2 Replies Latest reply on Mar 29, 2007 8:49 AM by sionut2

    receiving both my custom callback handler AND SecurityAssoci

    sionut2
    sionut2 Mar 28, 2007 10:49 AM

      Hi,

      I created a custom CallbackHandler, handed it to the LoginContext.

      CallbackHandler cbHandler = new SsoTokenCallbackHandler(username, password.toCharArray());

      try {
 LoginContext lc = new LoginContext("my-ctx", cbHandler);
 lc.login();
 result = true;
 } catch (LoginException e) {
 log.error("Exception during login.", e);
 result = false;
 }


      The problem: the initialize() method of my LoginModule I'm getting called twice:
      1) the first time with my custom callback handler (SsoTokenCallbackHandler). Here's what Eclipse is showing when debugging: 
      callbackHandler LoginContext$SecureCallbackHandler (id=142)
 acc AccessControlContext (id=157)
 ch SsoTokenCallbackHandler (id=159)

      2) the second time with another callback handler which fails (SecurityAssociationHandler). Here's what Eclipse is showing when debugging: 
      callbackHandler LoginContext$SecureCallbackHandler (id=197)
 acc AccessControlContext (id=201)
 ** ch SecurityAssociationHandler (id=202) **

      Is it normal to be called twice ? What can I do to receive a single call in my LoginModule ? (the first one)

      Thank you !

      • 2790 Views
      • Tags:
        • 1. Re: receiving both my custom callback handler AND SecurityAs
          sionut2
          sionut2 Mar 29, 2007 6:37 AM (in response to sionut2)

          Probably I need to give you some more details.. I need this second login module to authenticate my ws calls. The login from the web site works very well, but if I add my login module to the existing configuration the login modules are called twice, as I told you in my previous message.

          I just realized that, if I add a new

          <?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
 "-//JBoss//DTD JBOSS Security Config 3.0//EN"
 "http://www.jboss.org/j2ee/dtd/security_config.dtd">
<policy>
 <application-policy name = "policy1">
 <authentication>

 <login-module
 code="org.jboss.security.ClientLoginModule"
 flag="required">
 </login-module>

 <login-module code = "my.first.login.module"
 flag = "required">
 </login-module>

 </authentication>
 </application-policy>

 <application-policy name = "policy2">
 <authentication>

 <login-module code="my.second.login.module"
 flag="required">
 </login-module>

 </authentication>
 </application-policy>
</policy>


          section in my emp-login-config.xml and include there my login module, it gets called only once. So I found the cause of the problem, but I can't explain why it happens like this.

          I have nothing against using another security domain for my WS authentication, but the problem is my EJBs are declared with @SecurityDomain("policy1"); as a consequence, when the WS calls my EJB I'm getting an exception (obvious, I know)

          Anybody ? Any idea ?

            • Actions
          • 2. Re: receiving both my custom callback handler AND SecurityAs
            sionut2
            sionut2 Mar 29, 2007 8:49 AM (in response to sionut2)

            When I declare my.first.login.module as "sufficient" I am able to access the EJBs, although they are declared with

            @SecurityDomain("policy1")

            and I log on using the following code: 
             LoginContext lc = new LoginContext("policy2", cbHandler);
 lc.login();


            When I'm debugging with Eclipse, it seems my.first.login.module is still touched, although it shouldn't (it's in policy1, not policy2)

            Any ideas why ?

              • Actions