Webapp Auth/Auth with Custom LoginModule Principals
gkushida Apr 11, 2006 9:13 PM

I'm trying to port an existing web application from Tomcat (5.5.16) to JBoss (4.0.3rc1). This app uses an existing JAAS LoginModule, which uses custom User and Role principals. I am currently trying to get JBoss to propagate these custom Principal implementations to my webapp. The sticking point, I think, is that I don't know where to define the custom userClass and roleClass returned by my custom LoginModule.
In Tomcat, I had to upgrade to 5.5.16 to get this to work, so it's entirely possible that this will not work in the current JBoss version. My Tomcat server.xml has a (sanitized) Realm definition like this:
<Realm className="org.apache.catalina.realm.JAASRealm" debug="0" appName="FooLogin" userClassNames="com.foo.jaas.FooUser" roleClassNames="com.foo.jaas.FooRole" resourceName="FooRealm" useContextClassLoader="true"/>
As well as a jaas.config file:
FooLogin { com.foo.jaas.FooLoginModule required; };
I set up a similar configuration in JBoss: conf/foo-login-config.xml (loaded by deploy/foo-login-config-service.xml)
<application-policy name="FooRealm">
    <authentication>
        <login-module code="com.foo.jaas.FooLoginModule" flag="required"/>
    </authentication>
</application-policy>
But I am not sure how to indicate that JAAS should use my FooUser and FooRole classes. The closest thing I could find is here:
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=45724&postdays=0&postorder=asc&start=10
which sets a "principalClass" module-option for UsersRolesLoginModule (among other things):
<module-option name = "principalClass">org.jboss.test.security.ejb.CustomPrincipalImpl</module-option>
I've seen similar configurations in other posts, but they all use LoginModules that extend some JBoss login module (generally the database one). However, this won't work for me for several reasons:
- My LoginModule doesn't extend JBoss classes
- My custom User and Role classes are not the same class, although they are both Principals
Am I trying to do something that is just not possible?
When doing this in Tomcat, I had to upgrade to 5.5.16 to get the custom userClassNames and roleClassNames attributes in the Realm definition to actually work. It's possible that I'm running into the same thing with the bundled tomcat (5.5.9 I believe). But I'm not sure, because that particular bug was fixed in the org.apache.catalina.realm.JAASRealm implementation, which I don't think is in play here.
Any help would be appreciated, thanks!
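A JAAS LoginModule that exposes the custom principals in a form both containers recognise, as an added example in Java that is not the poster's code: Tomcat's JAASRealm picks the user and role Principals out of the Subject by the classes named in userClassNames/roleClassNames, while JBoss 4's JaasSecurityManager reads the roles from a java.security.acl.Group named "Roles" in the Subject, so a module that populates both needs no principalClass module-option. The FooUser/FooRole class names are taken from the post; the in-memory credential store and the SimpleGroup helper are constructed for this example.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Stand-ins for the poster's com.foo.jaas.FooUser / FooRole (names taken from the post, bodies assumed).
class FooUser implements Principal {
    private final String name; FooUser(String n) { name = n; } public String getName() { return name; }
}
class FooRole implements Principal {
    private final String name; FooRole(String n) { name = n; } public String getName() { return name; }
}
// Minimal Group implementation (constructed): JBoss 4 collects roles from a Group named "Roles".
class SimpleGroup implements Group {
    private final String name; private final Set<Principal> members = new HashSet<Principal>();
    SimpleGroup(String n) { name = n; }
    public String getName() { return name; }
    public boolean addMember(Principal p) { return members.add(p); }
    public boolean removeMember(Principal p) { return members.remove(p); }
    public boolean isMember(Principal p) { return members.contains(p); }
    public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
}
public class FooLoginModule implements LoginModule {
    // Constructed in-memory store for the example: user -> {password, role...}; a real module uses its own backend.
    private static final Map<String, String[]> STORE = new HashMap<String, String[]>();
    static { STORE.put("alice", new String[] {"s3cret", "admin", "user"}); }
    private Subject subject; private CallbackHandler handler; private String user; private List<String> roles;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] {nc, pc}); } catch (Exception e) { throw new LoginException(e.toString()); }
        String[] rec = STORE.get(nc.getName());
        char[] pw = pc.getPassword(); pc.clearPassword();
        if (rec == null || pw == null || !Arrays.equals(rec[0].toCharArray(), pw)) throw new FailedLoginException("bad credentials");
        user = nc.getName(); roles = Arrays.asList(rec).subList(1, rec.length); return true;
    }
    public boolean commit() {
        Set<Principal> ps = subject.getPrincipals();
        ps.add(new FooUser(user));              // Tomcat JAASRealm: matched via userClassNames
        Group g = new SimpleGroup("Roles");     // JBoss JaasSecurityManager: roles are read from this group
        for (String r : roles) { FooRole role = new FooRole(r); ps.add(role); g.addMember(role); } // roleClassNames
        ps.add(g); return true;
    }
    public boolean abort() { user = null; roles = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

The application-policy from the post already loads this module; the principalClass option is only relevant to JBoss's own login modules, which this one does not extend.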