Integration of Custom Client and Server Login Modules
kearns Jul 17, 2006 10:41 AMObjective: to authenticate using a custom client login module and pass the subject, containing the credentials customer ID and NHS #, to a custom server login module. This does no authentication but simple maps the customer ID to a role in order to invoke a secured EJB.
How:
I have listed below 4 different approaches I used.
(1) Created the following components:
? Custom client login module (reference article: All that JASS):
ConsoleCallbackHandler
PassiveCallbackHandler
RdbmsCredential
RdbmsLoginModule
RdbmsPrinciple
? Custom server login module (reference article: Securing EJB Applications with Custom JBoss Login Modules) :
CustomServerLoginModule
? used JBoss client login module to bind subject.
? added RDBMS Login Module (custom client login module) to /example domain in login-conf.xml
? added CustomServerModule to security domain (secureBankDomain) for EJB application
extract from login-config.xml
<application-policy name = "Example">
<login-module code="com.jaas.RdbmsLoginModule" flag = "required">
<module-option name="url">jdbc:mysql://localhost/jaasdb</module-option>
<module-option name="usr">root</module-option>
<module-option name="pwd">steelbus581</module-option>
<module-option name="driver">com.mysql.jdbc.Driver</module-option>
<module-option name="debug">true</module-option>
</login-module>
<login-module code="org.jboss.security.ClientLoginModule"
flag = "required">
</login-module>
</application-policy>
<application-policy name = "SecureBankDomain">
<login-module code="bank.jaas.CustomServerLoginModule" flag = "required">
<module-option name="debug">true</module-option>
</login-module>
</application-policy>
Subsequently realised that the only the username and password handled by the call back is past to the server login module. Therefore this approach would not work.
(2) Pass the credential and principle in initial context e.g. Context.SECURITY_PRINCIPAL prior to getting a reference to the remote EJB.
HashTable props = new HashTable();
props.put( Context.SECURITY_PRINCIPAL,
SecurityAssociation.getPrincipal() );
props.put( Context.SECURITY_CREDENTIALS,
SecurityAssociation.getCredential() );
InitialContext initialContext = new InitialContext( props );
On invoking the server login method it fails as no identity, i.e. Principle, can be found
(3) Created a PrivilegedAction i.e. CallBankMgrGetCustData that would get the EJB reference and execute the method. This also fails as no identity can be found.
(4) Pushed credential and principle onto SecurityAssociation stack. However an error occurred as on the RdbmsPrincipal class could not be found ? no class loader. Then added com.bank.RdbmsCredential and RdbmsPrincipal to server/default/lib as jar. Still the customer server login module fails as no identity, i.e. Principle, can be found.
Question:
What have I not understood or not configured correctly. Or is what I am trying to do not possible. Any help would be appreciated.
References:
All That JASS: http://www.javaworld.com/javaworld/jw-09-2002/jw-0913-jaas_p.html
Writing Custom JAAS Login Modules. 21 Nov 2003. http://www.timfanelli.com/blog/item/custom_jaas_login_modules.html
Securing EJB Applications with Custom JBoss Login Modules. 21 Nov 2003 http://www.timfanelli.com/item/98