5 Replies Latest reply on May 20, 2003 2:15 AM by halset

    Custom CallbackHandler?

    hezekiel

      I've tried to figure out a way to transfer more information in the login process than just the username and password. (E.g. the classic case of limiting the number of simultaneous logins depending on the user's location or some other principal.)

      The logical solution would be to implement
      1. custom CallbackHandler impl. in client side
      2. custom Callback impl. for transferring the data
      3. Deriving custom LoginModule from AbstractServerLoginModule where the login method would give this 'extra' Callback impl. for handler to handle.

      Fairly decent solution?

      Why doesn't this work?! Because the SecurityAssociationHandler doesn't allow any extra Callbacks. The handle method checks if the callback is of type SecurityAssociationCallback, ObjectCallback, NameCallback or PasswordCallback. Any other Callback impl. in the callback array will give you an UnsupportedCallbackException.

      Since the SecurityAssociationHandler is not the only entity handling these Callbacks, shouldn't it just ignore the unrecognized callbacks? What harm does an unrecognized callback cause that the whole login process fails if there's an unknown callback in the array?

      If someone has a better solution (Scott?) please let me know. I'm considering building JBoss with this callback checking commented out.
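The design in the post above and the rejection behaviour it runs into, as an added example that is not part of the thread and not JBoss code. ClientLocationCallback, LocationAwareHandler and the sample values are hypothetical; only the standard javax.security.auth.callback API is used, and everything runs inside one JVM, so nothing here is carried from a client to a server.

```java
import java.io.IOException;
import java.io.Serializable;
import javax.security.auth.callback.*;

// Hypothetical callback carrying one extra login attribute.
class ClientLocationCallback implements Callback, Serializable {
    private String location;
    public void setLocation(String location) { this.location = location; }
    public String getLocation() { return location; }
}

// Hypothetical handler: fills in the callback types it knows and rejects any
// other type, which is what the CallbackHandler contract asks of a handler.
class LocationAwareHandler implements CallbackHandler {
    private final String user;
    private final char[] password;
    private final String location;

    LocationAwareHandler(String user, char[] password, String location) {
        this.user = user; this.password = password; this.location = location;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
            else if (cb instanceof ClientLocationCallback) ((ClientLocationCallback) cb).setLocation(location);
            else throw new UnsupportedCallbackException(cb, "Unrecognized callback");
        }
    }
}

public class CallbackDemo {
    public static void main(String[] args) throws Exception {
        // Constructed sample credentials and location.
        CallbackHandler h = new LocationAwareHandler("alice", "s3cret".toCharArray(), "branch-office");
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pw = new PasswordCallback("password: ", false);
        ClientLocationCallback loc = new ClientLocationCallback();
        h.handle(new Callback[] { name, pw, loc });
        System.out.println(name.getName() + " logging in from " + loc.getLocation());

        // The caller asked for data the handler cannot supply: the handler refuses
        // and the caller treats that as a failed login instead of proceeding with
        // an unanswered callback.
        try {
            h.handle(new Callback[] { new TextInputCallback("otp: ") });
        } catch (UnsupportedCallbackException e) {
            System.out.println("login rejected, unsupported: " + e.getCallback().getClass().getName());
        }
    }
}
```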

        • 1. Re: Custom CallbackHandler?
          hezekiel

          Didn't help. Apparently the extra callbacks given to the handler are not automagically transferred between client and server even though the 'implements Serializable' would hint so...

          Aarrgh! I just need to send a little extra across. How hard can that be?

          • 2. Re: Custom CallbackHandler?
            halset

            I want to do the same thing with jboss+tomcat. How do you specify the classname of the custom CallbackHandler?

            • 3. Re: Custom CallbackHandler?
              halset

              I want to do the same thing with jboss+tomcat. How do you specify the custom callbackhandler?

              • 4. Re: Custom CallbackHandler?

                The JaasSecurityManagerService MBean has a configurable attribute "CallbackHandlerClassName". This MBean is configured in the server/.../conf/jboss-service.xml file. Find the section on the JaasSecurityManager service (about 1/2 way down) and add a tag like the following:


                <attribute name="CallbackHandlerClassName">my.own.CallbackHandler</attribute>


                Note that this CallbackHandler will now be invoked for all server-side logins.

                It would be nice if this could be added as an config option for each security realm, rather than just as a global option for the security service.

                Best,
                Brian

                • 5. Re: Custom CallbackHandler?
                  halset

                  Can a custom callbackhandler be used to make the loginmodule get info from the servletcontainer about current sessionId or number of sessions?