Objective: to authenticate using a custom client login module and pass the 
subject, containing the credentials customer ID and NHS #, to a custom server 
login module. This does no authentication but simply maps the customer ID to a 
role in order to invoke a secured EJB.

How: 

I have listed below 4 different approaches I used.

(1) Created the following components:

- Custom client login module (reference article: All That JASS):
       ConsoleCallbackHandler
       PassiveCallbackHandler
       RdbmsCredential
       RdbmsLoginModule
       RdbmsPrinciple

- Custom server login module (reference article: Securing EJB Applications with 
Custom JBoss Login Modules):
       CustomServerLoginModule

- Used the JBoss client login module to bind the subject.

- Added the RDBMS login module (custom client login module) to the /example 
domain in login-config.xml.
- Added CustomServerModule to the security domain (secureBankDomain) for the EJB 
application.

Extract from login-config.xml:

  <application-policy name="Example">
    <login-module code="com.jaas.RdbmsLoginModule" flag="required">
      <module-option name="url">jdbc:mysql://localhost/jaasdb</module-option>
      <module-option name="usr">root</module-option>
      <module-option name="pwd">steelbus581</module-option>
      <module-option name="driver">com.mysql.jdbc.Driver</module-option>
      <module-option name="debug">true</module-option>
    </login-module>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
    </login-module>
  </application-policy>

  <application-policy name="SecureBankDomain">
    <login-module code="bank.jaas.CustomServerLoginModule" flag="required">
      <module-option name="debug">true</module-option>
    </login-module>
  </application-policy>

Subsequently realised that only the username and password handled by the 
callback are passed to the server login module. Therefore this approach would 
not work.

(2) Pass the credential and principal in the initial context, e.g. 
Context.SECURITY_PRINCIPAL, prior to getting a reference to the remote EJB.

       import java.util.Hashtable;
       import javax.naming.Context;
       import javax.naming.InitialContext;
       import org.jboss.security.SecurityAssociation;

       // java.util.Hashtable (lower-case "t"); there is no HashTable class
       Hashtable props = new Hashtable();
       // principal and credential left in SecurityAssociation by the client login module
       props.put( Context.SECURITY_PRINCIPAL, 
           SecurityAssociation.getPrincipal() );
       props.put( Context.SECURITY_CREDENTIALS, 
           SecurityAssociation.getCredential() ); 

       InitialContext initialContext = new InitialContext( props );

On invoking the server login method, it fails as no identity, i.e. Principal, 
can be found.


(3) Created a PrivilegedAction i.e. CallBankMgrGetCustData that would get the 
EJB reference and execute the method. This also fails as no identity can be 
found.

(4) Pushed the credential and principal onto the SecurityAssociation stack. 
However, an error occurred as the RdbmsPrincipal class could not be found (no 
class loader). Then added com.bank.RdbmsCredential and RdbmsPrincipal to 
server/default/lib as a jar. Still the custom server login module fails as no 
identity, i.e. Principal, can be found.

Question: 

What have I not understood or not configured correctly? Or is what I am trying 
to do not possible? Any help would be appreciated.

References:

- All That JASS. http://www.javaworld.com/javaworld/jw-09-2002/jw-0913-jaas_p.html
- Writing Custom JAAS Login Modules. 21 Nov 2003. http://www.timfanelli.com/blog/item/custom_jaas_login_modules.html
- Securing EJB Applications with Custom JBoss Login Modules. 21 Nov 2003. http://www.timfanelli.com/item/98
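As an added illustration, not code from the post or from the referenced articles, here is the shape a server-side login module for approach (1) can take against the JBoss 3.x/4.x AbstractServerLoginModule API: it reads the principal name that ClientLoginModule propagated, maps it to a role, and never checks a password. It assumes the client puts the customer ID into the principal name; the class name follows the post, while the "roleMap" module option and its "id=role,id=role" format are assumptions made here.

```java
import java.security.Principal;
import java.security.acl.Group;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

/** Maps the customer ID carried in the principal name to one EJB role; no password check. */
public class CustomServerLoginModule extends AbstractServerLoginModule {
    private Principal identity;
    private String role;

    public boolean login() throws LoginException {
        // ClientLoginModule propagates only the principal and the credential; the
        // principal's name reaches this module via NameCallback, so the client
        // must place the customer ID in the principal name (assumption of this example).
        NameCallback nc = new NameCallback("User name: ");
        try {
            callbackHandler.handle(new Callback[] { nc });
        } catch (Exception e) {
            throw new LoginException("Callback failed: " + e.getMessage());
        }
        String customerId = nc.getName();
        if (customerId == null || customerId.length() == 0) throw new LoginException("No customer ID in principal");
        // Hypothetical module-option "roleMap", e.g. "1001=BankManager,1002=Customer"
        role = lookupRole(customerId, (String) options.get("roleMap"));
        if (role == null) throw new LoginException("No role mapped for customer " + customerId);
        identity = new SimplePrincipal(customerId);
        loginOk = true;   // lets AbstractServerLoginModule.commit() populate the Subject
        return true;
    }

    /** Parses "id=role,id=role" and returns the role for customerId, or null if unmapped. */
    static String lookupRole(String customerId, String roleMap) {
        if (roleMap == null) return null;
        String[] pairs = roleMap.split(",");
        for (int i = 0; i < pairs.length; i++) {
            String[] kv = pairs[i].trim().split("=");
            if (kv.length == 2 && kv[0].trim().equals(customerId)) return kv[1].trim();
        }
        return null;
    }

    protected Principal getIdentity() { return identity; }

    protected Group[] getRoleSets() {
        SimpleGroup roles = new SimpleGroup("Roles");   // JBoss reads EJB roles from the "Roles" group
        roles.addMember(new SimplePrincipal(role));
        return new Group[] { roles };
    }
}
```

Only the principal's name and the credential object cross from ClientLoginModule to the server, which matches what approach (1) observed. If the NHS # must also reach the server, it can be read from the credential object through org.jboss.security.auth.callback.ObjectCallback, provided the credential class is loadable on the server as set up in approach (4).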




View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958490#3958490

_______________________________________________
jboss-user mailing list