6 Replies Latest reply on Apr 27, 2003 2:17 PM by spiritualmechanic

    use of javax.security.auth.Subject

    padams

Is there any way to get an instance of Subject that contains credentials to my connection aside from principal mapping?

      I would like to configure JBoss to authenticate against the same LDAP repository as my EIS and have the credentials the user logged in with passed to my connector. I can have JBoss authenticate against LDAP fine (using org.jboss.security.auth.spi.LdapLoginModule) but when my connection is created the subject I'm given contains only principals and no credentials. As a result I cannot pass them along to my EIS.

      This works fine with Sun ONE. I'd like to avoid requiring the user application to manage the credentials.

      My connector is using the BasicPassword authentication-mechanism with the credential-interface set to javax.resource.security.PasswordCredential.

      Any help would be appreciated.

        • 1. Re: use of javax.security.auth.Subject
          davidjencks

          This should work with the CallerIdentityLoginModule (from the connector module). You need an additional login module for each ManagedConnectionFactory beyond the applications' login module because the PasswordCredential has to include the managedConnectionFactory it is intended for.

          Can you verify that the LDAP login module is actually including the credentials in the Subject it creates?

          I haven't actually tested the CallerIdentityLoginModule so if there are problems please speak up.

          Thanks
          david jencks

          • 2. Re: use of javax.security.auth.Subject
            padams

            Can you supply any details on how I should configure the CallerIdentityLoginModule? I'm assuming I configure this in my deployed service.xml file? I've configured the LDAP login module in server/default/conf/login-config.xml.

            I haven't been able to verify the subject contains credentials. By the time my connector gets the subject it appears not to.

            Thanks,
            -paul

            • 3. Re: use of javax.security.auth.Subject
              davidjencks

              The configuration for any login module should go in login-config.xml. (There is supposed to be a way to hot deploy them but I don't know what it is.) There are some examples for ConfiguredIdentityLoginModule there. You need to supply a Realm name that matches the security domain name in the *-service/ds.xml file and also the object name of the connection manager mbean for your datasource. As I recall you can also supply a default user/pw in case there is no security context(???).

              What should happen if it is working is that the CallerIdentity login module supplies a subject with a single credential, that being a PasswordCredential with the user/pw and managed connection factory. Without one of the jca login modules, there will be no PasswordCredential for your adapter to use.
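The two login-config.xml entries the reply above describes, written out as an added example (not from this thread or from the JBoss distribution). The realm names, the LDAP connection settings and the connection manager MBean object name are assumptions to be replaced with the values from your own *-service/ds.xml deployment:

```xml
<!-- Added example (not from this thread): server/default/conf/login-config.xml
     with one application-policy for the application and a second one for the
     connector. Realm names, LDAP settings and the MBean name are assumptions. -->
<policy>

  <!-- 1. The application's own security domain: users authenticate against LDAP.
          This is the domain the EJB/web deployment descriptors reference. -->
  <application-policy name="MyAppLdapRealm">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://ldap.example.com:389/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="principalDNPrefix">uid=</module-option>
        <module-option name="principalDNSuffix">,ou=People,dc=example,dc=com</module-option>
        <module-option name="rolesCtxDN">ou=Roles,dc=example,dc=com</module-option>
        <module-option name="uidAttributeID">member</module-option>
        <module-option name="roleAttributeID">cn</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- 2. A separate domain for the connector. Its name must match the
          security-domain configured for the datasource / connection factory,
          and managedConnectionFactoryName must be the object name of that
          connection manager MBean, so the PasswordCredential the module adds
          is tagged with the ManagedConnectionFactory it is intended for. -->
  <application-policy name="MyEisRealm">
    <authentication>
      <login-module code="org.jboss.resource.security.CallerIdentityLoginModule" flag="required">
        <!-- Fallback identity, used only when no caller identity is on the
             thread (e.g. work started by a timer rather than a logged-in user). -->
        <module-option name="userName">eis-default-user</module-option>
        <module-option name="password">CHANGE-ME</module-option>
        <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=MyEisDS</module-option>
      </login-module>
    </authentication>
  </application-policy>

</policy>
```

If the connector keeps receiving the fallback identity, check that the caller actually authenticated through the first domain on the same thread: CallerIdentityLoginModule takes the caller's principal and credential from the security association, not from the application's Subject.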

              • 4. Re: use of javax.security.auth.Subject
                padams

                Brilliant! That worked great. Thanks for the help.

                • 5. Re: use of javax.security.auth.Subject

                  Hey David,
                  One thing I noticed (I'm using CallerIdentityLoginModule) with my JCA adapter is that it always uses the default username/password.

                  Looking through the code, the SecurityAssociation.getPrincipal() and SecurityAssociation.getCredential() always come back null.

                  How do I get to propagate the user subject that logged in?

                  • 6. Re: use of javax.security.auth.Subject

                    Ah, it seems I had a bad configuration. Once I fixed that, the username/password is coming through nicely.
                    Steve