I'm trying to implement web-application-wide security to secure servlets and 
EJBs with a custom principal.

I have extended UsernamePasswordLoginModule:

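import java.io.IOException;
import java.security.Principal;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

public class MyLoginModule extends UsernamePasswordLoginModule
{
   private Principal identity;

   public Principal getIdentity() {
      return identity;
   }

   public boolean login() throws LoginException
   {
      NameCallback name = new NameCallback("User name");
      PasswordCallback pwc = new PasswordCallback("Password", false);

      try {
         callbackHandler.handle(new Callback[]{name, pwc});
      } catch (IOException e) {
         throw new LoginException(e.toString());
      } catch (UnsupportedCallbackException e) {
         throw new LoginException(e.toString());
      }
      String user = name.getName();
      String pass = new String(pwc.getPassword());
      // build the custom principal from the values the callback handler supplied
      identity = new MyPrincipal(user, pass);
      return true;
   }
}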

and I have created a realm:

import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

public class MyRealm extends org.apache.catalina.realm.JAASRealm
{
   // overrides super class implementation to return the principal that
   // was created in the login module
   protected Principal createPrincipal(String user, Subject sub)
   {
      Set s = sub.getPrincipals(MyPrincipal.class);
      // get the principal created in the login module
      Principal p = (Principal) s.iterator().next();
      return p;
   }
}

All works fine for the duration of the first request/thread, but for subsequent 
requests/a new thread the username and password returned by the callback 
handler are null. Could someone tell me what this line of code does:

org.jboss.web.tomcat.security.SecurityAssociationActions.setPrincipalInfo(principal, certs, subject);

It seems to do some magic which causes the JBoss EJB layer to remember the 
username and credentials for subsequent calls to the LoginModule.login() 
method. Without it, subsequent calls to the login() method have null username 
and password callback values. This call is in the JBossSecurityMgrRealm, but the 
class is protected so I can't add a call to it in MyRealm.

Alternatively, what am I doing wrong to cause the JBoss EJB layer to 'forget' the 
username and credential?

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3950403#3950403