3 Replies Latest reply on Aug 16, 2002 11:32 AM by bratseth

    Decoupling client from SecurityAssociation

    ws_dev

      Hi- I'm looking into configuring security between a java client application and a jboss server. I've been able to use a custom LoginModule from the client to authenticate the client user and establish a session (ie, use SecurityAssociation.setPrincipal()/setSubject() to have the user info sent to the server so it can be retrieved on the server).

      However, I don't like the fact that my ClientModule is coupled to a jboss class, in this case org.jboss.security.SecurityAssociation. Am I missing something? Perhaps there is a different way to establish a user session. Or perhaps people don't worry about the coupling since LoginModules are essentially decoupled from the system via the auth.conf configuration file.

      I'd be interested to hear what other people think of this.

      Thanks!

        • 1. Re: Decoupling client from SecurityAssociation
          bratseth

          I guess you are. This is one way to do it without:

          1. Make a login configuration which tells JAAS to use
          org.jboss.security.ClientLoginModule (without referencing the class). If you don't want to mess with java.policy, create a subclass of javax.security.auth.login.LoginConfiguration
          which returns the configuration entry you want
          (the class name above, the constant REQUIRED and no options)
          and do a javax.security.auth.login.Configuration.setConfiguration(new MyConfiguration());
          at startup.

          2. Create your own implementation of javax.security.auth.callback.CallbackHandler
          to return the user name and password from wherever you obtain it.

          3. Do
          new javax.security.auth.login.LoginContext("whatever", new myCallbackHandler()).login();
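
The three steps above, written out as one runnable client class. This is an added example, not code from bratseth or from the JBoss project: it names the JBoss module only as the string given in the reply (so nothing compiles against org.jboss.security.*), and it assumes the JBoss client jar is on the runtime classpath, a hypothetical entry name "client", and placeholder credentials ("alice" / a console-prompted or hard-coded password) standing in for wherever the real application obtains them.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Client-side JAAS login that never imports org.jboss.security.*.
 * JAAS loads the module named below reflectively from the classpath at login time,
 * so swapping servers means changing one string, not recompiling the client.
 */
public class ClientLogin {

    // Hypothetical entry name; any string works as long as our Configuration answers to it.
    static final String ENTRY_NAME = "client";
    // Module class name as given in the reply; the jboss client jar must be on the classpath.
    static final String JBOSS_CLIENT_MODULE = "org.jboss.security.ClientLoginModule";

    /** Step 1: a programmatic Configuration, so no auth.conf or java.security edits are needed. */
    static final class ClientConfiguration extends Configuration {
        private final AppConfigurationEntry[] entries = {
            new AppConfigurationEntry(
                JBOSS_CLIENT_MODULE,
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                Collections.<String, Object>emptyMap())  // "no options": the map must be non-null, not null
        };

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            // Answer only for our own entry name; null makes JAAS fail the login for unknown names.
            return ENTRY_NAME.equals(name) ? entries.clone() : null;
        }

        @Override
        public void refresh() { }  // nothing to reload; abstract on older JDKs, so override it anyway
    }

    /** Step 2: a CallbackHandler that supplies the user name and password the module asks for. */
    static final class StaticCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        StaticCallbackHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);  // PasswordCallback stores its own copy
                } else {
                    throw new UnsupportedCallbackException(cb, "Unsupported callback: " + cb.getClass().getName());
                }
            }
        }
    }

    /** Step 3: install the configuration, then log in. Returns the context so the caller can logout(). */
    static LoginContext login(String user, char[] password) throws LoginException {
        Configuration.setConfiguration(new ClientConfiguration());
        LoginContext ctx = new LoginContext(ENTRY_NAME, new StaticCallbackHandler(user, password));
        ctx.login();
        return ctx;
    }

    public static void main(String[] args) throws LoginException {
        // Placeholder credential source: prompt when a console exists, otherwise a hard-coded demo value.
        char[] password = System.console() != null
            ? System.console().readPassword("Password: ")
            : "changeit".toCharArray();
        LoginContext ctx = login("alice", password);
        Arrays.fill(password, '\0');  // our copy of the secret is no longer needed
        try {
            // ... remote calls go here; the configured module has set the client-side caller identity ...
        } finally {
            ctx.logout();  // undo what the module's commit() established
        }
    }
}
```

Two practical points: `Configuration.setConfiguration` is process-wide, so call it once at startup rather than per login, and if the client runs under a SecurityManager it needs `AuthPermission("setLoginConfiguration")`. Keep the password in a `char[]` and wipe it after `login()`, as above, since a `String` cannot be cleared.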
