12 Replies Latest reply on Nov 13, 2006 9:48 AM by jcollins914

    Attempt to get JBoss to call my custom login module

    jcollins914

      Hello JBoss enthusiasts,

      I am new to JBoss, and am attempting to convince it to respect my custom login module through its implementation of JAAS.

      I have read MANY web sites/forum entries on how to do this, but am sadly missing something(s) about how to complete the endeavor.

      I am developing in Eclipse, and my project consists of an Enterprise .ear file project, encompassing a Dynamic Web Module .war file project.

      I have edited the following files: <war-file-project>/WEB-INF/jboss-web.xml, <war-file-project>/WEB-INF/web.xml, and <jboss.install>/server/default/deploy/conf/login-config.xml. Please see below for details of each.


      I have coded up a custom login module, extending AbstractServerLoginModule, which essentially just hard-codes a user name, (for now, I will doll it up when I can get it called), and adds a role called "Authenticated".

      I added the following content to jboss-web.xml, and sprinkled it into <war-file-project>/WEB-INF, <war-file-project>/META-INF, and <ear-file-project>/META-INF, trying to get it to have an impact. I think/guess it belongs in the <war-file-project>/WEB-INF along with web.xml, but I could not find this hint anywhere.


      <?xml version="1.0" encoding="UTF-8"?>
      <!-- The <security-domain> uses java:/jaas/GEHCSecurityRealm because it is the JBoss specific JNDI name
           used in gehc-login-config.xml when JBoss deploys the loginModule as a managed service.
           The pattern here is that JBoss prefixes its JAAS JNDI names with java:/jaas -->
      <jboss-web>
        <security-domain>java:/jaas/GEHCSecurityRealm</security-domain>
      </jboss-web>


      I added the following constructs to web.xml:


      <security-constraint>
        <web-resource-collection>
          <web-resource-name>GEHCSecurityRealm</web-resource-name>
          <description>Protects CPWebService URL calls</description>
          <!-- <url-pattern>/CPWebService</url-pattern> -->
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <!-- Uncommenting auth-constraint causes login to fail, uncomment when able to call custom login module.
        <auth-constraint>
          <role-name>Authenticated</role-name>
        </auth-constraint>
        -->
      </security-constraint>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>GEHCSecurityRealm</realm-name> <!-- Could this be how I convince it to call my GEHCLoginModule? Apparently not -->
      </login-config>

      <security-role>
        <description>The role required to access /CPWebService calls</description>
        <role-name>Authenticated</role-name>
      </security-role>


      I added the following construct to login-conf.xml:

      <!-- GEHC Custom authentication login module configuration -->
      <application-policy name="GEHCSecurityRealm">
        <authentication>
          <login-module code="com.gehcit.cp.security.GEHCLoginModule" flag="required"/>
        </authentication>
      </application-policy>


      I enabled security trace/debug logging by adding the following lines to <jboss-install>/server/default/conf/log4j.xml: (The appender-ref elements are my attempt to get the output to come to the console, although it still only ends up in server.log; :-( Good enough).



      <appender-ref ref="CONSOLE"/>
      <appender-ref ref="CONSOLE"/>
      <appender-ref ref="CONSOLE"/>


      So... What I had HOPED to accomplish with the aforementioned configuration, is that when I sent a request to this web service, with a url like /CPWebService (although it should happen for any url according to my <security-constraint>'s <url-pattern>), JBoss would delegate the login to my custom login module, as indicated in the login-conf.xml, because the jboss-web.xml listed the realm it covers as the security realm for this "web application". I'm not 100% confident in any of this, as it is all kinda hearsay, gathered from the JBoss documentation, and random input from forums and a several day google-fest. I am open to any & all suggestions towards a solution. i.e. Please :-)

      The application server starts up without any security complaints. However, when I run my test call to a method under http://localhost:8080/CentricityPractice/CPWebService, it produces the following output:


      2006-11-09 15:57:03,960 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /CentricityPractice/CPWebService
      2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
      2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
      2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
      2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
      2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
      2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles null
      2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Passing all access
      2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
      2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callernull
      2006-11-09 15:57:03,975 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
      2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.RunAsListener] CPWebService, runAs: null
      2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.RunAsListener] CPWebService, runAs: null
      2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass


      It would appear that it is logging in just fine, ... I just have no idea what module it's using, is there any way to tell?

      When I uncomment the auth-constraint in the security-constraint in web.xml, the log produces the following content:


      2006-11-09 15:53:25,191 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1163105605191 sessioncount 0
      2006-11-09 15:53:25,191 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
      2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /CentricityPractice/CPWebService
      2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
      2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
      2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
      2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
      2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
      2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
      2006-11-09 15:53:28,191 TRACE [org.jboss.security.SecurityAssociation] clear, server=true


      This failure makes sense to me, because whatever user it is automatically assuming is relevant hasn't been gifted with the "Authenticated" role. Incidentally, if it was calling my login module, the following method would grant the user this role:


      public Group[] getRoleSets() {
          // Our security at this level (authentication) isn't role based, so we have a simple fudge role to
          // satisfy the requirement of JBoss having role based authentication.
          log.debug("!!!!!!!!!!!!!!!!!!!!!!!!getRoleSets !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
          Group rolesGroup = new SimpleGroup("Roles");
          rolesGroup.addMember(new SimplePrincipal("Authenticated"));
          return new Group[] {rolesGroup};
      }



      Does anyone know what I'm missing, care to commiserate, anything?
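      For readers following this thread: the block below is an added example, not the poster's class and not JBoss project code. It shows what a complete login module for this configuration looks like against the JBoss 4 AbstractServerLoginModule API, with a DEBUG line in every lifecycle method so that server.log records whether the module was consulted at all. The credentials are read from two module-options, expectedUser and expectedPassword; those option names are this example's own choice and would be supplied with <module-option> elements inside the application-policy shown above. Two things the logs in this post already tell you: with the <auth-constraint> commented out the constraint requires no role, so the container grants access ("Checking roles null" / "Passing all access") without invoking any login module, and with it present a request that carries no BASIC credentials fails in authenticate() before any module is reached. The module's own DEBUG lines are therefore the reliable way to tell whether it ran.

```java
package com.gehcit.cp.security;

import java.security.Principal;
import java.security.acl.Group;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

// Added example, not the thread author's class. Every lifecycle method logs at
// DEBUG so server.log shows whether the module was consulted.
public class GEHCLoginModule extends AbstractServerLoginModule {

    private Principal identity;

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map sharedState, Map options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        // If this line never appears, the security-domain named in jboss-web.xml
        // is not resolving to this application-policy in login-config.xml.
        log.debug("GEHCLoginModule.initialize, module-options: " + options.keySet());
    }

    public boolean login() throws LoginException {
        log.debug("GEHCLoginModule.login called");
        // The base class handles password-stacking (useFirstPass) via sharedState.
        if (super.login()) {
            Object name = sharedState.get("javax.security.auth.login.name");
            identity = (name instanceof Principal) ? (Principal) name
                                                   : new SimplePrincipal(String.valueOf(name));
            return true;
        }
        if (callbackHandler == null) {
            throw new LoginException("No CallbackHandler available to collect credentials");
        }
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            callbackHandler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            LoginException le = new LoginException("Credential callback failed: " + e.getMessage());
            le.initCause(e);
            throw le;
        }
        String username = nc.getName();
        char[] password = pc.getPassword();
        pc.clearPassword();
        if (username == null || password == null || !credentialsValid(username, password)) {
            log.debug("GEHCLoginModule: authentication failed for user " + username);
            return false; // with flag="required" this fails the whole login
        }
        identity = new SimplePrincipal(username);
        loginOk = true;
        log.debug("GEHCLoginModule: authenticated user " + username);
        return true;
    }

    // Hypothetical credential check driven by two module-options (expectedUser and
    // expectedPassword, names chosen for this example). A production module would
    // look the user up in a directory or database rather than compare to a configured value.
    private boolean credentialsValid(String username, char[] password) {
        String expectedUser = (String) options.get("expectedUser");
        String expectedPassword = (String) options.get("expectedPassword");
        if (expectedUser == null || expectedPassword == null) {
            log.warn("GEHCLoginModule: expectedUser/expectedPassword module-options not set");
            return false;
        }
        return expectedUser.equals(username)
            && constantTimeEquals(expectedPassword.toCharArray(), password);
    }

    // Compare without stopping at the first mismatching character.
    private static boolean constantTimeEquals(char[] a, char[] b) {
        int diff = a.length ^ b.length;
        for (int i = 0; i < Math.min(a.length, b.length); i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    protected Principal getIdentity() {
        return identity;
    }

    protected Group[] getRoleSets() throws LoginException {
        log.debug("GEHCLoginModule.getRoleSets for " + identity);
        Group roles = new SimpleGroup("Roles");
        roles.addMember(new SimplePrincipal("Authenticated"));
        return new Group[] { roles };
    }
}
```

      Because the module is declared with flag="required", a false from login() fails the whole login for that security domain; a module that accepts a fixed user unconditionally, as the hard-coded version described above does, belongs on a development server only.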

        • 1. Re: Attempt to get JBoss to call my custom login module
          jcollins914

          I'm posting again, because it blurred my code samples beyond worth when I wrapped them in code tags... (Sorry about that.)


          • 2. Further details, and one refinement...
            jcollins914

            Upon further reviewing the JBoss Wiki, I was able to confirm that the jboss-web.xml file belongs in the WEB-INF directory. I've removed the redundant copies from the file.

            It occurred to me that I should mention that I am NOT trying to secure any EJB's, jsp's, or html's, but rather, just one method, called processMessage, that is offered up through the web service available at the url which conforms to the form /CPWebService by use of JBossWS. Much of the documentation I've found takes steps towards securing ejb's, and has thus seemed to trail off just when I need it most. Hopefully this will provide the qualified reader a crucial clue. I haven't been able to find anyone suggesting a way to specifically secure web method(s). Perhaps I am attempting the impossible? I suspect not, but rather that I have just not been able to unearth the appropriate hint.

            Also, I'm not sure why the forum omitted portions of my log4j.xml code snippet, but I'm confident that's correct. I obtained it from Q4 of the JBoss FAQ that is VERY frequently pointed to in this particular branch of the forums.

            Thanks for your consideration of this bump in my road.

            • 3. Re: Attempt to get JBoss to call my custom login module
              jaikiran

              What's the end-point of your webservice? Is it an EJB? If yes then you will have to add the security-domain entry to the jboss.xml and NOT jboss-web.xml. More details can be found at:

              http://labs.jboss.com/portal/jbossws/user-guide/en/html/secure-ejb.html

              Let us know if this is not what you were looking for.

              • 4. Re: Attempt to get JBoss to call my custom login module
                jaikiran

                 

                "jaikiran" wrote:
                you will have to add the security-domain entry to the jboss.xml and NOT jboss-web.xml.


                The jboss.xml will be present in the META-INF folder of the ejb jar which contains the endpoint of the webservice.

                • 5. Re: Attempt to get JBoss to call my custom login module
                  jcollins914

                  Thanks jaikiran.

                  Incidentally, I read your entire blog as part of my research, since you'd answered some questions on this stuff in the past... My answer wasn't there, but I did find some interesting tidbits, and have bookmarked it for future reference. Don't go changing just to please me.

                  My endpoint(s) are not EJB's, but rather methods exposed through JBoss's implementation of JAX-WS (JBossWS). An example of one such method is "processMessage()".

                  The web service is exposed as defined in this fragment of my web.xml file (JBossWS dictates the servlet declaration strategy for the web services):


                  <servlet>
                    <servlet-name>CPWebService</servlet-name>
                    <display-name>CPWebService</display-name>
                    <description>JAX-WS endpoint - CPWebService</description>
                    <servlet-class>com.sun.xml.ws.transport.http.servlet.WSServlet</servlet-class>
                    <load-on-startup>1</load-on-startup>
                    <security-role-ref>
                      <role-name>Authenticated</role-name>
                      <role-link>Authenticated</role-link>
                    </security-role-ref>
                  </servlet>

                  <servlet-mapping>
                    <servlet-name>CPWebService</servlet-name>
                    <url-pattern>/CPWebService</url-pattern>
                  </servlet-mapping>


                  The method resides in CPWebServiceImpl.java, and appears as follows (complete with annotations):

                  @WebMethod
                  @WebResult(name = "processMessageReturn", targetNamespace = "http://ws.cp.gehcit.com")
                  @RequestWrapper(localName = "processMessage", targetNamespace = "http://ws.cp.gehcit.com", className = "com.gehcit.cp.ws.ProcessMessage")
                  @ResponseWrapper(localName = "processMessageResponse", targetNamespace = "http://ws.cp.gehcit.com", className = "com.gehcit.cp.ws.ProcessMessageResponse")
                  public String processMessage(
                          @WebParam(name = "xmlMessage", targetNamespace = "http://ws.cp.gehcit.com")
                          String xmlMessage) throws ProcessMessageFaultMsg {
                      MessageProcessor mp = new MessageProcessor();
                      try {
                          return mp.doMessage(xmlMessage);
                      } catch (Exception e) {
                          log.error(e, e);
                          ProcessMessageFaultMsg pmfm = new ProcessMessageFaultMsg(xmlMessage, null, e);
                          throw pmfm;
                      }
                  }

                  The abbreviated wsdl fragments that pertain to this method are as follows:

                  <wsdl:definitions targetNamespace="http://ws.cp.gehcit.com"
                  xmlns:apachesoap="http://xml.apache.org/xml-soap"
                  xmlns:impl="http://ws.cp.gehcit.com"
                  xmlns:intf="http://ws.cp.gehcit.com"
                  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/"
                  xmlns:tns="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema">


                  <wsdl:types>
                  ...
                  </wsdl:types>

                  ...

                  <wsdl:message name="processMessageRequest">
                  <wsdl:part element="impl:processMessage" name="parameters" />
                  </wsdl:message>

                  <wsdl:message name="processMessageResponse">

                  <wsdl:part element="impl:processMessageResponse"
                  name="parameters" />
                  </wsdl:message>

                  <wsdl:message name="processMessage_faultMsg">
                  <wsdl:part name="fault" element="impl:processMessage_fault">
                  </wsdl:part>
                  </wsdl:message>

                  <wsdl:portType name="CPWebService">
                  <wsdl:operation name="processMessage">
                  <wsdl:input message="impl:processMessageRequest" name="processMessageRequest" />
                  <wsdl:output message="impl:processMessageResponse" name="processMessageResponse" />
                  <wsdl:fault message="impl:processMessage_faultMsg" name="processMessageFault" />
                  </wsdl:operation>
                  </wsdl:portType>

                  <wsdl:binding name="CPWebServiceSoapBinding" type="impl:CPWebService">
                  <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />

                  <wsdl:operation name="processMessage">
                  <wsdlsoap:operation soapAction="" />
                  <wsdl:input name="processMessageRequest">
                  <wsdlsoap:body use="literal" />
                  </wsdl:input>
                  <wsdl:output name="processMessageResponse">
                  <wsdlsoap:body use="literal" />
                  </wsdl:output>
                  <wsdl:fault name="processMessageFault">
                  <wsdlsoap:fault name="processMessageFault" use="literal" />
                  </wsdl:fault>
                  </wsdl:operation>
                  </wsdl:binding>

                  <wsdl:service name="CPWebServiceService">
                  <wsdl:port binding="impl:CPWebServiceSoapBinding" name="CPWebService">
                  <wsdlsoap:address location="http://localhost:8080/CentricityPractice/services/CPWebService" />
                  </wsdl:port>
                  </wsdl:service>

                  </wsdl:definitions>

                  Thanks again, and please do let me know if I can provide you w/ any other information.
                  Jeff

                  • 6. Re: Attempt to get JBoss to call my custom login module
                    jcollins914

                    I'm learning...

                    It seems if you surround a chunk of content with ellipses, as in the <wsdl:types> block above, it makes the content go away... Too bad that doesn't work in other venues, like with the trash, leaves in the yard, etc.

                    Here is the content that was there before:


                    ...
                    My apologies for the non-brevity, but I want to be as clear as I can. Thanks again.

                    • 7. Re: Attempt to get JBoss to call my custom login module
                      jcollins914

                      OK, it rooked me again, (I'm learning slowly)... I notice that if you view-->source, you can see the content I intended to be present (in both places where there is a visible void instead of meaningful content). Is there a pattern as to why? Is it within my control to prevent this awkwardness?

                      • 8. Re: Attempt to get JBoss to call my custom login module
                        bmcgovern

                        jcollins. I feel your pain in that most of the docs I'm reading on SSO are specific to EJB set ups. I don't think I can offer you any help in your problem, but I do get the distinct feeling that you are farther along in fixing your problem than I am in mine and hopefully you, or someone paying attention to this thread can help me.

                        I've got a JBoss Portal and a separate webapp running on the same host and I want to set up Single sign on for both. The webapp has its own data store and user base. The portal comes setup by default with its own userbase and roles etc. I know it's gotta be JAAS, and I know I probably have to come up with my own auth module but I have no idea how to integrate it and no doc seems to speak to the first timer. I need to know pretty much exactly what to put in various xmls... how to call the auth, what to do with jsps, how to handle exceptions... the whole nine and I'm stuck. Can anyone help?

                        Here's the detailed thread with my problem's backstory.

                        http://jboss.org/index.html?module=bb&op=viewtopic&t=94522

                        • 9. Re: Attempt to get JBoss to call my custom login module
                          jaikiran

                           

                          OK, it rooked me again, (I'm learning slowly)..


                          You have the "Code" button which you can use while posting to wrap those contents in a code block to avoid the mess.

                          jcollins914, I haven't used webservices before and don't have much knowledge about them. However with whatever information you have provided so far, I have been able to figure out that you have exposed your webservice methods as a servlet which you have defined in the web.xml. Now you have secured this servlet using BASIC authentication and a custom login module. Apart from the webservice part this appears to be an attempt to secure the servlet. It should not matter that the servlet is being used by webservice. Am I right?

                          If yes, then when you type in the URL: http://localhost:8080/CentricityPractice/CPWebService do you see the pop up asking for user name and password (since you are using BASIC authentication)?
                          Also, have you written any debug log messages in your own custom login module so as to figure out whether the control has been forwarded to it?
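                          Both questions above can also be checked from outside the container. The following is an added example, not code from this thread, of a small Java 8 client that POSTs a constructed SOAP envelope to the endpoint twice, once with no credentials and once with HTTP BASIC credentials, and reads the status codes. The default URL is the endpoint from this thread, the envelope element names follow the wsdl fragment posted above, and user:password is a placeholder to be replaced with your own test account. Run it only against a deployment you administer.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example (not from the thread): verifies that the security-constraint on
// /CPWebService is enforced by comparing an anonymous and an authenticated POST.
public class ConstraintCheck {

    // Constructed request body; element names follow the processMessage wsdl fragment.
    private static final String ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\""
      + " xmlns:ws=\"http://ws.cp.gehcit.com\">"
      + "<soapenv:Body><ws:processMessage><xmlMessage>ping</xmlMessage></ws:processMessage>"
      + "</soapenv:Body></soapenv:Envelope>";

    /** POSTs the envelope; a null basicAuth sends no Authorization header. Returns the HTTP status. */
    static int post(URL endpoint, String basicAuth) throws IOException {
        HttpURLConnection con = (HttpURLConnection) endpoint.openConnection();
        con.setRequestMethod("POST");
        con.setDoOutput(true);
        con.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        con.setRequestProperty("SOAPAction", "\"\"");
        if (basicAuth != null) {
            String token = Base64.getEncoder()
                .encodeToString(basicAuth.getBytes(StandardCharsets.UTF_8));
            con.setRequestProperty("Authorization", "Basic " + token);
        }
        try (OutputStream out = con.getOutputStream()) {
            out.write(ENVELOPE.getBytes(StandardCharsets.UTF_8));
        }
        int status = con.getResponseCode();
        // Drain whichever stream the server used so the connection can be reused.
        try (InputStream in = status >= 400 ? con.getErrorStream() : con.getInputStream()) {
            if (in != null) {
                while (in.read() != -1) { /* discard body */ }
            }
        }
        return status;
    }

    public static void main(String[] args) throws IOException {
        URL endpoint = new URL(args.length > 0 ? args[0]
                : "http://localhost:8080/CentricityPractice/CPWebService");
        String creds = args.length > 1 ? args[1] : "user:password"; // placeholder

        int anonymous = post(endpoint, null);
        int withCreds = post(endpoint, creds);
        System.out.println("no credentials   -> HTTP " + anonymous);
        System.out.println("with credentials -> HTTP " + withCreds);

        // The status codes describe the constraint, not the login module itself.
        if (anonymous != 401) {
            System.out.println("WARNING: anonymous request was not challenged; "
                + "check that <auth-constraint> is present and the url-pattern matches.");
        } else if (withCreds == 401) {
            System.out.println("Challenge works but credentials were rejected: "
                + "look in server.log for your login module's own debug lines.");
        } else {
            System.out.println("Authenticated request accepted.");
        }
    }
}
```

                          A 401 on the anonymous request is the BASIC challenge the browser would show as a pop-up; anything else on that request means the constraint is not requiring authentication, in which case no login module is consulted at all. Only once the challenge is in place do the module's own log lines become meaningful.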


                          • 10. Re: Attempt to get JBoss to call my custom login module
                            jcollins914

                             

                            "bmcgovern" wrote:
                            jcollins. I feel your pain in that most of the docs im reading on SSO are specific to EJB set ups. I don't think I can offer you any help in your problem, but i do get the distinct feeling that you are farther along in fixing your problem than I am in mine and hopefully you, or someone paying attention to this thread can help me.


                            Hi bmcgovern. I haven't been able to get any JBoss security configuration figured out yet. I have read a lot, and am certainly trying, losing sleep, etc., but as of yet, my knowledge is all theoretical. I read over your forum in hopes that I could help in some way, but it seems to me you are further along than I. :-( I have compiled a list of resources I used to bring myself up to my current turtle speed on some of the web security details... in the event you or anyone else reading might find them of use. If anyone has any other suggestions, please do share, I would love to read them as well.

                            JBoss Chapter 8 (security on JBoss) :
                            http://docs.jboss.org/jbossas/jboss4guide/r2/html/ch8.chapter.html

                            Some resources that helped me to begin to get a grip on JBoss's implementation of JAAS:

                            JAAS documentation home: http://java.sun.com/products/jaas/reference/docs/index.html
                            JAAS Authentication tutorial: http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html
                            JAAS Authorization tutorial: http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnAndAzn.html
                            An explanation for use of JBoss's BaseCertLoginModule: http://wiki.jboss.org/wiki/Wiki.jsp?page=BaseCertLoginModule
                            A site that does a (seemingly) thorough job of explaining how to secure an EJB: http://www.csd.abdn.ac.uk/~bscharla/teaching/mtp_software/jboss/secureJBoss.shtml
                            An HP offering that explains how to secure a web app in jboss, --but of course also diverts off to focus on EJB's: http://devresource.hp.com/drc/technical_papers/jaas_jboss/index.jsp
                            http://wiki.jboss.org/wiki/Wiki.jsp?page=ConfiguringAJavaSecurityManager
                            Makes it sound so easy: http://wiki.jboss.org/wiki/Wiki.jsp?page=CreatingACustomLoginModule

                            Some resources that helped me to begin to get a grip on WS-Security:

                            http://www.windowsitlibrary.com/Content/1219/06/1.html
                            http://www.oracle.com/technology/tech/java/newsletter/articles/wsaudit/ws_audit.html
                            http://www-128.ibm.com/developerworks/webservices/library/ws-security.html
                            http://wiki.jboss.org/wiki/Wiki.jsp?page=WSSecurity

                            Some SAML stuff:

                            http://en.wikipedia.org/wiki/SAML
                            http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
                            http://xml.coverpages.org/saml.html
                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0.pdf
                            http://www.onjava.com/pub/a/onjava/2005/02/09/wssecurity.html

                            A couple of Sun tutorials that provide good information, but be careful: not all of it is applicable to JBoss implementations:

                            http://java.sun.com/javaee/5/docs/tutorial/doc/index.html
                            http://java.sun.com/webservices/docs/2.0/tutorial/doc/

                            Hope something here helps,
                            Jeff



                            • 11. Re: Attempt to get JBoss to call my custom login module
                              jcollins914

                               

                              "bmcgovern" wrote:
                              jcollins. I feel your pain in that most of the docs I'm reading on SSO are specific to EJB setups. I don't think I can offer you any help in your problem, but I do get the distinct feeling that you are farther along in fixing your problem than I am in mine, and hopefully you, or someone paying attention to this thread, can help me.


                              Hi bmcgovern. I haven't been able to get any JBoss security configuration figured out yet. I have read a lot, and am certainly trying, losing sleep, etc., but as of yet, my knowledge is all theoretical. I read over your forum in hopes that I could help in some way, but it seems to me you are further along than I. :-( I have compiled a list of resources I used to bring myself up to my current turtle speed on some of the web security details... in the event you or anyone else reading might find them of use. If anyone has any other suggestions, please do share, I would love to read them as well.

                              JBoss Chapter 8 (security on JBoss) :
                              http://docs.jboss.org/jbossas/jboss4guide/r2/html/ch8.chapter.html

                              Some resources that helped me to begin to get a grip on JBoss's implementation of JAAS:

                              JAAS documentation home: http://java.sun.com/products/jaas/reference/docs/index.html
                              JAAS Authentication tutorial: http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html
                              JAAS Authorization tutorial: http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnAndAzn.html
                              An explanation for use of JBoss's BaseCertLoginModule: http://wiki.jboss.org/wiki/Wiki.jsp?page=BaseCertLoginModule
                              A site that does a (seemingly) thorough job of explaining how to secure an EJB: http://www.csd.abdn.ac.uk/~bscharla/teaching/mtp_software/jboss/secureJBoss.shtml
                              An HP offering that explains how to secure a web app in jboss, --but of course also diverts off to focus on EJB's: http://devresource.hp.com/drc/technical_papers/jaas_jboss/index.jsp
                              http://wiki.jboss.org/wiki/Wiki.jsp?page=ConfiguringAJavaSecurityManager
                              Makes it sound so easy: http://wiki.jboss.org/wiki/Wiki.jsp?page=CreatingACustomLoginModule

                              Some resources that helped me to begin to get a grip on WS-Security:

                              http://www.windowsitlibrary.com/Content/1219/06/1.html
                              http://www.oracle.com/technology/tech/java/newsletter/articles/wsaudit/ws_audit.html
                              http://www-128.ibm.com/developerworks/webservices/library/ws-security.html
                              http://wiki.jboss.org/wiki/Wiki.jsp?page=WSSecurity

                              Some SAML stuff:

                              http://en.wikipedia.org/wiki/SAML
                              http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
                              http://xml.coverpages.org/saml.html
                              http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0.pdf
                              http://www.onjava.com/pub/a/onjava/2005/02/09/wssecurity.html

                              A couple of Sun tutorials that provide good information, but be careful: not all of it is applicable to JBoss implementations:

                              http://java.sun.com/javaee/5/docs/tutorial/doc/index.html
                              http://java.sun.com/webservices/docs/2.0/tutorial/doc/

                              Hope something here helps,
                              Jeff


                              • 12. Re: Attempt to get JBoss to call my custom login module
                                jcollins914

                                Thanks, jaikiran, for your gratuitous effort.

                                "jaikiran" wrote:

                                You have the "Code" button which you can use while posting to wrap those contents in a code block to avoid the mess.


                                Thanks, I'll use the code button from now on.

                                "jaikiran" wrote:

                                Now you have secured this servlet using BASIC authentication and a custom login module. Apart from the webservice part, this appears to be an attempt to secure the servlet. It should not matter that the servlet is being used by a webservice. Am I right?


                                This is my understanding as well, although I've never secured a servlet before, (or an EJB)... I rarely even lock my car... --so I could be way off here, but I think in large part, this gets to the essence of my question, --can I even use declarative security to secure my web service endpoint in the form of a web-method through JBossWS...

                                "jaikiran" wrote:

                                If yes, then when you type in the URL http://localhost:8080/CentricityPractice/CPWebService do you see the pop-up asking for user name and password (since you are using BASIC authentication)?


                                Thanks, I thought so too, but no sale. Referencing that URL from a browser simply lists the exposed web service(s), no login. What I would prefer is to not have a login-config element in my web.xml at all, (or however I would otherwise accomplish the following goal). I am in hopes that I can utilize information that the client sends over in the SOAP header to obtain details for the login to be performed through my custom login module. In other words, I don't want a BASIC login module to "pop up" requesting a login, and neither do I want a FORM login to allow me to configure my own custom login screen. I want the server code to be able to obtain information from the SOAP message header, to be used in the custom login module, without any user interaction. I put the login-config BASIC block in there as an attempt to see if I could get a reaction out of the login whatsoever... Alas no. My current login module, although poised to do so, currently doesn't peer into the SOAP header, but seeks to just "return true" from the login() method. It should not require an actual login in order to just be called, no?

                                "jaikiran" wrote:

                                Also, have you written any debug log messages in your own custom login module so as to figure out whether the control has been forwarded to it?


                                Yes, definitely. Every method prints out a lot of exclamation points, and a message saying it has been entered. I also have a breakpoint on the first line of each method in my GEHCLoginModule, and am running the application server in debug mode. Stopping at one of those breakpoints, or finding the exclamation points in my console output, would cause much rejoicing. --No sign of them yet.

                                Continued appreciation.