5 Replies Latest reply on Apr 2, 2008 8:29 AM by idweiss

    UsernamePasswordLoginModule and client origin

    idweiss

      I have a subclass of UsernamePasswordLoginModule, and I want to use different authentication logic for clients that run on the server machine and clients that run on remote machines.
      How can I obtain the client origin from within the Login Module instance?

        • 1. Re: UsernamePasswordLoginModule and client origin
          ragavgomatam

          You will have to write a Tomcat Valve. I have posted the code somewhere in this or the Tomcat/Httpd/Servlets/Jsp forum here under JBoss.

          • 2. Re: UsernamePasswordLoginModule and client origin
            ragavgomatam
            • 3. Re: UsernamePasswordLoginModule and client origin
              idweiss

              A small addition, my clients are EJB Java clients, some are processes that run on the JBoss machine (the "local" clients), and some are Java EJB client applications running on external machines

              • 4. Re: UsernamePasswordLoginModule and client origin
                ragavgomatam

                Remote EJB clients look up JNDI to get the EJB handle. Prior to that they log in as follows.

                import javax.security.auth.Subject;
                import javax.security.auth.login.LoginContext;
                import javax.security.auth.login.LoginException;

                public class CustomClient {

                    /**
                     * @param args username, password and the text value (here the client IP)
                     */
                    @SuppressWarnings("unchecked")
                    public static void main(String[] args) {
                        LoginContext ctx = null;
                        try {
                            ctx = new LoginContext("client-login",
                                    new CustomHandler(args[0], args[1], args[2]));
                            ctx.login();

                            // Look up the EJB after the JAAS login above and invoke it in your PrivilegedAction
                            Subject.doAs(ctx.getSubject(), new CustomAction());

                        } catch (LoginException le) {
                            System.err.println("LoginContext cannot be created. " + le.getMessage());
                            System.exit(-1);
                        } catch (SecurityException se) {
                            System.err.println("LoginContext cannot be created. " + se.getMessage());
                        }
                    }

                }



                import java.security.PrivilegedAction;

                public class CustomAction implements PrivilegedAction {

                    public Object run() {
                        // Look up the EJB & invoke its methods here; return the result (or null)
                        return null;
                    }

                }




                Callback handler implementation. In addition to name and password, ask the user to enter IP information through TextInputCallback as shown. Retrieve this in your Login Module's login(). Verify the presence of the client IP in login(); if absent, throw an exception. Hope this helps.


                import javax.security.auth.callback.Callback;
                import javax.security.auth.callback.CallbackHandler;
                import javax.security.auth.callback.NameCallback;
                import javax.security.auth.callback.PasswordCallback;
                import javax.security.auth.callback.TextInputCallback;
                import javax.security.auth.callback.UnsupportedCallbackException;

                public class CustomHandler implements CallbackHandler {

                    private String name;
                    private String password;
                    private String text;

                    public void handle(Callback[] callbacks)
                            throws UnsupportedCallbackException {
                        for (int i = 0; i < callbacks.length; i++) {
                            if (callbacks[i] instanceof NameCallback) {
                                NameCallback nc = (NameCallback) callbacks[i];
                                nc.setName(this.name);
                            } else if (callbacks[i] instanceof PasswordCallback) {
                                PasswordCallback pc = (PasswordCallback) callbacks[i];
                                pc.setPassword(this.password.toCharArray());
                            } else if (callbacks[i] instanceof TextInputCallback) {
                                TextInputCallback tc = (TextInputCallback) callbacks[i];
                                tc.setText(this.text);   // e.g. the IP information entered by the user
                            } else {
                                throw new UnsupportedCallbackException(callbacks[i],
                                        "Callback not supported");
                            }
                        }
                    }

                    public CustomHandler(String name, String password, String text) {
                        this.name = name;
                        this.password = password;
                        this.text = text;
                    }

                }


                For local clients, which I assume are web based (that is, whose calls would be over HTTP), you could use the Tomcat Valve to introspect the IP.
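The login-module side of this approach, added here as an illustration and not code from the thread: it reads the TextInputCallback that CustomHandler fills in, rejects a login that supplies no value, and records whether the claimed address matches one of the server's own interfaces. Because the value is asserted by the client, the module treats it as audit data rather than proof of origin; the class name, the "client-ip" prompt and the use of the base class's callbackHandler, log and getUsername() members are assumptions.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.util.Collections;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.TextInputCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

// Hypothetical subclass (example only); getUsersPassword()/getRoleSets() stay in the concrete subclass.
public abstract class OriginAwareLoginModule extends UsernamePasswordLoginModule {

    @Override
    public boolean login() throws LoginException {
        if (!super.login()) return false;          // username/password check comes first
        String claimed = readClaimedAddress();
        if (claimed == null || claimed.trim().length() == 0) {
            throw new FailedLoginException("client supplied no origin address");
        }
        // The value comes from the client's CallbackHandler, so it is self-asserted:
        // log it for audit, but grant nothing on its strength alone. The true origin
        // has to be observed on the server side (transport layer or a valve).
        boolean claimsLocal = isAddressOfThisHost(claimed.trim());
        log.info("user " + getUsername() + " claims origin " + claimed
                + (claimsLocal ? " (matches a local interface)" : " (remote)"));
        return true;
    }

    // Asks the client's CallbackHandler for the "client-ip" text value (prompt name assumed).
    private String readClaimedAddress() throws LoginException {
        TextInputCallback tc = new TextInputCallback("client-ip");
        try {
            callbackHandler.handle(new Callback[] { tc });
        } catch (Exception e) {                    // IOException or UnsupportedCallbackException
            throw new LoginException("origin callback failed: " + e.getMessage());
        }
        return tc.getText();
    }

    // True if the address literal is loopback or bound to one of this host's interfaces.
    static boolean isAddressOfThisHost(String literal) {
        try {
            InetAddress a = InetAddress.getByName(literal);   // expects an IP literal, not a hostname
            if (a.isLoopbackAddress()) return true;
            for (NetworkInterface ni : Collections.list(NetworkInterface.getNetworkInterfaces())) {
                if (Collections.list(ni.getInetAddresses()).contains(a)) return true;
            }
        } catch (IOException e) { /* unparsable or unresolvable input: treat as not local */ }
        return false;
    }
}
```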

                • 5. Re: UsernamePasswordLoginModule and client origin
                  idweiss

                  Thanks ragavgomatam.
                  Thing is, because this is a security issue, I cannot rely on clients to provide their genuine IP address, as attackers will provide a false one. Instead the solution requires figuring out their real origin.