-
1. Re: How does a standalone client pass the CallbackHandler to
The client and server have different login modules. The client should use the loginmodule org.jboss.security.ClientLoginModule. This module does nothing else but stores (in something called SecurityAssociations) the username and password for later use. No actual validation is done when you call .login() on the client.
When the client calls on a method on a ejb the user name and password (SecurityAssociations) is by some magic bundled with the client call. The username and password are on the server side collected from the SecurityAssociations and put into an array of Callbacks which are sent to your specified LoginModule on the server side.
Observe that you should use one configuration file on the client side and another on the server side.
/Fredrik Bertilsson -
2. Re: How does a standalone client pass the CallbackHandler to
Thank you, Fredrik. Now it works well. Although I still don't quite understand the "magic" behind it. But, fortunatelly, I don't need to :o)
Martin -
3. Re: How does a standalone client pass the CallbackHandler to
What do the files client/auth.conf and conf/catalina/auth.conf look like? Any example of them would be nice.
When running a client, how can you tell whether the client is looking into the file client/auth.conf?
I have added
client-login
{
org.jboss.security.ClientLoginModule required;
};
to my client/auth.conf and nothing happens. Do I need to package the client/auth.conf into the ear file?
Thanks for any help. -
4. Re: How does a standalone client pass the CallbackHandler to
You should probably do something like that (it works for me):
1) In %JAVA_HOME%/jre/lib/security/java.security you have to configure the JAAS:
login.config.url.1=file:somepath/jaas.config
2) In the jaas.config file then configure the ClientLoginModule:
client-login {
org.jboss.security.ClientLoginModule required;
};
3) Implement a CallBackHandler class:static class AppCallbackHandler implements CallbackHandler { private String username; private char[] password; public AppCallbackHandler(String username, char[] password) { this.username = username; this.password = password; } public void handle(Callback[] callbacks) throws java.io.IOException, UnsupportedCallbackException { for (int i = 0; i < callbacks.length; i++) { if (callbacks instanceof NameCallback) { NameCallback nc = (NameCallback)callbacks; nc.setName(username); } else if (callbacks instanceof PasswordCallback) { PasswordCallback pc = (PasswordCallback)callbacks; pc.setPassword(password); } else { throw new UnsupportedCallbackException(callbacks, "Unrecognized Callback"); } } } }
4) ...and in your servlet, when the user logs in via a web form, create new AppCallbackHandler object, fill it with username and password, create new LoginContext with this callback handler and try to login (this time is no real authentication performed, it is performed not until the call to the appserver, on the appserver with its own LoginModule):try { AppCallbackHandler handler = new AppCallbackHandler(username, password); LoginContext lc = new LoginContext("foo", handler); lc.login(); } catch (LoginException le) { //but here should arise really no LoginException, because by then //no real authentication is performed System.out.println("Login failed."); le.printStackTrace(); }
5) Remember the username and password on the webserver as session variables and if it's necessary, login again.
This is of course only the clients part, then you have to configure some LoginModule on the JBoss, but it's another story.
Hope this helps you.
Martin -
5. Re: How does a standalone client pass the CallbackHandler to
Sorry, at the 4) there should have been:
LoginContext lc = new LoginContext("client-login", handler);
instead ofLoginContext lc = new LoginContext("foo", handler);