-
1. Re: custom login module using AbstractServerLoginModule
ahardy66 Mar 15, 2004 4:17 AM (in response to ahardy66)
I'm just wondering whether my problem could be down to the Principal class that I'm using.
I subclassed it to provide my own functionality on top of Principal. Could jbosssx be objecting to it? -
2. Re: custom login module using AbstractServerLoginModule
starksm64 Mar 15, 2004 7:12 PM (in response to ahardy66)
The AbstractServerLoginModule.loginOk field must be set to true in order for commit to do anything as documented in the javadoc. The setting of the TRACE level is incorrect, use:
<category name="org.jboss.security.auth">
  <priority value="TRACE" class="org.jboss.logging.XLevel"/>
</category>
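The contract described in the reply above, as an added example that is not part of the thread or of JBoss's own code: login() sets loginOk only after the credentials check out, and getRoleSets() returns a detached "Roles" group for the parent class's commit() to process. DemoLoginModule, passwordMatches and rolesFor are hypothetical names; it assumes the JBossSX jars are on the classpath and a JDK that still ships java.security.acl.Group.

```java
import java.security.Principal;
import java.security.acl.Group;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

// Added example, not JBoss code. DemoLoginModule and its two hooks are hypothetical.
public abstract class DemoLoginModule extends AbstractServerLoginModule {
    private Principal identity;
    private String[] roleNames = new String[0];

    /** Hypothetical hook: verify the password against the user store. */
    protected abstract boolean passwordMatches(String user, char[] password);
    /** Hypothetical hook: role names granted to the user. */
    protected abstract String[] rolesFor(String user);

    public boolean login() throws LoginException {
        loginOk = false; // commit() does nothing while this is false
        NameCallback nc = new NameCallback("Username: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            callbackHandler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("Callback handling failed: " + e.getMessage());
        }
        String user = nc.getName();
        char[] password = pc.getPassword();
        pc.clearPassword();
        if (user == null || password == null || !passwordMatches(user, password)) {
            throw new FailedLoginException("Authentication failed"); // loginOk stays false
        }
        identity = new SimplePrincipal(user);
        roleNames = rolesFor(user);
        loginOk = true; // only now will commit() act on the Subject
        return true;
    }

    protected Principal getIdentity() { return identity; }

    protected Group[] getRoleSets() throws LoginException {
        Group roles = new SimpleGroup("Roles"); // detached group; the Subject is not touched here
        for (int i = 0; i < roleNames.length; i++) {
            roles.addMember(new SimplePrincipal(roleNames[i]));
        }
        return new Group[] { roles };
    }
}
```

A concrete subclass supplies the two hooks and is the class named in the security domain's login configuration.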
-
3. Re: custom login module using AbstractServerLoginModule
ahardy66 Mar 16, 2004 8:25 AM (in response to ahardy66)
I'm with you so far. I have logging on trace and I can see it all happening, and it succeeded, stone the crows.
BUT then having surmounted that hurdle, it fell at the next one. Tomcat threw a 403 access denied error on the protected pages.
So, the roles must be up the creek. I was using AbstractServerLoginModule.createGroup() to create my 'Roles' group, which puts a nestableGroup in the Subject, and tomcat can't handle it.
That is actually recommended by the javadoc for createGroup(), that I should use the method.
But I abandoned it and created a SimpleGroup instead - safely or not, I'm not sure. No doubt when I come to secure the EJB layer, it may come back to haunt me. Am I OK or am I still doing it wrong? -
4. Re: custom login module using AbstractServerLoginModule
ahardy66 Mar 16, 2004 10:06 AM (in response to ahardy66)
Here's the code in my subclass:

/**
 * This is required by the parent class. It puts the gargantus role
 * objects which we fetched during login() into a group
 * for the parent class to commit.
 * @return group array containing the Roles group
 */
protected Group[] getRoleSets() throws LoginException {
    log.trace("getRoleSets() returning " + this.roles.toString());
    Group groups[] = new Group[1];
    Set principals = super.subject.getPrincipals();
    //next line creates NestedGroup - tomcat doesn't see it
    //groups[0] = super.createGroup("Roles", principals);
    //next 2 lines instead of JBoss superclass:
    groups[0] = new SimpleGroup("Roles");
    principals.add(groups[0]);
    for (int x = 0; x < roles.size(); x++) {
        GargantusRole role = (GargantusRole) this.roles.get(x);
        groups[0].addMember(new NestablePrincipal(role.getName()));
    }
    log.trace("adding our roles to subject");
    return groups;
}

I get the following trace from the security manager afterwards that confirms this: (when using super.createGroup(), the roles trace shows no roles)

TRACE [org.jboss.security.plugins.JaasSecurityManager.GargantusRealm] updateCache, subject=Subject: Principal: GargantusUser: adam Principal: Roles(members:user,admin,manager)
-
5. Re: custom login module using AbstractServerLoginModule
ahardy66 Mar 19, 2004 9:37 AM (in response to ahardy66)
It seems to work the way I have programmed it, which violates what the javadoc in the AbstractServerLoginModule class tells me to do.
Is the AbstractServerLoginModule wrong when it nests the Roles group within another nestable group?
It doesn't show up correctly in the logging - the log statement above is my implementation's output. When I don't override AbstractServerLoginModule's default roles method, then the logging shows no roles added.
There must be something wrong with it or my implementation. I don't see this as acceptable.
Adam -
6. Re: custom login module using AbstractServerLoginModule
ahardy66 Mar 21, 2004 6:16 PM (in response to ahardy66)
Basically I am trying to establish whether this is a bug in the class, a deficiency in the documentation, or a bug in my code.
To summarise:
AbstractServerLoginModule.createGroup() creates Roles that tomcat cannot handle, leading to no roles being loaded for the user.