7 Replies Latest reply on Oct 5, 2001 11:08 PM by pkghosh

Where to store object from within a Login Module

klusi Oct 3, 2001 6:17 AM

Hello together,

we are using a LDAP-Server (Netscape) for authenticating and authorizing our users. Within the user entry in that LDAP-Server we store serialized Java objects, where Profile Information of that user is stored (authorizations etc).
Now I have written an own LDAPLoginModule, that fits to our LDAP tree. I have the problem if I read the serialized object from the user during authentication in the Login Module, where can I store it within JBoss to make it accessible to my applications ?

1. Nowhere

ko5tik Oct 4, 2001 2:40 AM (in response to klusi)

If you subclassed AbstractServerLoginModule,
you do not have to store ths data.

Your login module gets ( via callbacks ) username
( principal ) and password ( credential )

login() method just says OK to this combinaion,
and Group[] getRoleSets() returns assotiated roles.

Jboss stores Principal & credential somwhere out of your scope.
Actions
2. Re: Nowhere

jwkaltz Oct 4, 2001 6:55 AM (in response to klusi)

Yes, but that's just the username. I think the original question was, you access LDAP to retrieve all user information, including password. When you do the login stuff, the password gets verified.
But now, how do you access the other user data which may come from LDAP, like user's preferredLanguage etc.

Either, you can store an object somewhere during the login, but I don't see how ? Or, you have a later access to LDAP to get the other attributes, and this access is handled in an EJB. But this means I have to configure & handle my LDAP access at 2 different places : once in the auth.conf for JBossSX, and once in my application.
It would be better if these 2 needs, password checking & user attributes retrieval could be handled in a single step, I think this is what the first poster meant.
(Of course that might actually not be possible, because the password could be stored somewhere else or need to be accessed differently, with security, than the remaining attributes)

Other opinions regarding integration of LDAP data & EJBs ?
Actions
3. Re: Nowhere

ko5tik Oct 4, 2001 8:12 AM (in response to klusi)

IMHO - no way. You'll have to lookup this information
later from LDAP.
Actions
4. Re: Nowhere

klusi Oct 4, 2001 10:21 AM (in response to klusi)

Yes you were right. I meant exactly this. I am in need to store user information other than username and password somewhere to access it later instead of doing a second LDAP-Connection and search.
I am now thinking of storing that information somewhere in the JBoss namespace.

Any other ideas?
Actions
5. Re: Nowhere

jwkaltz Oct 4, 2001 12:11 PM (in response to klusi)

Well it's true that this need doesn't seem to fit the JAAS pattern. You authorize using one mechanism, perhaps even through a secure LDAP connection, so that password may be sent encrypted to LDAP for example.

And then, if authorization is OK, at a later time, you retrieve user information (other than password) from LDAP. For me, I wrote an EJBUserInfo which does this. The disadvantage is you have to go twice to LDAP and (worse), you have to configure your LDAP parameters in 2 different places ...

Storing the info in some static zone so that you avoid going to LDAP twice is probably not a good idea, in terms of architecture.
Actions
6. Re: Where to store object from within a Login Module

starksm64 Oct 4, 2001 9:54 PM (in response to klusi)

The information can be store in the Subject.getPublicCredentials or Subject.getPrivateCredentials depending on their sensitivity, or in JNDI.
Actions
7. Re: Where to store object from within a Login Module

pkghosh Oct 5, 2001 11:08 PM (in response to klusi)

You could store the user related data from LDAP in a stateful session bean and store a reference to SFSB in the HTTP session.
Actions

Go to original post