hi,

On Thursday, February 13, 2014, Chetan Mehrotra <[email protected]> wrote:
> On Thu, Feb 13, 2014 at 12:45 PM, Tobias Bocanegra <[email protected]> wrote:
> > I don't quite follow. can you give an example of what would be in the
> > jaas.conf and where you instantiate the ProxyLoginModule ?
>
> A rough sketch would be ...
>
> jaas.config
>
> ----
> oakAuth {
>   org.apache.jackrabbit.oak.security.ProxyLoginModule REQUIRED
>   loginModuleFactoryClass="org.apache.jackrabbit.oak.security.LdapLoginModuleFactory"
>   authIdentity="{USERNAME}"
>   useSSL=false
>   debug=true;
> };
> ----
>
> public class ProxyLoginModule implements LoginModule {
>     private LoginModule delegate;
>
>     public void initialize(Subject subject, CallbackHandler callbackHandler,
>             Map<String, ?> sharedState, Map<String, ?> options) {
>         // Ask the surrounding layer (Oak) for the factory provider via a callback
>         LMFactoryProviderCallBack lmfcb = new LMFactoryProviderCallBack();
>         try {
>             callbackHandler.handle(new Callback[] { lmfcb });
>         } catch (IOException | UnsupportedCallbackException e) {
>             throw new IllegalStateException("Cannot obtain LoginModuleFactory provider", e);
>         }
>         // The factory class name comes from the JAAS entry options
>         LoginModuleFactory factory = lmfcb.getLoginModuleFactoryProvider()
>                 .getFactory(options.get("loginModuleFactoryClass"));
>         delegate = factory.createLoginModule();
>         delegate.initialize(subject, callbackHandler, sharedState, options);
>     }
>
>     ...
>     //Use delegate for other operations
> }
>
> The flow would involve following steps
>
> 1. User mentions the ProxyLoginModule in jaas entry and provides the
>    factory class name in the config. JAAS logic would be instantiating
>    the Proxy LM
> 2. Oak provides a callback using which Proxy LM can obtain the factory
> 3. Upon init the proxy would initialize the delegate from factory
> 4. The delegate is used for later calls
> 5. LM if required can still use the config from jaas or is
>    configured via factory itself
>
> Note here I preferred using the callback to get LM access the outer
> layer services instead of using a custom config.
>
> The custom config mode works fine in standalone case where the
> application is the sole user of JAAS system. Hence it works fine for
> Karaf/OSGi env. But that might not work properly in App server env
> where app server itself uses jaas. So to avoid interfering in embedded
> mode callback should be preferred.
>
> Chetan Mehrotra

ok, that's how I thought it would be. if we can live with the restriction
that we need to use a proxy login module for our LMs, we're good.

btw: if you look at the current ExternalLoginModule, I already used a LMF
but only for the osgi case. if we could use a ProxyLM, that would simplify
the code a lot.

regards
Toby
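
The proxy pattern discussed in this thread, carried through all five `LoginModule` methods, as an added example that is not code from the thread or from Oak. `LoginModuleFactory`, `FactoryProvider` and `FactoryProviderCallback` are hypothetical stand-ins for the types named in the sketch; the point shown is that the proxy fails closed when no delegate can be resolved, so a `REQUIRED` entry rejects the login instead of being silently skipped.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical types standing in for the factory and callback named in the thread.
interface LoginModuleFactory { LoginModule createLoginModule(); }
interface FactoryProvider { LoginModuleFactory getFactory(String className); }

class FactoryProviderCallback implements Callback {
    private FactoryProvider provider;
    void setProvider(FactoryProvider p) { provider = p; }  // set by the container's CallbackHandler
    FactoryProvider getProvider() { return provider; }
}

public class ProxyLoginModule implements LoginModule {
    private LoginModule delegate;  // stays null if the factory cannot be resolved

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        try {
            FactoryProviderCallback cb = new FactoryProviderCallback();
            handler.handle(new Callback[] { cb });
            String name = (String) options.get("loginModuleFactoryClass");
            LoginModuleFactory factory = cb.getProvider().getFactory(name);
            delegate = factory.createLoginModule();
            delegate.initialize(subject, handler, sharedState, options);
        } catch (Exception e) {
            // initialize() cannot throw a checked exception; login() reports the failure.
            delegate = null;
        }
    }

    // Fail closed: without a delegate, raise LoginException rather than return
    // false, which JAAS interprets as "ignore this module".
    private LoginModule require() throws LoginException {
        if (delegate == null) {
            throw new LoginException("ProxyLoginModule: no delegate LoginModule available");
        }
        return delegate;
    }

    @Override public boolean login() throws LoginException { return require().login(); }
    @Override public boolean commit() throws LoginException { return require().commit(); }
    @Override public boolean abort() throws LoginException { return delegate != null && delegate.abort(); }
    @Override public boolean logout() throws LoginException { return delegate != null && delegate.logout(); }
}
```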
