9 Replies Latest reply on Nov 28, 2002 9:41 AM by halset

    custom form action instead of j_security_check???

    jackburns

      Can anybody tell me what j_security_check actually does?

      I want to write a custom action to be called from my form login page instead of using j_security_check so that I can pass more parameters to my server-side login module than just "j_username" and "j_password".

      Is this possible?

      Thanks,
      jack

        • 1. Re: custom form action instead of j_security_check???
          bleupen

what else do you need to pass to your server-side login module?

          b

          • 2. Re: custom form action instead of j_security_check???
            jackburns

            We are using token authenticators that dynamically generate unique access codes, so each user has to enter a fixed password and the generated one to be authenticated on a remote server.

            Not entirely sure how j_security_check works but as far as I can see, the server-side login module - say UsernamePasswordLoginModule - calls super.callbackHandler.handle(callbacks) to retrieve a NameCallback and a PasswordCallback that have been populated with the j_username and j_password fields. The server-side code is below.

            Is it possible to add another PasswordCallback to the handler somehow?

            jb

            // From UsernamePasswordLoginModule.getUsernameAndPassword(): only a NameCallback
            // (j_username) and a PasswordCallback (j_password) are handed to the callback handler.
            // Needs: java.io.IOException, javax.security.auth.callback.*, javax.security.auth.login.LoginException
            protected String[] getUsernameAndPassword() throws LoginException {
                NameCallback nc = new NameCallback("User name: ", "guest");
                PasswordCallback pc = new PasswordCallback("Password: ", false);
                Callback[] callbacks = { nc, pc };
                String username = null;
                String password = null;
                try {
                    super.callbackHandler.handle(callbacks);
                    username = nc.getName();
                    char[] tmpPassword = pc.getPassword();
                    if (tmpPassword != null) {
                        password = new String(tmpPassword);
                        pc.clearPassword();   // scrub the callback's copy once it has been read
                    }
                } catch (IOException e) {
                    throw new LoginException("Failed to read callbacks: " + e.getMessage());
                } catch (UnsupportedCallbackException e) {
                    throw new LoginException("Callback not supported: " + e.getMessage());
                }
                return new String[] { username, password };
            }

            • 3. Re: custom form action instead of j_security_check???
              jackburns

              Also, is it possible to access the session or the session id from the server-side login module? I have tried to work around this problem but I need to set session attributes in the login module.

              Thanks
              jb

              • 4. Re: custom form action instead of j_security_check???
                bleupen

                jb,

                I'm not sure how to add a third field to the j_security_check form post. One idea that comes to mind is that you submit both passwords as a single, delimited value in the j_password field. You could then extend the UsernamePasswordLoginModule class to parse the password and perform the authentication.

                I am not sure about accessing the session id. I had to subclass the Struts Action servlet to check and set session variables.

                b

                • 5. Re: custom form action instead of j_security_check???
                  dmitry_ame

                  jb,

                  have you found a feasible solution for accessing session context from the server-side login module?

                  • 6. Re: custom form action instead of j_security_check???
                    craigday

                    This is how you can do some of the things you need to:

                    Forget j_security_check and all the web container security :). It works, but there are painful little issues with it (like not being able to directly reference j_security_check from your own forms).

                    Create a custom JAAS login module (and all the required config to get it integrated); extend the UsernamePasswordLoginModule for simplicity (I rolled my own eventually once I got a grip on this stuff). Override login() and getUsernameAndPassword(); in the latter, create and use an org.jboss.security.auth.callback.SecurityAssociationCallback rather than the NameCallback and PasswordCallback. The SecurityAssociationCallback allows you to retrieve the principal and an arbitrary credential object (whatever you want). Write login() to handle your authentication with your own credential object.

                    Create your login form and form handler. In the handler, create your principal and credentials (your credential object) based on submitted data, JNDI lookup the JAAS security manager (AuthenticationManager) and pass Principal and Credential to the security manager's isValid() method. This should hit your login module and perform your authentication. The trick now is to associate the principal and credentials into org.jboss.security.SecurityAssociation using:

                    SecurityAssociation.setPrincipal()
                    SecurityAssociation.setCredentials()

                    so that things get propagated to the EJB container. Now when you make a call to the EJB container, Principal and Credentials get propagated and will be used to authenticate you at this layer. You need to do this re-association on every web request, so save the principal and credentials away in the HttpSession and intercept every call and re-associate.

                    good luck :)

                    cheers
                    craig

                    • 7. Re: custom form action instead of j_security_check???
                      jleech

                      Tomcat has a FormAuthenticator class in there that handles the authentication. It only handles username and password. You can write your own tomcat authenticator class, configure your web application to use it in web.xml, and there's a tomcat configuration file somewhere where you name your new authentication type (the existing ones are BASIC, DIGEST, and FORM) and point it to your class.
                      Then you've got to deal with JBoss always wanting to reauthenticate using just a username and password. You can extend this as was suggested, but if the additional credentials you are using are time-based, like an RSA token, you will be hosed.
                      If you don't need to secure your EJBs, just the web pages, and you want to use JAAS, do yourself a favor and stop. Don't write a new tomcat authenticator, etc. Just write your JAAS module(s), your JSPs / servlets for the authentication form, and a Filter class to secure everything you apply the filter to.
                      Whichever approach you take, if your JAAS module has multiple callback steps (e.g. new pin mode for RSA tokens), the next hurdle you will face will be getting the JAAS authentication, which has to happen in a single thread, to play nice with your form. JAAS wasn't designed for authentication over the web.
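Here is the web-tier side of what craig (post 6) and jleech (post 7) describe, as an added example that is not code from this thread or from JBoss: a servlet filter that authenticates the login POST through the JNDI-bound AuthenticationManager with a custom credential object, keeps principal and credential in the HttpSession, and re-associates them through SecurityAssociation on every request. Assumed names: the security domain java:/jaas/MyDomain, the /login form action, the username/password/token field names and the TwoFactorCredential class; the JBoss setter is setCredential (singular), and the matching login module would read the same credential object back from a SecurityAssociationCallback in getUsernameAndPassword().

```java
import java.io.IOException;
import java.security.Principal;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;

/** Credential object handed to JAAS: fixed password plus one-time token code (assumed type, not a JBoss class). */
final class TwoFactorCredential implements java.io.Serializable {
    final char[] password; final String tokenCode;
    TwoFactorCredential(char[] password, String tokenCode) { this.password = password; this.tokenCode = tokenCode; }
}

public class TwoFactorLoginFilter implements Filter { // authenticates once, re-associates on every later request
    private static final String DOMAIN_JNDI = "java:/jaas/MyDomain"; // assumed security-domain name
    private static final String LOGIN_PATH = "/login";               // assumed form action
    private static final String PRINCIPAL_KEY = "auth.principal", CRED_KEY = "auth.credential";
    private AuthenticationManager manager;
    public void init(FilterConfig fc) throws ServletException {
        try { manager = (AuthenticationManager) new InitialContext().lookup(DOMAIN_JNDI); }
        catch (NamingException e) { throw new ServletException("security domain not bound", e); }
    }
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req; HttpServletResponse resp = (HttpServletResponse) res;
        HttpSession session = http.getSession(true);
        boolean loginRequest = LOGIN_PATH.equals(http.getServletPath());
        if (loginRequest && "POST".equals(http.getMethod())) {
            String user = http.getParameter("username"), pw = http.getParameter("password"), token = http.getParameter("token");
            if (user == null || pw == null || token == null) { resp.sendError(400); return; }
            Principal p = new SimplePrincipal(user);
            Object cred = new TwoFactorCredential(pw.toCharArray(), token);
            if (!manager.isValid(p, cred)) { resp.sendError(401); return; } // runs the JAAS login module
            session.invalidate(); session = http.getSession(true);          // new session id after login (session fixation)
            session.setAttribute(PRINCIPAL_KEY, p); session.setAttribute(CRED_KEY, cred);
        }
        Principal caller = (Principal) session.getAttribute(PRINCIPAL_KEY);
        if (caller == null && !loginRequest) { resp.sendError(401); return; } // only the login form itself is open
        try { // re-associate per request so the EJB layer sees this caller; clear so the worker thread does not keep it
            if (caller != null) {
                SecurityAssociation.setPrincipal(caller); SecurityAssociation.setCredential(session.getAttribute(CRED_KEY));
            }
            chain.doFilter(req, res);
        } finally { SecurityAssociation.clear(); }
    }
}
```

JBoss's JaasSecurityManager caches a validated principal/credential pair for a configurable time and otherwise re-runs the login module with whatever credential was re-associated, so a module that re-checks the one-time code on every run will start rejecting the stored credential once the code expires; that is the reauthentication problem jleech and halset describe, and the cache timeout or the module's handling of an already-validated credential has to account for it.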

                      • 8. Re: custom form action instead of j_security_check???
                        dmitry_ame

                        Thank you guys,

                        looks like I've got enough to get me started...

                        • 9. Re: custom form action instead of j_security_check???
                          halset

                          I am in the middle of the problem with JBoss reauthentication using username/password and RSA-passwords.

                          The passwords do not work any more after 60 seconds, so this reauthentication is very bad.

                          Any idea on how to stop the reauthentication? Please!