9 Replies Latest reply on Nov 26, 2004 12:13 PM by drpizza

    Custom LoginModule is rejected by jboss

    zsoltvincze

      I've written a custom LoginModule that extends javax.security.auth.spi.LoginModule.

      Now, I'm testing this by using it to authenticate the jms-console.

      I changed the relevant section in login-config.xml so that my login module would be used.

      In the loginmodule's commit method I add a new Principal to the subject which is named as "JBossAdmin".

      When I access the console, my login module logs that the user is verified and that the JBossAdmin principal was added to the subject.

      So to me everything is as I think it should be but jboss still rejects the request with a
      "Access to the requested resource has been denied"
      message after I enter my credentials.

      Could somebody help to determine where the problem is?


      login-config.xml

      <application-policy name="jmx-console">
        <login-module code="test.sec.TestLoginModule" flag="required">
        </login-module>
      </application-policy>


        • 1. Re: Custom LoginModule is rejected by jboss
          zsoltvincze

          Problem solved. I had to modify the commit() method of my login module as follows:

          ************
          // group that carries the roles; JBoss looks for a Group named "Roles"
          TestGroup roles = new TestGroup("Roles");

          // the caller's identity principal
          TestPrincipal user = new TestPrincipal(username);

          // the role itself is a member of the group, not a top-level principal
          roles.addMember(new TestPrincipal("JBossAdmin"));

          subject.getPrincipals().add(user);
          subject.getPrincipals().add(roles);
          ************
          Was I blind never to have seen the need for the first line? It seemed to me that all the materials only said to add the role as a principal to the subject's principals.

          Is the above based on standard j2ee or this is jboss specific?

          • 2. Re: Custom LoginModule is rejected by jboss

            I'm trying to create a custom Principal too.
            I must simply:
            1) write my new principal that implements Principal and java.io.Serializable
            2) override the AbstractServerLoginModule's commit() method in my new LoginModule with the lines specified in your post

            Right? Other steps needed? I must create a Group class too?

            Thanks for any help!
            Gio

            • 3. Re: Custom LoginModule is rejected by jboss
              zsoltvincze

              Yes, in order to make jboss aware of the role, that was the only solution I could use. The TestGroup class used in the example is a user class, so yes, you will have to code one too.

              However, now I'm going further and I'd like to use the roles in struts but it does not recognize them.

              I've checked the request.isUserInRole method and it returns false.

              Could someone from jboss comment on this? I mean, is it how it should be? Jboss is able to verify my credentials but the request does not know about it?

              • 4. Re: Custom LoginModule is rejected by jboss

                I'd like to write (maybe with someone with more knowledge) a "Custom Principal HOWTO"...

                • 5. Re: Custom LoginModule is rejected by jboss
                  starksm64

                  There are no requirements for the Subject defined in the J2EE specs. We have defined our Subject usage pattern in the online devel guide. The custom principal usage is illustrated in the JBossSX wiki section:

                  http://www.jboss.org/wiki/Wiki.jsp?page=UsingCustomPrincpalsWith

                  • 6. Re: Custom LoginModule is rejected by jboss
                    zsoltvincze

                    http://www.jboss.org/index.html?module=bb&op=viewtopic&t=54470

                    answers the question about struts and about request.isUserInRole

                    I'm still hesitant to believe that the roles have to be attached to a group that is specifically called "Roles".
                    If anybody could point to any JAAS/J2EE standards on this, I would very much appreciate it.

                    • 7. Re: Custom LoginModule is rejected by jboss
                      zsoltvincze

                      Thanks Scott, I only saw your reply after posting mine.

                      Based on the reference, the way I read it, the requirement to specify roles
                      "Group roles = new SimpleGroup("Roles");"
                      is jboss specific.

                      • 8. Re: Custom LoginModule is rejected by jboss
                        starksm64

                        There is no standard that defines how to use a JAAS Subject for authorization prior to J2EE 1.4 so jboss defined a mechanism that uses a java.security.acl.Group named 'Roles' as the location for the declarative roles. J2EE 1.4 defines a new JACC permission based contract for specifying how to delegate the authorization checks. Support for this exists in jboss-4.0.x.
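
                        The following is an added example, not code from this thread or from JBoss, that puts reply 1's fix, the steps Gio asks about in reply 2, and the mechanism Scott describes here into one runnable file. TestPrincipal and TestGroup are stand-ins for the poster's own user classes (JBoss ships org.jboss.security.SimplePrincipal and SimpleGroup for the same purpose); the user/password/role table, the hardcoded callback handler and the hasRole() lookup are constructed for the example and are a simplification of what the container does, not JBoss code. It needs java.security.acl.Group, which was removed in Java 14, so compile it with Java 13 or earlier.

```java
import java.io.Serializable;
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class RolesLoginModuleExample {

    // Step 1 from reply 2: a Principal that is also Serializable so it can travel with the Subject.
    static class TestPrincipal implements Principal, Serializable {
        private final String name;
        TestPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) { return o instanceof TestPrincipal && name.equals(((TestPrincipal) o).name); }
        public int hashCode() { return name.hashCode(); }
        public String toString() { return name; }
    }

    // The user-written Group class reply 3 says you need; membership is by Principal equality.
    static class TestGroup implements Group, Serializable {
        private final String name;
        private final Set<Principal> members = new HashSet<Principal>();
        TestGroup(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean addMember(Principal p) { return members.add(p); }
        public boolean removeMember(Principal p) { return members.remove(p); }
        public boolean isMember(Principal p) { return members.contains(p); }
        public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
    }

    // Step 2: the LoginModule. Implemented directly against the JAAS SPI rather than JBoss's
    // AbstractServerLoginModule so the file compiles without JBoss on the classpath.
    static class TestLoginModule implements LoginModule {
        // Constructed credential store standing in for whatever the real module verifies against.
        private static final Map<String, String> PASSWORDS = Collections.singletonMap("admin", "admin-secret");
        private static final Map<String, String[]> ROLES = Collections.singletonMap("admin", new String[] {"JBossAdmin"});

        private Subject subject;
        private CallbackHandler handler;
        private String username;
        private boolean loginOk;

        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] {nc, pc}); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            char[] pw = pc.getPassword();
            String expected = PASSWORDS.get(nc.getName());
            loginOk = expected != null && pw != null && Arrays.equals(expected.toCharArray(), pw);
            pc.clearPassword();
            if (!loginOk) throw new FailedLoginException("bad user or password");
            username = nc.getName();
            return true;
        }

        // Reply 1's fix: the caller identity goes in directly; roles go inside a Group named "Roles".
        public boolean commit() {
            if (!loginOk) return false;
            TestGroup roles = new TestGroup("Roles");
            for (String r : ROLES.get(username)) roles.addMember(new TestPrincipal(r));
            subject.getPrincipals().add(new TestPrincipal(username));
            subject.getPrincipals().add(roles);
            return true;
        }
        public boolean abort() { loginOk = false; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    // Simplified form of the pre-JACC check Scott describes: locate the Group named "Roles" among
    // the Subject's principals and test membership. A role added as a bare principal (the
    // original attempt) is never consulted here, which is why the jmx-console denied access.
    static boolean hasRole(Subject subject, String role) {
        for (Group g : subject.getPrincipals(Group.class)) {
            if ("Roles".equals(g.getName())) return g.isMember(new TestPrincipal(role));
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        CallbackHandler handler = new CallbackHandler() {  // constructed: answers with fixed credentials
            public void handle(Callback[] cbs) {
                for (Callback cb : cbs) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName("admin");
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("admin-secret".toCharArray());
                }
            }
        };
        Subject fixed = new Subject();
        TestLoginModule lm = new TestLoginModule();
        lm.initialize(fixed, handler, new HashMap<String, Object>(), new HashMap<String, Object>());
        lm.login();
        lm.commit();
        System.out.println("JBossAdmin via Roles group:   " + hasRole(fixed, "JBossAdmin"));

        Subject original = new Subject();  // the first attempt from the opening post
        original.getPrincipals().add(new TestPrincipal("JBossAdmin"));
        System.out.println("JBossAdmin as bare principal: " + hasRole(original, "JBossAdmin"));
    }
}
```

                        Running main() contrasts the two Subjects: the one populated by commit() satisfies the "Roles" lookup, while the one that only carries JBossAdmin as a top-level principal does not, which matches the behaviour reported in the opening post. In a real deployment you would register the module in login-config.xml exactly as the poster did and let the container drive login()/commit() through its own CallbackHandler.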

                        • 9. Re: Custom LoginModule is rejected by jboss
                          drpizza


                          J2EE 1.4 defines a new JACC permission based contract for specifying how to delegate the authorization checks. Support for this exists in jboss-4.0.x.

                          How does one use this? I've read all I can find about JACC (the spec, the JBoss wiki, etc.), but I'm still frankly nonplussed.