13 Replies Latest reply on May 11, 2006 1:23 PM by anil.saldhana

    How to enable 3 login parameters

    hillel

      Hi,

      We need help on how to enable three login parameters i.e

      username:
      companyname:
      password:

      Which configuration files allow this or must one override the JBoss modules?

      For the databaseloginmodule you can change it to allow 3 login parameters but the second security verification called 'client-login', seems to have been written to only handle a single username and a single credential which up to now has been the password.

      Any help greatly appreciated.

        • 1. Re: How to enable 3 login parameters
          j2ee_junkie

          hillel,

I would be real interested in seeing how others answer this question. I do not think it can be done. However, one hack that I just came up with would be to submit your username as say 'username@company'. Then extend the necessary login modules to parse the username.

          later, cgriffith

          • 2. Re: How to enable 3 login parameters
            hillel

            Hi,

It's just surprising that JBoss does not have the built-in functionality to have more than one login parameter. If there is only a username and password login option, then you can get into the hotmail scenario where you can't find the username you want. If you use a company name as well, the usernames only need to be unique within a company name, but can be the same across different company names.

I hope one of the JBoss developers will answer.

            Rgds

            • 3. Re: How to enable 3 login parameters
              anil.saldhana

              There are two approaches to web security:
              a) J2EE standard specified container based security.
              b) Developer/company/application based security.

              What you are asking is b). When a) is done, you are given portability.

              JBoss (Tomcat internally) just provides the username/password based security as part of the FORM based authentication as specified by the servlet spec.

              You can follow Chris's (j2ee_junkie) suggestion. But the main thing to remember is that what you are asking is not specified in any spec.

              • 4. Re: How to enable 3 login parameters
                j2ee_junkie

                Anil,

Are you saying that when a Java EE standard spec. container based security is done it will allow for such adaptability?

                cgriffith

                • 5. Re: How to enable 3 login parameters
                  hillel

                  Hi,

                  So you are saying there are no configuration files to enable this and we have to find a way to include the customer name in the username if we want to use J2EE standard specified container based security?

                  Thanks

                  • 6. Re: How to enable 3 login parameters
                    anil.saldhana

                    A way to do this, starting 4.0.4.GA is to provide your own authenticator for FORM based authentication.

                    http://wiki.jboss.org/wiki/Wiki.jsp?page=ExternalizeTomcatAuthenticators

                    Your authenticator can weave in authentication to include the 3rd parameter, along with the standard authentication. Your authenticator will extend the FORM authenticator and will have to override the following method:
                    http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/authenticator/AuthenticatorBase.html#authenticate(org.apache.catalina.connector.Request,%20org.apache.catalina.connector.Response,%20org.apache.catalina.deploy.LoginConfig)

                    Your 3rd parameter will be available in the Catalina Request object. Note that you will need to retain the standard form in your html/jsp page while having a custom parameter.

                    I have said enough. Maybe somebody else (Chris??) can expand on this.

                    If what I am saying is convoluted, do application based security.

                    • 7. Re: How to enable 3 login parameters
                      jrosenblitt

                      Hi

                      This is the actual problem we are encountering. We are using Jaas for login to the web container and to the ejb container. I have used the DatabaseServerLoginModule without any changes up to now. The initial logon page causes the DatabaseServerLoginModule to be called and then the first call to an ejb causes the DatabaseServerLoginModule to be called a second time after which the caching kicks in. This all works fine.

Now we would like to add a third parameter (username, password, reference) into the login process. I have changed my callback handler to accommodate this and am using the ObjectCallback to hold the reference. I have changed the DatabaseServerLoginModule and UsernamePasswordLoginModule to accommodate the new parameter. The initial logon to the web container works fine but the second login call to the ejb container fails.

I am aware that the Login Modules from JBoss which I am using were only written to accommodate the username and password. As far as I can ascertain the reason that the second login fails is that the ClientLoginModule is not passing the third parameter, and the SecurityAssociationHandler puts the password into the ObjectCallback and not the reference which is what I want. I also don't know at this stage how to call another method in the SecurityAssociationHandler that will handle 3 parameters.

                      So my problem here seems to be that I can't get my third parameter through the login process. I have tried to add it to the Subject as a new Principal without success. I have also tried to add it to the sharedState without success.

                      So my questions are
                      Can I override the ClientLoginModule with a new one.
                      Can I override the SecurityAssociationHandler.
                      Can I easily configure security to use the new modules.
                      Does my approach make any sense.
                      Am I on the right track or am I tackling something I should leave alone.
                      Can I just set the third parameter by calling the SecurityAssociation and then override the SecurityAssociationHandler to handle the third parameter.

                      • 8. Re: How to enable 3 login parameters
                        j2ee_junkie

                        Hey Gang,

What Anil has started is correct. Extending an Authenticator can allow you to customize obtaining authentication data in Tomcat from a Request/Session. More problems pop up down the road however that make this almost impossible to do without modifying JBossSX extensively.

For example, your custom authenticator then needs to refer authentication/authorization (A/A) to a realm. Thus, the realm needs to be extended to account for additional authentication data. That said, the extended realm (which should extend org.jboss.web.tomcat.security.JBossSecurityMgrRealm) is just an interface to a security manager (usually the org.jboss.security.plugins.JAASSubjectSecurityManager) through the isValid(Principal principal, Object credential, Subject activeSubject) method call. So to include an additional authentication data item would require extending this class. I could go on about all the classes that would need to be changed to handle this, but I won't.

I was hoping (even though I have not taken the time to investigate this for myself) that the work Anil has done to design/develop the next generation of JBossSX (http://jira.jboss.com/jira/browse/JBAS-2525) to implement JSR-196 would allow for such adaptability. Please say this is so Anil?

                        Back to the problem at hand...

I would suggest doing one of two things. First try to combine your extra data into either the username or the password fields. Another less attractive approach would be to create a custom LoginModule with a ThreadLocal variable that could be set by a custom Authenticator. If you would like more detail, let me know.

                        good luck and have a great day, cgriffith


                        • 9. Re: How to enable 3 login parameters
                          j2ee_junkie

                          Hey, I just realized something over a good bowl of oatmeal.

I overlooked something that would not work for my environment, but could help you hillel. You could extend the FormAuthenticator as Anil has stated. Then extend the JBossSecurityMgrRealm by the addition of an authenticate(String username, Object credential) method. The credential could then be a custom object you create that has password and company fields. Let me know if you need more detail, and sorry for overlooking this the first time.

                          later, cgriffith

                          • 10. Re: How to enable 3 login parameters
                            anil.saldhana

                            "jrosenbl" wrote:
                            Hi

                            This is the actual problem we are encountering. We are using Jaas for login to the web container and to the ejb container. I have used the DatabaseServerLoginModule without any changes up to now. The initial logon page causes the DatabaseServerLoginModule to be called and then the first call to an ejb causes the DatabaseServerLoginModule to be called a second time after which the caching kicks in. This all works fine.

Now we would like to add a third parameter (username, password, reference) into the login process. I have changed my callback handler to accommodate this and am using the ObjectCallback to hold the reference. I have changed the DatabaseServerLoginModule and UsernamePasswordLoginModule to accommodate the new parameter. The initial logon to the web container works fine but the second login call to the ejb container fails.

I am aware that the Login Modules from JBoss which I am using were only written to accommodate the username and password. As far as I can ascertain the reason that the second login fails is that the ClientLoginModule is not passing the third parameter, and the SecurityAssociationHandler puts the password into the ObjectCallback and not the reference which is what I want. I also don't know at this stage how to call another method in the SecurityAssociationHandler that will handle 3 parameters.

                            So my problem here seems to be that I can't get my third parameter through the login process. I have tried to add it to the Subject as a new Principal without success. I have also tried to add it to the sharedState without success.

                            So my questions are
                            Can I override the ClientLoginModule with a new one.
                            Can I override the SecurityAssociationHandler.
                            Can I easily configure security to use the new modules.
                            Does my approach make any sense.
                            Am I on the right track or am I tackling something I should leave alone.
                            Can I just set the third parameter by calling the SecurityAssociation and then override the SecurityAssociationHandler to handle the third parameter.


                            Why not just do your application based security?

                            • 11. Re: How to enable 3 login parameters
                              jrosenblitt

                              We concatenated the username and the third parameter and it works quite nicely. I had to make minor changes to DatabaseServerLoginModule and the Util class to split the string and to pass the extra parameter to the sql. The one thing to watch for so far is the string returned from a getPrincipal call.

Not the most elegant solution but I think the simplest within our time constraints.

                              thanks guys
                              jonathan
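The concatenation workaround described in replies 1 and 11, as an added example that is not code from this thread, from JBoss or from Tomcat: a plain-JDK JAAS LoginModule that takes the combined "user@company" value from the NameCallback, splits it into user and company, and checks the pair against a constructed in-memory store scoped per company. The class name, the store contents and the '@' separator are assumptions.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;

public class CompanyLoginModule implements LoginModule {
    // Constructed sample store: company -> (user -> password). "alice" exists in both
    // companies, which is exactly the case the thread wants to support.
    private static final Map<String, Map<String, String>> USERS =
        Map.of("acme", Map.of("alice", "s3cret"), "globex", Map.of("alice", "other"));
    private Subject subject;
    private CallbackHandler handler;
    private String combinedName;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("login: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] {nc, pc}); }
        catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
        String name = nc.getName();
        // Split on the last '@' only and reject an empty user or company part,
        // so inputs like "@acme" or "alice@" can never match a stored entry.
        int at = name == null ? -1 : name.lastIndexOf('@');
        if (at <= 0 || at == name.length() - 1) throw new FailedLoginException("expected user@company");
        String expected = USERS.getOrDefault(name.substring(at + 1), Map.of()).get(name.substring(0, at));
        char[] pw = pc.getPassword() == null ? new char[0] : pc.getPassword();
        byte[] given = new String(pw).getBytes(StandardCharsets.UTF_8);
        pc.clearPassword();
        // Constant-time comparison of the stored and supplied password bytes.
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), given))
            throw new FailedLoginException("unknown user/company or bad password");
        combinedName = name;
        return true;
    }

    // As reply 11 warns, getPrincipal() will now yield the combined "user@company" string,
    // so anything that displays or compares the principal name must expect that form.
    public boolean commit() { subject.getPrincipals().add((Principal) () -> combinedName); return true; }
    public boolean abort() { combinedName = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

To exercise it, register the class in a JAAS Configuration entry and drive it with a LoginContext whose CallbackHandler answers the NameCallback with "alice@acme" and the PasswordCallback with the matching password.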

                              • 12. Re: How to enable 3 login parameters
                                j2ee_junkie

                                Anil,

                                In your statements...

                                There are two approaches to web security:
                                a) J2EE standard specified container based security.
                                b) Developer/company/application based security

                                and
                                Why not just do your application based security?

                                what do you mean by application based security?

                                cgriffith

                                • 13. Re: How to enable 3 login parameters
                                  anil.saldhana

                                  "j2ee_junkie" wrote:
                                  Anil,
                                  what do you mean by application based security?


                                  Turn off container based security and do your own security via filters and servlets.