2 Replies Latest reply on May 19, 2008 11:06 AM by pieter.kuijpers

    'sufficient' loginmodules combined with ClientLoginModule

    pieter.kuijpers

      I have the following requirements for my web application running on JBoss 4.2.1:

      - Users should be authenticated against an LDAP directory
      - In LDAP, a user is registered in one of two locations, say ou=A or ou=B. So, the DN for a user might be uid=X,ou=A or uid=X,ou=B
      - I need to perform programmatic web authentication

      The solution I have come up with is to use two LdapLoginModules: one for each location. Both login-modules are set to 'sufficient'.

       <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
         <!-- regular options omitted -->
         <module-option name="principalDNPrefix">uid=</module-option>
         <module-option name="principalDNSuffix">,ou=A</module-option>
       </login-module>
       <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
         <!-- regular options omitted -->
         <module-option name="principalDNPrefix">uid=</module-option>
         <module-option name="principalDNSuffix">,ou=B</module-option>
       </login-module>


      This works as expected: authentication succeeds if the user can be authenticated against one of the two LDAP locations.

      To propagate the authentication info to the container, I use the ClientLoginModule as mentioned in the SecurityFAQ. This is added as the third loginmodule in my configuration:

       <login-module code="org.jboss.security.ClientLoginModule" flag="required">
         <module-option name="restore-login-identity">true</module-option>
         <module-option name="multi-threaded">true</module-option>
         <module-option name="password-stacking">useFirstPass</module-option>
       </login-module>


      What I want is that authentication fails when both Ldap loginmodules fail. In reality, authentication succeeds in that case, because the ClientLoginModule always succeeds. Thus, I have the two 'sufficient' ldap loginmodules fail, and the 'required' clientloginmodule succeed, resulting in a successful login.

      Is there a way to enforce that (at least) one of the ldap loginmodules succeed, and that the clientloginmodule is still invoked for a successful login?

        • 1. Re: 'sufficient' loginmodules combined with ClientLoginModul
          ragavgomatam

           There are 4 JAAS flags.
           (a) Sufficient - If this succeeds, no other module down the chain is invoked. Login succeeds
           (b) required -- This must succeed for overall authentication to succeed. If it fails control is passed to other module in the chain
           (c) requisite -- This must succeed. If it fails, control is not passed down the chain
           (d) Optional -- Well can pass/fail.

          Try as follows :-

          LdapModule1==>required
          LdapModule2==>required
          ClientModule==>Optional

          • 2. Re: 'sufficient' loginmodules combined with ClientLoginModul
            pieter.kuijpers

            Thanks for the reply. However, that configuration doesn't do what I want:

            In this situation:
            LdapModule1 (required)=>pass
            LdapModule2 (required)=>fail
            ClientModule (optional)=>pass

            I want the authentication process to pass. But as LdapModule2 is required, the overall result is fail.

            Also, I want:
            LdapModule1=>fail
            LdapModule2=>fail
            ClientModule=>pass
            Overall=====>fail

            As far as I understand, there is no configuration that could do that. The problem is the ClientModule that always passes, even though it doesn't do any real authentication. I think it would be more sensible if ClientModule always returned 'fail', then we could flag it as 'optional'.
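Added illustration, not code from this thread, from JBoss or from the JDK: a Python model of how a JAAS LoginContext walks a login-module chain under the four flags described in reply 1, run against the original sufficient/sufficient/required chain and the required/required/optional chain proposed in reply 1, for the pass/fail combinations listed in reply 2. The ClientLoginModule is simulated as always passing, as the thread describes. The module names, the `Module`/`evaluate` helpers, and the rule that an earlier sufficient or optional failure stops a later sufficient success from short-circuiting the chain are assumptions of this model.

```python
"""Model of the login phase of a JAAS LoginContext.

Constructed for illustration; not JBoss or JDK code. It follows the documented
flag semantics (required / requisite / sufficient / optional). One detail is an
assumption about the JDK implementation: a sufficient module that succeeds only
short-circuits the chain when no earlier module of any flag has failed.
"""
from dataclasses import dataclass
from enum import Enum


class Flag(Enum):
    REQUIRED = "required"
    REQUISITE = "requisite"
    SUFFICIENT = "sufficient"
    OPTIONAL = "optional"


@dataclass(frozen=True)
class Module:
    name: str
    flag: Flag
    passes: bool  # simulated outcome of this module's login() call


def evaluate(chain):
    """Return (overall_success, names of modules actually invoked).

    - a required failure is remembered but the chain continues;
    - a requisite failure stops the chain immediately;
    - a sufficient success stops the chain if nothing failed before it;
    - optional results never decide the outcome on their own;
    - with no required/requisite failure, at least one module must pass.
    """
    invoked = []
    required_failed = False  # a required or requisite module failed
    other_failed = False     # a sufficient or optional module failed
    any_success = False
    for m in chain:
        invoked.append(m.name)
        if m.passes:
            any_success = True
            if m.flag is Flag.SUFFICIENT and not required_failed and not other_failed:
                break  # short-circuit: modules after this one are not invoked
        elif m.flag is Flag.REQUIRED:
            required_failed = True
        elif m.flag is Flag.REQUISITE:
            required_failed = True
            break  # requisite failure ends the login phase at once
        else:
            other_failed = True
    return (not required_failed and any_success), invoked


def thread_config(ldap_a, ldap_b, client=True):
    """The original poster's chain: two sufficient LDAP modules, then a
    required ClientLoginModule that always passes (client defaults to True)."""
    return [Module("ldap-A", Flag.SUFFICIENT, ldap_a),
            Module("ldap-B", Flag.SUFFICIENT, ldap_b),
            Module("client", Flag.REQUIRED, client)]


def suggested_config(ldap_a, ldap_b, client=True):
    """The chain proposed in reply 1: required / required / optional."""
    return [Module("ldap-A", Flag.REQUIRED, ldap_a),
            Module("ldap-B", Flag.REQUIRED, ldap_b),
            Module("client", Flag.OPTIONAL, client)]


def scenario_table():
    """Evaluate every LDAP pass/fail combination for both chains.

    Returns {(chain_label, ldap_a_passes, ldap_b_passes): (success, invoked)}.
    """
    rows = {}
    builders = (("sufficient/sufficient/required", thread_config),
                ("required/required/optional", suggested_config))
    for label, build in builders:
        for a in (True, False):
            for b in (True, False):
                ok, invoked = evaluate(build(a, b))
                rows[(label, a, b)] = (ok, tuple(invoked))
    return rows


if __name__ == "__main__":
    for (cfg, a, b), (ok, invoked) in scenario_table().items():
        print(f"{cfg:31} A={'pass' if a else 'fail'} B={'pass' if b else 'fail'}"
              f" -> {'PASS' if ok else 'FAIL'} via {list(invoked)}")
```

The table reproduces both complaints in the thread: with the sufficient/sufficient/required chain, two LDAP failures still end in success because the always-passing required module is the only one counted; with required/required/optional, a user found in only one of the two branches is rejected. The same model is a quick way to check any other flag arrangement before deploying it to a login-config.xml.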