LDAP Login Module (Keberos) Help
cbuckley Mar 4, 2004 12:55 PMI'm flat out stuck. I can get the DatabaseServerLoginModule to work but, a Ldap Login Module is getting me. I have tried a number of things and it's just not working for me. Can someone shed some light on this subject for me. Here is what I am trying to do, I want a LoginModule just like the DatabaseServerLoginModule or the UsersRolesLoginModule, however I want to authenticate using my Domain Controller. I have written java code that can stand alone and perform this as well as a session bean that can perform this authentication, but I want Jboss/tomcat to do it to protect my web app. I have tried making a Login Module like such:
package intuinet.security.auth.spi;
import intuinet.callback.UpstreamCallbackHandler;
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
/**
* @author cbuckley
*
*/
public class Kbr5ServerLoginModule extends UsernamePasswordLoginModule {
private String realm;
private String kdc;
protected String getUsersPassword() throws LoginException {
return getUsersPassword();//Does this get handed off? Or is this my responsibility to obtain this? If so how do I do it with LDAP I can't query for a password? }
protected Group[] getRoleSets() throws LoginException {
HashMap setsMap = new HashMap();
String groupName = "Roles";//Role Group
String name = "Echo";//Role
Group group = new SimpleGroup(groupName);
group.addMember(new SimplePrincipal(name));
Group[] roles = new Group[1];
roles[0] = group;
setsMap.values().toArray(roles);
return roles;
}
public void initialize(
Subject subject,
CallbackHandler callbackHandler,
Map sharedState,
Map configOptions) {
super.initialize(subject, callbackHandler, sharedState, configOptions);
realm = (String) configOptions.get("kbr5Realm");
kdc = (String) configOptions.get("kbr5Kdc");
//Setting system variables....
java.util.Properties p = new java.util.Properties(System.getProperties());
p.setProperty("java.security.krb5.realm",realm );
p.setProperty("java.security.krb5.kdc", kdc);
System.setProperties(p);
}
public boolean login() throws LoginException {
LoginContext lc = null;
boolean valid = false;
UpstreamCallbackHandler callback = new UpstreamCallbackHandler(getUsername(), getUsersPassword());
try {
lc = new LoginContext("domain-contoller", callback);
} catch (LoginException le) {
System.err.println("Cannot create LoginContext. "
+ le.getMessage());
} catch (SecurityException se) {
System.err.println("Cannot create LoginContext. Security Exception"
+ se.getMessage());
}
try {
// attempt authentication
lc.login();
valid = true;
//Next we would want to associate roles to the Subject.
Iterator itr = lc.getSubject().getPrincipals().iterator();
while(itr.hasNext())
System.err.println("Principal "+itr.next().toString());
} catch (LoginException le) {
System.err.println("Authentication failed:");
System.err.println(" " + le.getMessage());
}
return valid;
}
}
and then including the following application-policies in my login-config.xml
<application-policy name = "domain-contoller">
<login-module code="com.sun.security.auth.module.Krb5LoginModule"
flag = "required" />
</application-policy>
<application-policy name = "upstream">
<login-module code="intuinet.security.auth.spi.Krb5ServerLoginModule"
flag = "required" />
<module-option name = "kbr5Realm">upstream.cutthroatcom.com</module-option>
<module-option name = "kbr5Kdc">madison.upstream.cutthroatcom.com</module-option>
</application-policy>
the thought here was that I would implement my own login() method and would actually use the "domain-controller" policy to require com.sun.security.auth.module.Krb5LoginModule and I would use this in my LoginContext, well it doesn't work and furthermore I can't debug because nothing will print out. I don't get it. Oh yeah one more thing right now I have the code packaged in a jar with a ejb: is this bad? shoud I jar the "LoginModule" by itself and put it in the lib directory?
thanks for any help on this one.