3 Replies Latest reply on Oct 28, 2004 4:52 PM by starksm64

Questions about Custom Login Modules

minmay Oct 25, 2004 1:56 PM

Hello JBoss Community,

I'm in the middle of developing my own custom login
module for JBoss, due to unique security environments
within my organization.

I posted earlier to Beginner's Corner, but I realize
that this really isn't a beginner's question.

I implemented an extension of AbstractServerLoginModule.

I stepped through the code with my remote debugger.

I noticed that the username and passwords are stored
in the call back handler, not in the shared state map.

Then I look at the JBoss code on sourceforge cvs.

I'm afraid to use the UsernamePasswordLoginModule because
it has Strings for username and password in one method.

Is that secure?

Then I browse through the other classes, and it there seems to
be this notion of a shared state map that stores the username
and password. What is the purpose of that construct?
Isn't that a security hole? I am guessing that it is not, but I want
to know why.

Also, what's the purpose of isFirstPass?

Thank you.

-M

1. Re: Questions about Custom Login Modules

minmay Oct 25, 2004 4:50 PM (in response to minmay)

Also...

After further investigation of the AbstractServerLoginModule
class, the javadoc documentation for the class states that:

You may also wish to override

public boolean login() throws LoginException

In which case the last line of your login() method should be

return super.login();

How can that possibly be an accurate statement since
AbstractServerLoginModule.login() will return false unless
the identity and credentials are stored in the sharedStatemap,
and there also are no mechanisms to standardize the "firstPass"
feature that places the information in the sharedStatemap.

Are these accurate statements, or am I reading this all wrong?

I am beginning to think that super.login() should be the first
value in the login method, if called at all. Example:

Why would we need the useFirstPass feature?

What is it? What is the benefit?
Actions
2. Re: Questions about Custom Login Modules

leathurman Oct 26, 2004 6:47 AM (in response to minmay)

Hi Minmay.

I too noticed the discrepency regarding super.login. I actually made this the first call in my login module (subclass of abstractServerLoginModule). I notice that the UsernamePasswordLogin module also calls it first.

As far as my understyanding goes (which is not very far as we dont support this yet) the shared state map is for password stacking i.e when you have multiple modules and you want the username/password to be passed through. I guess the useFirstPass mean use the username and password from the first login module.

I currently dont stack them so its not a problem for me.

Regards
Lea.
Actions

3. Re: Questions about Custom Login Modules

starksm64 Oct 28, 2004 4:52 PM (in response to minmay)

This is the current javadoc for AbstractServerLoginModule so whatever your looking at is out of date.

 /** Looks for javax.security.auth.login.name and javax.security.auth.login.password
 values in the sharedState map if the useFirstPass option was true and returns
 true if they exist. If they do not or are null this method returns false.

 Note that subclasses that override the login method must set the loginOk
 ivar to true if the login succeeds in order for the commit phase to
 populate the Subject. This implementation sets loginOk to true if the
 login() method returns true, otherwise, it sets loginOk to false.
 */

Go to original post