4 Replies Latest reply on Dec 4, 2008 11:05 AM by dlofthouse

JBoss Negotiation - Onto The GA Release

dlofthouse Dec 4, 2008 10:39 AM

Apart from some small code areas to tidy up I have one area that still needs to be decided before we can release the first GA.

The implementation of the login module requires an LDAP login module to be chained so that the LDAP login module can perform the roles search.

Our existing login modules were not really up to the job for this so the JBoss Negotiation project now contains a new login module: -

org.jboss.security.negotiation.AdvancedLdapLoginModule

https://jira.jboss.org/jira/browse/SECURITY-133

This new login module no longer extends the 'UsernamePasswordLoginModule' as it was this design pattern that was making using this login module for just role searches difficult.

The new login module is very similar to the 'LdapExtLoginModule', the roles search is subtly different from the 'LdapExtLoginModule' roles search but I could modify this to be compatible if needed. In addition to this the new login module can authenticate itself against LDAP using GSSAPI and a local keytab.

The questions are: -

Are we happy to have a third LDAP login module?

Where should it live? Although the JBoss Negotiation project was the driving need for this module there is no reason for the module itself to be part of JBoss Negotiation.

1. Re: JBoss Negotiation - Onto The GA Release

anil.saldhana Dec 4, 2008 10:49 AM (in response to dlofthouse)

I do not see any issue in this 3rd ldap login module to reside in the negotiation project, because it has the direct dependence to it.

There is no restriction on any LM to extend any of JBoss LMs.
Actions
2. Re: JBoss Negotiation - Onto The GA Release

dlofthouse Dec 4, 2008 10:52 AM (in response to dlofthouse)

I am happy to keep the login module in the negotiation project but the point is there is no real dependency either way both the negotiation authenticator and the login module are completely independent of each other but if you want to configure SPNEGO authentication with roles retrieved from LDAP then you would combine both together.
Actions
3. Re: JBoss Negotiation - Onto The GA Release

anil.saldhana Dec 4, 2008 10:56 AM (in response to dlofthouse)

Question is whether the ldap login module has usage outside of spnego usecases?

The other thing is that 4.x security is frozen. So we are not adding any new features there.

Since negotiation is a drop in use in 4.x and 5.x of AS, I think for the time being, the LM can stay in negotiation.
Actions
4. Re: JBoss Negotiation - Onto The GA Release

dlofthouse Dec 4, 2008 11:05 AM (in response to dlofthouse)

"anil.saldhana@jboss.com" wrote:
Question is whether the ldap login module has usage outside of spnego usecases?

Yes there are uses for this login module anywhere that you would have used one of the other two login modules.

I wrote it so am biased but I believe it is a cleaner implementation by avoiding some of the design restrictions inherited from the 'UsernamePasswordLoginModule' :-) This makes it much easier to separate the users authentication from the roles search logic.

In addition to this the GSSAPI authentication can be used as a different mechanism to remove the password of the user performing the searches and instead place it in a keytab.

The final improvement is in the recursive roles search, now instead of defining how deep to go the module can go as deep as is needed but instead detects looping to prevent an infinity recursive search.

"anil.saldhana@jboss.com" wrote:

The other thing is that 4.x security is frozen. So we are not adding any new features there.

Since negotiation is a drop in use in 4.x and 5.x of AS, I think for the time being, the LM can stay in negotiation.

Ok if we keep it as part of the negotiation project we can then use inheritance if we want to move it later to maintain backwards compatibility.
Actions

Go to original post