I'm flat out stuck. I can get the DatabaseServerLoginModule to work but, a Ldap Login
Module is getting me. I have tried a number of things and it's just not working for
me. Can someone shed some light on this subject for me. Here is what I am trying to
do, I want a LoginModule just like the DatabaseServerLoginModule or the
UsersRolesLoginModule, however I want to authenticate using my Domain Controller. I
have written java code that can stand alone and perform this as well as a session bean
that can perform this authentication, but I want Jboss/tomcat to do it to protect my
web app. I have tried making a Login Module like such:
package intuinet.security.auth.spi;
import intuinet.callback.UpstreamCallbackHandler;
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
/**
* @author cbuckley
*
*/
public class Kbr5ServerLoginModule extends UsernamePasswordLoginModule {
private String realm;
private String kdc;
protected String getUsersPassword() throws LoginException {
return getUsersPassword();//Does this get handed off? Or is this my
responsibility to obtain this? If so how do I do it with LDAP I can't query for a
password? }
protected Group[] getRoleSets() throws LoginException {
HashMap setsMap = new HashMap();
String groupName = "Roles";//Role Group
String name = "Echo";//Role
Group group = new SimpleGroup(groupName);
group.addMember(new SimplePrincipal(name));
Group[] roles = new Group[1];
roles[0] = group;
setsMap.values().toArray(roles);
return roles;
}
public void initialize(
Subject subject,
CallbackHandler callbackHandler,
Map sharedState,
Map configOptions) {
super.initialize(subject, callbackHandler, sharedState,
configOptions);
realm = (String) configOptions.get("kbr5Realm");
kdc = (String) configOptions.get("kbr5Kdc");
//Setting system variables....
java.util.Properties p = new
java.util.Properties(System.getProperties());
p.setProperty("java.security.krb5.realm",realm );
p.setProperty("java.security.krb5.kdc", kdc);
System.setProperties(p);
}
public boolean login() throws LoginException {
LoginContext lc = null;
boolean valid = false;
UpstreamCallbackHandler callback = new
UpstreamCallbackHandler(getUsername(), getUsersPassword());
try {
lc = new LoginContext("domain-contoller", callback);
} catch (LoginException le) {
System.err.println("Cannot create LoginContext. "
+ le.getMessage());
} catch (SecurityException se) {
System.err.println("Cannot create LoginContext. Security
Exception"
+ se.getMessage());
}
try {
// attempt authentication
lc.login();
valid = true;
//Next we would want to associate roles to the Subject.
Iterator itr = lc.getSubject().getPrincipals().iterator();
while(itr.hasNext())
System.err.println("Principal "+itr.next().toString());
} catch (LoginException le) {
System.err.println("Authentication failed:");
System.err.println(" " + le.getMessage());
}
return valid;
}
}
and then including the following application-policies in my login-config.xml
<application-policy name = "domain-contoller">
<login-module code="com.sun.security.auth.module.Krb5LoginModule"
flag = "required" />
</application-policy>
<application-policy name = "upstream">
<login-module code="intuinet.security.auth.spi.Krb5ServerLoginModule"
flag = "required" />
<module-option name =
"kbr5Realm">upstream.cutthroatcom.com</module-option>
<module-option name =
"kbr5Kdc">madison.upstream.cutthroatcom.com</module-option>
</application-policy>
the thought here was that I would implement my own login() method and would actually
use the "domain-controller" policy to require
com.sun.security.auth.module.Krb5LoginModule and I would use this in my LoginContext,
well it doesn't work and furthermore I can't debug because nothing will print out. I
don't get it. Oh yeah one more thing right now I have the code packaged in a jar with
a ejb: is this bad? shoud I jar the "LoginModule" by itself and put it in the lib
directory?
thanks for any help on this one.
<a
href="http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3824222#3824222";>View
the original post</a>
<a
href="http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3824222>Reply
to the post</a>
-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
