0 Replies Latest reply on May 9, 2005 10:06 AM by optimusprime

    Problems with JAAS

    optimusprime

      Hello there! Well, I'm trying to use a custom authentication method. I read the JAAS developer guide as well as the LoginModule developer guide. I have a custom LoginModule that extends UsernamePasswordLoginModule. My "solution", when used combined with j_security_check, works nicely.
      The problem is I must have more fine-grained control, something that j_security_check won't provide. One of my requirements is: if the password is expired, redirect to a change password screen.
      OK, as my solution works OK with j_security_check, I don't believe my problem lies within the LoginModule itself.
      So I designed a POJO that is accessed by my SessionFaçade that does the trick. Here's a piece of the code:

      import java.security.Principal;
      import java.security.PrivilegedAction;
      import java.util.Set;
      import javax.security.auth.Subject;
      import javax.security.auth.login.LoginContext;
      import javax.security.auth.login.LoginException;
      import org.jboss.security.SimplePrincipal;
      import org.jboss.security.auth.callback.SecurityAssociationHandler;

      // Usuario, LookupManager, LoginAction, LoginFailedException and MyException are
      // application classes not shown in this post; the method name is assumed.
      public Usuario autenticar(String username, String password) throws LoginFailedException {
          // JBoss callback handler that answers the LoginModule's name/password callbacks
          Principal user = new SimplePrincipal(username);
          SecurityAssociationHandler handler = new SecurityAssociationHandler();
          handler.setSecurityInfo(user, password.toCharArray());
          Usuario usuario = null;
          LookupManager lookup = new LookupManager();
          try {
              // "MyLoginModule" is the application-policy name from login-config.xml
              LoginContext lc = new LoginContext("MyLoginModule", handler);
              lc.login();
              Subject subject = lc.getSubject();
              Set principals = subject.getPrincipals(); // not used further
              // run the privileged action with the authenticated Subject
              PrivilegedAction action = new LoginAction();
              Subject.doAs(subject, action);
              // load the application user record and its permissions
              usuario = new Usuario();
              usuario.setLogin(username);
              usuario = lookup.getUsuarioPorLogin(usuario);
              usuario.setPermissoes(lookup.getPermissoesPorUsuario(usuario));
          } catch (LoginException e) {
              if (e instanceof LoginFailedException) {
                  throw (LoginFailedException) e;
              } else {
                  throw new RuntimeException(e);
              }
          } catch (MyException e) {
              throw new LoginFailedException(e);
          }
          return usuario;
      }

      OK, so I get a handler and set the username and password on it, pass it to my LoginModule and call login on my LoginContext.
      LoginOk is set to true, so everything is OK, right?
      Well, as Ed Roman said in his 15 steps to JAAS, the last step is to call a privileged action, and after that the security constraints are propagated across the container. Well, this is NOT happening. The user is not authenticated; it is re-sent to the login screen over and over.
      Could someone please give me some guidelines on it? Has someone used it without j_security_check?

      Here's some info:

      web.xml:

      <security-constraint>
          <web-resource-collection>
              <web-resource-name>JSP</web-resource-name>
              <description>Arquivos JSP</description>
              <url-pattern>*.jsp</url-pattern>
              <http-method>POST</http-method>
              <http-method>GET</http-method>
          </web-resource-collection>
          <auth-constraint>
              <description>usuarios permitidos</description>
              <role-name>Administrador</role-name>
          </auth-constraint>
          <user-data-constraint>
              <description>Encryption is not required for the application in general. </description>
              <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
      </security-constraint>
      <security-constraint>
          <web-resource-collection>
              <web-resource-name>Actions</web-resource-name>
              <description>Actions</description>
              <url-pattern>*.do</url-pattern>
              <http-method>POST</http-method>
              <http-method>GET</http-method>
          </web-resource-collection>
          <auth-constraint>
              <description>usuarios permitidos</description>
              <role-name>Administrador</role-name>
          </auth-constraint>
          <user-data-constraint>
              <description>Encryption is not required for the application in general. </description>
              <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
      </security-constraint>
      <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>MyLoginModule</realm-name>
          <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/error.jsp</form-error-page>
          </form-login-config>
      </login-config>

      jboss-web.xml:

      <security-domain>java:/jaas/MyLoginModule</security-domain>

      Login.java (Servlet):

      protected void doPost(HttpServletRequest request, HttpServletResponse response)
              throws ServletException, IOException {
          String username = request.getParameter("login");
          String password = request.getParameter("password");
          RequestDispatcher dispatcher = null;
          ControlarAcessoSistemaDelegate delegate = new ControlarAcessoSistemaDelegate();
          HttpSession session = request.getSession();
          try {
              // the business delegate ends up in the LoginContext POJO shown above
              Usuario usuario = delegate.autenticar(username, password);
              session.setAttribute("usuario", usuario);
              PermissionsAdapter permissions = new MyPermissionsAdapter(
                      (MenuRepository) session.getServletContext().getAttribute(MenuRepository.MENU_REPOSITORY_KEY),
                      usuario);
              session.setAttribute("permissions", permissions);
              dispatcher = request.getRequestDispatcher("/xyz/controlaracessosistema/login.do");
          } catch (LoginFailedException e) {
              // back to the login form on failure
              dispatcher = request.getRequestDispatcher("/login.jsp");
          }
          dispatcher.forward(request, response);
      }

      login-config.xml:

      <application-policy name="MyLoginModule">
          <authentication>
              <login-module code="com.xyz.abc.autenticacao.MyLoginModule" flag="required">
                  <module-option name="dsJndiName">java:MsSqlServerDS</module-option>
                  <module-option name="usersQuery">select usua_tx_senha from usuario where usua_nm_login_usu = ?</module-option>
              </login-module>
          </authentication>
      </application-policy>

      Any help would be very, very appreciated.
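The following is an added, self-contained example (plain JDK, Java 18 or newer, no JBoss classes; it is not code from the post above) that illustrates two JAAS behaviours the post touches on. First, a LoginContext login followed by Subject.callAs (the non-deprecated successor of Subject.doAs) associates the Subject only with the code running inside that call on that thread; Subject.current() is null before and after it, so nothing outside the call, including a servlet container's own record of who is logged in for an HTTP session, learns about the login. Second, a LoginModule can report an expired password with javax.security.auth.login.CredentialExpiredException, a distinct LoginException subclass that a servlet can catch separately from FailedLoginException. The in-memory user table, the class names JaasScopeDemo, DemoLoginModule and DemoPrincipal, and the policy name "demo" are all constructed for this example.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasScopeDemo {

    // Constructed sample user table for the example: login -> {password, "expired" flag}.
    static final Map<String, String[]> USERS = Map.of(
            "alice", new String[] {"s3cret", "false"},
            "bob",   new String[] {"old-pass", "true"});

    record DemoPrincipal(String name) implements Principal { public String getName() { return name; } }

    /** Minimal LoginModule: a wrong password fails, an expired one raises its own exception type. */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("login: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] {nc, pc});
            } catch (java.io.IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback handling failed: " + e);
            }
            String login = nc.getName();
            String[] rec = login == null ? null : USERS.get(login);
            char[] pw = pc.getPassword();
            pc.clearPassword();
            if (rec == null || pw == null || !rec[0].equals(new String(pw))) {
                throw new FailedLoginException("bad credentials");
            }
            if (Boolean.parseBoolean(rec[1])) {
                // Distinct LoginException subclass, so a caller can branch on it (e.g. redirect).
                throw new CredentialExpiredException("password expired for " + login);
            }
            user = login;
            return true;
        }

        public boolean commit() {
            if (user == null) return false;
            subject.getPrincipals().add(new DemoPrincipal(user));
            return true;
        }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    // Programmatic equivalent of an <application-policy> entry, so no config file is needed.
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())};
            }
        };
    }

    // Answers the name/password callbacks, the role SecurityAssociationHandler plays in JBoss.
    static CallbackHandler handler(String login, String password) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback n) n.setName(login);
                else if (c instanceof PasswordCallback p) p.setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("demo", new Subject(), handler("alice", "s3cret"), config());
        lc.login();
        Subject subject = lc.getSubject();
        System.out.println("principals after login: " + subject.getPrincipals());
        // No Subject is associated with the calling thread outside callAs/doAs.
        System.out.println("Subject.current() outside callAs: " + Subject.current());
        // Inside callAs the Subject is visible, but only to this call on this thread.
        String seen = Subject.callAs(subject, () -> String.valueOf(Subject.current().getPrincipals()));
        System.out.println("Subject.current() inside callAs: " + seen);
        // An expired password surfaces as its own exception type, separate from a bad password.
        try {
            new LoginContext("demo", new Subject(), handler("bob", "old-pass"), config()).login();
        } catch (CredentialExpiredException e) {
            System.out.println("would redirect to change-password page: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac JaasScopeDemo.java && java JaasScopeDemo`. The first two lines of output show a Subject holding DemoPrincipal[name=alice] but Subject.current() printing null, and only the callAs line sees the principal; the last line shows the expired-password case arriving as CredentialExpiredException. In a web application the container's FORM login (j_security_check) is what records the authenticated principal for the HTTP session and then enforces the <security-constraint> entries; a LoginContext run from application code on its own does not update that record, which is why the container keeps redirecting to the login page even though lc.login() succeeded.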