How did you achieve this? I am trying to do a similar thing:

1) Attempt authentication via LDAP (using LdapExtLoginModule).

2) If that fails, attempt authentication against the database (for "special case 
users") (using DatabaseServerLoginModule).

3) Load the roles from the database regardless of which authentication 
succeeded.

I have the following login-config:

    <application-policy name = "dual-auth">

          <login-module code = "org.jboss.security.auth.spi.LdapExtLoginModule"
             flag = "optional">

             <module-option name="baseCtxDN">dc=psr,dc=kryptiq,dc=com</module-option>
             <module-option name="bindDN">cn=admin,dc=psr,dc=kryptiq,dc=com</module-option>
             <module-option name="bindCredential">secret00</module-option>
             <module-option name="baseFilter">(cn={0})</module-option>
             <module-option name="rolesCtxDN">dc=psr,dc=kryptiq,dc=com</module-option>
             <module-option name="roleAttributeIsDN">false</module-option>
             <module-option name="roleAttributeID">role</module-option>

          </login-module>

          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
             flag = "required">
             <module-option name = "unauthenticatedIdentity">guest</module-option>
             <module-option name = "dsJndiName">java:/jdbc/PSR</module-option>
             <module-option name = "principalsQuery">SELECT PASSWORD as PASSWD FROM APP_USER WHERE LOGIN=?</module-option>
             <module-option name = "rolesQuery">SELECT APP_PERMISSION.NAME as ROLEID, 'Roles' FROM APP_USER, APP_USER_ROLE, APP_ROLE_PERMISSION, APP_PERMISSION WHERE APP_USER.LOGIN=? AND APP_USER.ID = APP_USER_ROLE.USER_ID AND APP_USER_ROLE.ROLE_ID = APP_ROLE_PERMISSION.ROLE_ID AND APP_ROLE_PERMISSION.PERMISSION_ID = APP_PERMISSION.ID</module-option>

             <module-option name = "password-stacking">useFirstPass</module-option>

          </login-module>

    </application-policy>

If I comment out the LDAP part, it works fine for the "special case user" who 
exists only in the database. If I have both activated, the "special case user" 
never authenticates to my web service (it is an EJB3 endpoint exposed via 
@WebService and @SecurityDomain annotations).

I made sure the "required" and "optional" flags are set and the 
"password-stacking" option is set. What else am I missing, or is this setup not 
going to achieve what I need? Does the "special case" user need to exist in 
the LDAP directory? I was under the impression that "optional" meant it would 
fail quietly and defer to later modules.

== stanton
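To make the optional/required question concrete, here is an added model (my own illustration, not JBoss or JAAS code) of how a JAAS LoginContext combines module control flags and how password-stacking=useFirstPass hands credentials from one module to the next; the LDAP directory and APP_USER table are stood in for by constructed dictionaries.

```python
"""JAAS LoginContext flag combination, modelled in Python.
Added illustration, not JBoss/JAAS code: follows the JAAS control-flag rules and
the JBoss password-stacking=useFirstPass shared-state convention."""
from dataclasses import dataclass

NAME_KEY = "javax.security.auth.login.name"      # shared-state keys JBoss uses
PASS_KEY = "javax.security.auth.login.password"  # for password stacking


@dataclass
class Module:
    name: str
    flag: str                     # required | requisite | sufficient | optional
    users: dict                   # constructed user store: login -> password
    use_first_pass: bool = False  # password-stacking=useFirstPass

    def login(self, user, password, shared):
        # useFirstPass: reuse credentials an earlier module put in shared state
        if self.use_first_pass and NAME_KEY in shared:
            user, password = shared[NAME_KEY], shared[PASS_KEY]
        ok = self.users.get(user) == password
        if ok:  # a successful module publishes its credentials for later modules
            shared[NAME_KEY], shared[PASS_KEY] = user, password
        return ok


def login_context(modules, user, password):
    """Return (overall success, names of modules whose login() succeeded)."""
    shared, passed, required_failed = {}, [], False
    for m in modules:
        ok = m.login(user, password, shared)
        if ok:
            passed.append(m.name)
        if m.flag in ("required", "requisite") and not ok:
            required_failed = True
            if m.flag == "requisite":
                break                          # requisite failure ends the chain
        if m.flag == "sufficient" and ok and not required_failed:
            return True, passed                # sufficient success ends the chain
    has_required = any(m.flag in ("required", "requisite") for m in modules)
    return ((not required_failed) if has_required else bool(passed)), passed


# Constructed stores standing in for the LDAP directory and the APP_USER table.
LDAP = Module("LdapExtLoginModule", "optional", {"alice": "ldap-pw"})
DB = Module("DatabaseServerLoginModule", "required",
            {"alice": "ldap-pw", "special": "db-pw"}, use_first_pass=True)

if __name__ == "__main__":
    print(login_context([LDAP, DB], "special", "db-pw"))
```

Under the flag rules alone, the database-only user passes once the optional LDAP module fails, which narrows the search on a real server to what the two modules do in commit()/abort() and with the shared state rather than to the flags themselves.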


View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4166746#4166746

_______________________________________________
jboss-user mailing list
https://lists.jboss.org/mailman/listinfo/jboss-user
