1. Re: UsernamePasswordLoginModule and client origin
ragavgomatam Feb 27, 2008 1:18 PM (in response to idweiss)
You will have to write a Tomcat Valve. I have posted the code somewhere in this or the Tomcat/Httpd/Servlets/Jsp forum here under JBoss.
-
2. Re: UsernamePasswordLoginModule and client origin
ragavgomatam Feb 27, 2008 1:22 PM (in response to idweiss)
URL for the Tomcat Valve code:
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=125015 -
3. Re: UsernamePasswordLoginModule and client origin
idweiss Feb 27, 2008 1:24 PM (in response to idweiss)
A small addition: my clients are EJB Java clients. Some are processes that run on the JBoss machine (the "local" clients), and some are Java EJB client applications running on external machines.
-
4. Re: UsernamePasswordLoginModule and client origin
ragavgomatam Feb 27, 2008 10:06 PM (in response to idweiss)
Remote EJB clients look up JNDI to get the EJB handle. Prior to that they log in as follows.
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class CustomClient {

    /**
     * @param args user name, password and client IP text, in that order
     */
    @SuppressWarnings("unchecked")
    public static void main(String[] args) {
        LoginContext ctx = null;
        try {
            ctx = new LoginContext("client-login", new CustomHandler(args[0], args[1], args[2]));
            ctx.login();
            // Look up the EJB after the JAAS login above and invoke it in your PrivilegedAction
            Subject.doAs(ctx.getSubject(), new CustomAction());
        } catch (LoginException le) {
            System.err.println("LoginContext cannot be created. " + le.getMessage());
            System.exit(-1);
        } catch (SecurityException se) {
            System.err.println("LoginContext cannot be created. " + se.getMessage());
        }
    }
}
import java.security.PrivilegedAction;

public class CustomAction implements PrivilegedAction {
    public Object run() {
        // Look up the EJB and invoke its methods here; runs with the logged-in Subject
        return null;
    }
}
Callback handler implementation. In addition to name and password, ask the user to enter IP information through a TextInputCallback as shown. Retrieve this in your login module's login(). Verify the presence of the client IP in login(); if absent, throw an exception. Hope this helps.

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextInputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

public class CustomHandler implements CallbackHandler {
    private String name;
    private String password;
    private String text;

    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof NameCallback) {
                NameCallback nc = (NameCallback) callbacks[i];
                nc.setName(this.name);
            } else if (callbacks[i] instanceof PasswordCallback) {
                PasswordCallback pc = (PasswordCallback) callbacks[i];
                pc.setPassword(this.password.toCharArray());
            } else if (callbacks[i] instanceof TextInputCallback) {
                // carries the client IP text entered by the user
                TextInputCallback tc = (TextInputCallback) callbacks[i];
                tc.setText(this.text);
            } else {
                throw new UnsupportedCallbackException(callbacks[i], "Callback not supported");
            }
        }
    }

    public CustomHandler(String name, String password, String text) {
        this.name = name;
        this.password = password;
        this.text = text;
    }
}
For local clients, which I assume are web based, that is, whose calls would be over HTTP, you could use the Tomcat Valve to introspect the IP. -
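The reply above leaves the server side of the scheme, the login module that reads the TextInputCallback and checks it, unwritten. The following is an added, self-contained example of that module and is not code from the thread or from JBoss: a stackable JAAS LoginModule that asks the handler for the origin text, compares it against a hypothetical `allowedOrigins` module option, and fails the login when the value is missing or not on the list. Credential checking is left to whatever UsernamePasswordLoginModule is stacked with it in the same login-config; this module only enforces origin. The JAAS Configuration, handler and addresses below are constructed for the demo so it runs offline. Note that the value it checks is whatever the client's callback handler chose to send, so it is an allow-list on a claimed address, not on the address the connection actually came from.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextInputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Stackable JAAS module that rejects logins whose claimed origin is not on an allow-list. */
public class ClientOriginLoginModule implements LoginModule {
    private CallbackHandler handler;
    private final Set<String> allowed = new HashSet<String>();
    private boolean ok;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        // hypothetical module option: comma-separated list of permitted client addresses
        String list = (String) options.get("allowedOrigins");
        if (list != null) {
            for (String a : list.split(",")) allowed.add(a.trim());
        }
    }

    public boolean login() throws LoginException {
        TextInputCallback origin = new TextInputCallback("client ip: ");
        try {
            handler.handle(new Callback[] { origin });
        } catch (IOException e) {
            throw new LoginException("cannot obtain client origin: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("handler does not supply a client origin");
        }
        String ip = origin.getText();
        if (ip == null || ip.trim().isEmpty()) {
            throw new FailedLoginException("client origin missing");
        }
        if (!allowed.contains(ip.trim())) {
            throw new FailedLoginException("client origin not permitted: " + ip);
        }
        ok = true;
        return true;
    }

    public boolean commit() { return ok; }
    public boolean abort()  { ok = false; return true; }
    public boolean logout() { ok = false; return true; }

    /** Demo handler mirroring the CustomHandler in the post: answers name, password and origin text. */
    static class OriginHandler implements CallbackHandler {
        private final String name, password, origin;
        OriginHandler(String name, String password, String origin) {
            this.name = name; this.password = password; this.origin = origin;
        }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(name);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password.toCharArray());
                } else if (cb instanceof TextInputCallback) {
                    ((TextInputCallback) cb).setText(origin);
                } else {
                    throw new UnsupportedCallbackException(cb, "unsupported callback");
                }
            }
        }
    }

    /** Programmatic JAAS configuration so the demo needs no login.conf file. */
    static Configuration config(final String allowedList) {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("allowedOrigins", allowedList);
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    ClientOriginLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    /** Returns true when a login that claims the given origin passes the module. */
    static boolean tryLogin(String claimedOrigin) {
        try {
            LoginContext ctx = new LoginContext("demo", new Subject(),
                new OriginHandler("alice", "secret", claimedOrigin), config("10.0.0.5, 127.0.0.1"));
            ctx.login();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // constructed sample addresses: one on the allow-list, one not
        System.out.println("127.0.0.1 permitted: " + tryLogin("127.0.0.1"));
        System.out.println("192.0.2.9 permitted: " + tryLogin("192.0.2.9"));
    }
}
```

In a JBoss login-config.xml you would list this module as a second `login-module` entry with flag `required` under the same application-policy as the password module, so both must succeed. Whether a TextInputCallback value entered on a remote EJB client ever reaches a server-side module depends on the remoting and security-association layer, which this thread does not cover; that is a separate question from the one the next reply raises, which is that the value is client-asserted in the first place.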
5. Re: UsernamePasswordLoginModule and client origin
idweiss Apr 2, 2008 8:29 AM (in response to idweiss)
Thanks ragavgomatam.
Thing is, because this is a security issue, I cannot rely on clients to provide their genuine IP address, as attackers will provide a false one. Instead the solution requires figuring out their real origin.