Re: [JBoss-dev] OracleLoginModule

2003-02-06 Thread Stefano Maestri
Well I did it.
I'll try to explain briefly what I did.
I extended UsernamePasswordLoginModule, making the user/password test and
Roles recovery with a special connection made with DriverManager. Then I
added code to make this LoginModule a LoginModule that knows it is
working with a ManagedConnectionFactory, starting from the code of the
CallerIdentity Login Module. Then I configured a DataSource with
SecurityDomainJndiName pointing to a security domain configured with this
module and Criteria set to ByContainer. Then I wrote a StupidServlet
that does a getConnection on that Datasource and does a "select USER from
DUAL", configuring security-domain in jboss-web.xml at the same
jndiName, and web.xml to put my StupidServlet in a security constraint
based on Oracle's Roles name.
Then when I try the servlet it asks me for login and password, authenticates
over my Login Module correctly using Oracle's Roles, gets a Connection with
the correct user and gives me correct output.
I think I could say that it works!!
If you are still interested I'll send you the code asap (It needs a
little style cleanup and some log removing :) )


Thanx for the help


On Tue, 2003-02-04 at 16:34, Stefano Maestri wrote:
> More clear now. I'm sorry to have taken your time.
> So, I took a look, and I think I could do something like the
> CallerIdentityLoginModule adding a special connection from
> DriverManager to authenticate user over Oracle and get Roles. I'm
> going to try. Thanks a lot for the support. I'll let you know how
> things will go on.
> 
> bye 
> 
> Stefano
> 
--- all work and no play makes Jack a dull boy
--- 

bye Stefano 
[EMAIL PROTECTED]
www.javalinux.it
MSN messenger: [EMAIL PROTECTED]
ICQ uin: 122192578
Jabber: canezen
#jedit IRC channel as  




---
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
___
Jboss-development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development



Re: [JBoss-dev] OracleLoginModule

2003-02-04 Thread Stefano Maestri




More clear now. I'm sorry to have taken your time.
So, I took a look, and I think I could do something like the CallerIdentityLoginModule adding a special connection from DriverManager to authenticate user over Oracle and get Roles. I'm going to try. Thanks a lot for the support. I'll let you know how things will go on.

bye 

Stefano

On Tue, 2003-02-04 at 15:38, David Jencks wrote:

> Well, I'm working on a modification of the source. There are some hacks (I
> already tried them and they work) to check the password and go on, but
> I'm trying to understand if I could do something better by implementing on
> JBoss the modified DES algorithm used by Oracle to make the password check
> in a cleaner form.
> Just a doubt: if I use getConnection() not only in the LoginModule, but also
> in my applications, I log in to Oracle with just one user, so in this manner
> I will have J2ee roles in use, but I couldn't use the Oracle Roles on
> package/stored procedure and table. Is it correct? Or could I use
> getConnection(user,pwd) in my Beans?

I'm not sure I understand exactly what you are trying to do, so let's 
see if I can explain how it works.  Basically there are 2 scenarios, 
Application managed security and Container managed security:

Application.  You call ds.getConnection(user, pw).  Do NOT supply a 
JAAS LoginModule for the datasource deployment.  Use ByApplication for 
the pooling criteria.  Your application will have to keep track of who 
it is running as and request connections as that user.

Container.  You call ds.getConnection().  DO supply a JAAS LoginModule 
for the datasource deployment.  This has to be a LoginModule that knows 
it is working with a ManagedConnectionFactory.  We have examples for 
CallerIdentity and ConfiguredIdentity.  These login modules supply a 
Subject with a PasswordCredential that includes a reference to the 
ManagedConnectionFactory created as part of the datasource deployment.  
Such a login module can use any algorithm it likes to determine the 
identity and credentials of the database user.  In the examples, 
Configured Identity always supplies the same user/pw, and 
CallerIdentity uses the user/pw your application is running under.  
It's also possible to look up the application user in some kind of map 
to determine the db user/pw, although no one has contributed such a 
login module yet.  Use ByContainer for the pooling criteria unless you 
have figured out how to reauthenticate the Oracle connections (some 
people have been working on this recently).

With the Container managed security, you may wish to get the security 
mapping information from the database.  This will mean the LoginModule 
will need one or more "special" connections to the db to query for this 
information.  You may want to get one such connection directly from 
DriverManager to avoid recursion -- the login module trying to get a 
connection for itself needing the login module to get a connection.  
Alternatively you could get the connection from a separately configured 
datasource that does not need db info to determine the security.

One other point.  You can specify a default user/pw in the datasource 
configuration file.  This provides essentially the same effect as using 
the ConfiguredIdentity login module, but it is much simpler.  The main 
difference is which file the password is stored in.

I hope this clarifies things a bit :-)  I often find all the parts to 
keep track of confusing.

thanks
david jencks




>
> Thanks for the interest and your good code JBoss src is fun!!
>







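As an added illustration of the container-managed scenario David describes above (this is not code from the thread or from JBoss): a hypothetical login module that validates the caller directly against Oracle over a DriverManager connection (so the datasource is never asked for a connection from inside the module, avoiding the recursion he warns about), maps the granted_role rows of user_role_privs to the "Roles" group JBoss reads J2EE roles from, and places a PasswordCredential bound to the datasource's ManagedConnectionFactory in the Subject so that ds.getConnection() under ByContainer opens as that Oracle user. How the MCF and the JDBC URL reach the module (the "managedConnectionFactory" and "jdbcUrl" options) is assumed.

```java
import java.sql.*;
import java.util.*;
import javax.resource.spi.ManagedConnectionFactory;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

public class OracleRolesLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private ManagedConnectionFactory mcf;  // assumption: handed in as the "managedConnectionFactory" option
    private String jdbcUrl, user;          // assumption: "jdbcUrl" option, used only for the special connection
    private char[] password;
    private final List<String> oracleRoles = new ArrayList<String>();
    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        this.subject = subject; this.handler = handler;
        mcf = (ManagedConnectionFactory) options.get("managedConnectionFactory");
        jdbcUrl = (String) options.get("jdbcUrl");
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("User: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); } catch (Exception e) { throw new LoginException(e.toString()); }
        user = nc.getName(); password = pc.getPassword();
        // "Special" connection straight from DriverManager, never from the datasource: asking the
        // datasource here would re-enter this module (the recursion the thread warns about).
        try (Connection c = DriverManager.getConnection(jdbcUrl, user, new String(password));
             ResultSet rs = c.createStatement().executeQuery("select granted_role from user_role_privs")) {
            while (rs.next()) oracleRoles.add(rs.getString(1));  // reached only if Oracle accepted the password
        } catch (SQLException e) {  // ORA error text only; the password never reaches the log
            throw new LoginException("Oracle rejected login for " + user + ": " + e.getMessage());
        }
        return true;
    }
    public boolean commit() {
        PasswordCredential cred = new PasswordCredential(user, password);
        cred.setManagedConnectionFactory(mcf);  // ByContainer: ds.getConnection() opens as this Oracle user
        subject.getPrivateCredentials().add(cred);
        SimpleGroup roles = new SimpleGroup("Roles");  // JBoss reads J2EE roles from the "Roles" group
        for (String r : oracleRoles) roles.addMember(new SimplePrincipal(r));
        subject.getPrincipals().add(new SimplePrincipal(user)); subject.getPrincipals().add(roles);
        return true;
    }
    public boolean abort() { return logout(); }
    public boolean logout() { if (password != null) Arrays.fill(password, '\0'); return true; }
}
```

Because Oracle itself verifies the password on the DriverManager connection, the module never has to reimplement Oracle's password hashing, which is the part the thread reports getting stuck on.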









Re: [JBoss-dev] OracleLoginModule

2003-02-04 Thread Stefano Maestri
On Mon, 2003-02-03 at 18:59, David Jencks wrote:
> 
> As I said it works only in ByApplication criteria
> 
> Are you calling
> ds.getConnection() or
> 
> ds.getConnection(user, pw)?  
> 
> the last one.
> 
> If you call ds.getConnection(user, pw) you MUST NOT provide a
> LoginModule and you must use the ByApplication criteria if your
> adapter does not support reauthentication or ByNothing if it does. 
> Login modules are for use only with Container managed security, which
> basically means you always call ds.getConnection().
> 
Well, I'm working on a modification of the source. There are some hacks (I
already tried them and they work) to check the password and go on, but
I'm trying to understand if I could do something better by implementing on
JBoss the modified DES algorithm used by Oracle to make the password check
in a cleaner form.
Just a doubt: if I use getConnection() not only in the LoginModule, but also
in my applications, I log in to Oracle with just one user, so in this manner
I will have J2ee roles in use, but I couldn't use the Oracle Roles on
package/stored procedure and table. Is it correct? Or could I use
getConnection(user,pwd) in my Beans?

Thanks for the interest and your good code JBoss src is fun!!








Re: [JBoss-dev] OracleLoginModule

2003-02-03 Thread Stefano Maestri




On Mon, 2003-02-03 at 16:03, David Jencks wrote:

> I'm very interested in this login module.  Can you supply it as a
> "patch" in the sourceforge tracker?  Otherwise I may lose track of it
> before I can review and commit it.

I'd be glad to do it when it works in ByContainer mode.

> Offhand it seems to me that the LoginModule should only work if the
> criteria was ByContainer.  

As I said it works only in ByApplication criteria

> Are you calling ds.getConnection() or
> ds.getConnection(user, pw)?  

the last one. 

> Can you check the code in
> XAManagedConnectionFactory.matchManagedConnection and
> BaseWrapperManagedConnectionFactory.getConnectionProperties to see if
> it is obvious why the match is failing?  You might need to modify the
> OracleXAManagedConnectionFactory to provide more suitable matching
> behavior.  (I'm looking at jboss head for these classes).

I'm taking a look. 
Thanks for the interest.

> thanks
> 
> david jencks
> 
> > Hi guys,
> > 
> > I wrote a login module specific for Oracle DataBase, that tries to
> > authenticate a user on Oracle DataSource and map Oracle Role on J2ee
> > Role. I think it could be very interesting for guys that have jboss
> > and Oracle together, because you could manage roles and user just in
> > one environment.
> > 
> > I tried it on my environment and it seems to work only if I set in
> > Oracle-xa-service.xml




RE: [JBoss-dev] OracleLoginModule

2003-02-03 Thread Stefano Maestri




Not exactly, I login with user and password and use the user_role_privs view; simple is better (I hope that isn't too simple to work).
To have a look at my code, I attached the code in the previous message.
Any suggestion is a piece of gold for me, feel free to write me.

bye

On Mon, 2003-02-03 at 16:47, Sonnek, Ryan wrote:

Out of curiosity, could you say how you did this?  I'm assuming that you're authenticating to the DBA_USERS and DBA_USER_ROLES tables, and this is something that I tried a while back.  I got stuck being able to hash my login module's password to match Oracle's.  There was no documentation on what algorithm they were using, and so after trying a few, I gave up.  This is something that I am HIGHLY interested in, and would love to take a look at.

Congratulations on the hard work.
Ryan

-Original Message-
From: David Jencks [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 03, 2003 9:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-dev] OracleLoginModule



I'm very interested in this login module. Can you supply it as a "patch" in the sourceforge tracker? Otherwise I may lose track of it before I can review and commit it. 


Offhand it seems to me that the LoginModule should only work if the criteria was ByContainer. Are you calling ds.getConnection() or ds.getConnection(user, pw)? Can you check the code in XAManagedConnectionFactory.matchManagedConnection and BaseWrapperManagedConnectionFactory.getConnectionProperties to see if it is obvious why the match is failing? You might need to modify the OracleXAManagedConnectionFactory to provide more suitable matching behavior. (I'm looking at jboss head for these classes). 


thanks 

david jencks 


Hi guys, 


I wrote a login module specific for Oracle DataBase, that tries to authenticate a user on Oracle DataSource and map Oracle Role on J2ee Role. I think it could be very interesting for guys that have jboss and Oracle together, because you could manage roles and user just in one environment. 

I tried it on my environment and it seems to work only if I set in Oracle-xa-service.xml 


ByApplication 


If I set it to ByContainer I get this error: 


15:14:02,562 WARN  [JBossManagedConnectionPool] Destroying connection that could not be successfully matched: org.jboss.resource.adapter.jdbc.xa.oracle.XAOracleManagedConnection@462631 


And the connection is still open on the DB. 

Could you please explain to me what happens. Thank you in advance 

BTW I attached my source, what about it? Couldn't it be useful for anyone? 


 

















[JBoss-dev] OracleLoginModule

2003-02-03 Thread Stefano Maestri




Hi guys,

I wrote a login module specific for Oracle DataBase, that tries to authenticate a user on Oracle DataSource and map Oracle Role on J2ee Role. I think it could be very interesting for guys that have jboss and Oracle together, because you could manage roles and user just in one environment.
I tried it on my environment and it seems to work only if I set in Oracle-xa-service.xml 

ByApplication

If I set it to ByContainer I get this error:

15:14:02,562 WARN  [JBossManagedConnectionPool] Destroying connection that could not be successfully matched: org.jboss.resource.adapter.jdbc.xa.oracle.XAOracleManagedConnection@462631

And the connection is still open on the DB.
Could you please explain to me what happens. Thank you in advance
BTW I attached my source, what about it? Couldn't it be useful for anyone?
 










/*
 * JBoss, the OpenSource WebOS
 *
 * Distributable under LGPL license.
 * See terms of license at gnu.org.
 */
package org.jboss.security.auth.spi;

import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.login.FailedLoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * A JDBC based login module that supports authentication and role mapping.
 * It is based on two logical tables:
 *
 *    Principals(PrincipalID text, Password text)
 *    Roles(PrincipalID text, Role text, RoleGroup text)
 *
 * LoginModule options:
 *
 * dsJndiName: The name of the DataSource of the database containing the Principals, Roles tables
 * principalsQuery: The prepared statement query, equivalent to:
 *
 *    "select Password from Principals where PrincipalID=?"
 *
 *    Use it if you don't want to use the Oracle user/password to check permission
 * rolesQuery: The prepared statement query, equivalent to:
 *
 *    "select Role, RoleGroup from Roles where PrincipalID=?"
 *
 *    Use it if you want to read roles from a table instead of or together with Oracle Roles
 * useOracleRoles: true/false to use Oracle Roles mapping to J2ee Roles
 *
 * @author Stefano Maestri
 * Special thanks to Paolo Vigano my DBA for support and tests
 * @version $Revision: 1.6 $
 */
public class OracleServerLoginModule extends UsernamePasswordLoginModule
{
   private String dsJndiName;
   private String principalsQuery = null;
   private boolean useOracleRoles = false;
   private String rolesQuery = null;
   private String oracleRolesQuery = "select granted_role from user_role_privs";
   private String username;
   private String password;

   /**
    * Initialize this LoginModule.
    */
   public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options)
   {
      super.initialize(subject, callbackHandler, sharedState, options);
      dsJndiName = (String) options.get("dsJndiName");
      if( dsJndiName == null )
         dsJndiName = "java:/DefaultDS";
      Object tmp = options.get("principalsQuery");
      if( tmp != null )
         principalsQuery = tmp.toString();
      tmp = options.get("rolesQuery");
      if( tmp != null )
         rolesQuery = tmp.toString();
      tmp = options.get("useOracleRoles");
      // Oracle roles are only used when no principalsQuery replaces the Oracle password check
      if( tmp != null && tmp.toString().equalsIgnoreCase("true") && principalsQuery==null )
         useOracleRoles = true;
      log.trace("OracleServerLoginModule, dsJndiName="+dsJndiName);
      log.trace("principalsQuery="+principalsQuery);
      log.trace("rolesQuery="+rolesQuery);
      log.trace("useOracleRoles="+useOracleRoles);
   }

   /** Get the expected password for the current username available via
    * the getUsername() method. This is called from within the login()
    * method after the CallbackHandler has returned the username and
    * candidate password.
    * @return the valid password String
    */
   protected String getUsersPassword() throws LoginException
   {
      String password = null;
      Connection conn = null;
      PreparedStatement ps = null;
      ResultSet rs = null;

      try
      {
         username = getUsername();
         if (principalsQuery != null) {
            InitialContext ctx = new InitialContext();
 Data