need jBoss here
};
2) Server side
On the server side JAAS LoginModules are used for two purposes:
for authentication and for principal to role mapping (so called realm
mapping). You may use one LoginModule for both purposes or you may
use different LoginModules. You may also mix JAAS-based services
with other jBoss security services (JAAS-based security service is
just a layer built on top of jBoss generic security interfaces).
2-1) Assume that you want to use JAAS-based services only.
Then you may remove SimpleRealmMappingService and
EJBSecurityManagerService entries from jboss.conf and add
<MLET CODE="org.jboss.security.JaasSecurityManagerService"
ARCHIVE="jboss.jar" CODEBASE="../lib/ext/">
</MLET>
instead.
2-2) Code your LoginModules or use the existing ones. For now only
SimpleServerLoginModule is in CVS (password must coincide with user
name), DatabaseServerLoginModule will be available soon.
2-2-1) LoginModule for authentication should validate user name and
password obtained from CallbackHandler. Note: you don't need to cache
the results of authentication, they are cached automatically and used
for authentication of subsequent method calls.
If the user name or password is invalid, throw FailedLoginException.
2-2-2) LoginModule for realm mapping should provide the list of role
names (as Strings) for the given user as a set of public credentials
for the Subject and (optionally) provide a Principal for the Subject
which is the name of the user for beans. If you don't provide a
Principal, the original user name is used (I mean the one that was
received from the client). Again, you don't need to cache the results.
2-3) Specify the LoginModules in jboss/conf/auth.conf:
mybeans {
org.jboss.security.DatabaseServerLoginModule required;
com.mycompany.MyRealmMappingLoginModule required;
};
other {
// Provides the default realm mapping
org.jboss.security.SimpleServerLoginModule required;
};
The application names in it are the logical names of security
resources. They may be referenced from jboss.xml by their JNDI names,
which are constructed as "jaas/entry_name".
For example: "jaas/mybeans", "jaas/other".
2-4) Your LoginModules should be available in the main CLASSPATH for
jBoss. Add them to the CLASSPATH before the run.bat call, or modify run.bat
like this:
REM Add all login modules for JAAS-based security here
set CLASSPATH=%CLASSPATH%;..\lib\jboss-jaas.jar;mypath\mymodules.jar
NOTE:
3-1) the JAAS-based security service for jBoss may contain bugs ;-)
3-2) For now EJBContext.getCallerPrincipal() always returns the
original Principal; EJBContext.isCallerInRole() is not implemented
yet.
So, be lenient :-)
Best regards,
Oleg
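As an added example (not Oleg's code and not part of jBoss), here is a server-side LoginModule that does both jobs described in 2-2-1 and 2-2-2: it validates the name and password obtained from the CallbackHandler, throws FailedLoginException on a mismatch, and in commit() puts the role names into the Subject's public credentials as Strings and adds a Principal for the user. The user table, role table and SimplePrincipal class are constructed for the example, and it assumes Java 16 or later.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Authentication (2-2-1) and realm mapping (2-2-2) in one module; the two maps are constructed sample data.
public class ExampleServerLoginModule implements LoginModule {
    private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
    private static final Map<String, List<String>> ROLES = Map.of("alice", List.of("user", "manager"));
    private Subject subject;
    private CallbackHandler handler;
    private String user; // non-null only after a successful login()

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("Cannot obtain credentials: " + e.getMessage());
        }
        String expected = PASSWORDS.get(nc.getName());
        char[] pw = pc.getPassword();
        // Constant-time compare; an unknown user and a wrong password fail the same way.
        boolean ok = expected != null && pw != null
            && MessageDigest.isEqual(expected.getBytes(), new String(pw).getBytes());
        pc.clearPassword();
        if (!ok) throw new FailedLoginException("Invalid user name or password");
        user = nc.getName();
        return true;
    }

    public boolean commit() {
        if (user == null) return false;
        // Role names go into the public credentials as Strings (2-2-2); the optional Principal names the user for the beans.
        subject.getPublicCredentials().addAll(ROLES.getOrDefault(user, List.of()));
        subject.getPrincipals().add(new SimplePrincipal(user));
        return true;
    }
    public boolean abort() { user = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
    // Minimal Principal implementation, assumed for this example.
    record SimplePrincipal(String name) implements Principal { public String getName() { return name; } }
}
```

Listed under an entry such as mybeans in jboss/conf/auth.conf, it replaces both modules of that entry; with the "required" flag, a FailedLoginException from login() fails the whole LoginContext.login() call.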