Hello there! Well, I'm trying to use a custom authentication method. I
read the JAAS developer guide, as well as the LoginModule Developer guide. I have a
custom LoginModule that extends UserNamePasswordLoginModule. My "solution", when
used combined with j_security_check, works nicely.
The problem is I must have more fine-grained control, something that
j_security_check won't provide. One of my requisites is: if the password is
expired, redirect to a change password screen.
OK, as my solution works OK with j_security_check, I don't believe my problem
lies within the LoginModule itself.
So I designed a POJO that is accessed by my SessionFaçade that does the trick.
Here's a piece of the code:
    Principal user = new SimplePrincipal(username);
    SecurityAssociationHandler handler = new SecurityAssociationHandler();
    handler.setSecurityInfo(user, password.toCharArray());
    Usuario usuario = null;
    LookupManager lookup = new LookupManager();
    try {
        // JAAS login against the "MyLoginModule" configuration
        LoginContext lc = new LoginContext("MyLoginModule", (CallbackHandler) handler);
        lc.login();
        Subject subject = lc.getSubject();
        Set principals = subject.getPrincipals();
        PrivilegedAction action = new LoginAction();
        Subject.doAs(subject, action);
        // load the application user and its permissions
        usuario = new Usuario();
        usuario.setLogin(username);
        usuario = lookup.getUsuarioPorLogin(usuario);
        usuario.setPermissoes(lookup.getPermissoesPorUsuario(usuario));
    } catch (LoginException e) {
        if (e instanceof LoginFailedException) {
            throw (LoginFailedException) e;
        } else {
            throw new RuntimeException(e);
        }
    } catch (MyException e) {
        throw new LoginFailedException(e);
    }

OK, so I get a handler, set the username and password on it, pass it to my
LoginModule and call login on my LoginContext.
LoginOk is set to true, so everything is OK, right?
Well. As Ed Roman said in his 15 steps to JAAS, the last step is to call a
privileged action and after that the security constraints are propagated across
the container. Well, this is NOT happening. The user is not authenticated; it is
re-sent to the login screen over and over.
Could someone please give me some guidelines on it? Has someone used it without
j_security_check?
Here's some info:
web.xml:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>JSP</web-resource-name>
        <description>Arquivos JSP</description>
        <url-pattern>*.jsp</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>usuarios permitidos</description>
        <role-name>Administrador</role-name>
      </auth-constraint>
      <user-data-constraint>
        <description>Encryption is not required for the application in general.</description>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Actions</web-resource-name>
        <description>Actions</description>
        <url-pattern>*.do</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>usuarios permitidos</description>
        <role-name>Administrador</role-name>
      </auth-constraint>
      <user-data-constraint>
        <description>Encryption is not required for the application in general.</description>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>MyLoginModule</realm-name>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

jboss-web.xml
    <security-domain>java:/jaas/MyLoginModule</security-domain>

Login.java (Servlet)
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("login");
        String password = request.getParameter("password");
        RequestDispatcher dispatcher = null;
        ControlarAcessoSistemaDelegate delegate = new ControlarAcessoSistemaDelegate();
        HttpSession session = request.getSession();
        try {
            // delegate does the JAAS login shown above
            Usuario usuario = delegate.autenticar(username, password);
            session.setAttribute("usuario", usuario);
            PermissionsAdapter permissions = new MyPermissionsAdapter(
                    (MenuRepository) session.getServletContext()
                            .getAttribute(MenuRepository.MENU_REPOSITORY_KEY),
                    usuario);
            session.setAttribute("permissions", permissions);
            dispatcher = request.getRequestDispatcher("/xyz/controlaracessosistema/login.do");
        } catch (LoginFailedException e) {
            dispatcher = request.getRequestDispatcher("/login.jsp");
        }
        dispatcher.forward(request, response);
    }

login-config.xml
    <application-policy name="MyLoginModule">
      <authentication>
        <login-module code="com.xyz.abc.autenticacao.MyLoginModule" flag="required">
          <module-option name="dsJndiName">java:MsSqlServerDS</module-option>
          <module-option name="usersQuery">select usua_tx_senha from usuario where usua_nm_login_usu = ?</module-option>
        </login-module>
      </authentication>
    </application-policy>

Any help would be very, very appreciated.
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3877006#3877006
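As an added example (not the poster's code), here is a programmatic JAAS login that tells an expired password apart from a bad one, so the calling servlet can redirect to the change-password page the post asks for. It assumes the JAAS configuration name "MyLoginModule" from the post and a LoginModule that throws the standard javax.security.auth.login.CredentialExpiredException when the password has expired; the names ProgrammaticLogin, Outcome and handlerFor are made up for this example.

```java
// Added example, not the poster's code. Assumes a LoginModule configured as
// "MyLoginModule" that throws CredentialExpiredException for an expired password.
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import java.util.Arrays;

public final class ProgrammaticLogin {

    /** Outcome of a login attempt, so the servlet can decide where to send the user. */
    public enum Outcome { OK, BAD_CREDENTIALS, PASSWORD_EXPIRED }

    /** Answers the standard NameCallback/PasswordCallback a LoginModule asks for. */
    static CallbackHandler handlerFor(final String user, final char[] password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
    }

    /** Runs the JAAS login and maps the failure type to an Outcome. */
    public static Outcome login(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("MyLoginModule", handlerFor(user, password));
        try {
            lc.login();
            // The principals now live on lc.getSubject() only. A LoginContext
            // login does not make the servlet container treat the request as
            // authenticated: the container still routes protected URLs to the
            // FORM login page until its own mechanism (j_security_check here)
            // has run. Treat this Subject as application state, not as the
            // container's caller identity.
            return Outcome.OK;
        } catch (CredentialExpiredException e) {
            return Outcome.PASSWORD_EXPIRED;   // servlet redirects to change-password page
        } catch (FailedLoginException e) {
            return Outcome.BAD_CREDENTIALS;    // servlet returns to /login.jsp
        } finally {
            Arrays.fill(password, '\0');       // don't keep the clear password in memory
        }
    }
}
```

Any other LoginException (misconfiguration, unreachable data source) still propagates, which keeps an infrastructure failure from being reported to the user as "wrong password".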