5 Replies Latest reply on May 11, 2006 10:26 PM by bsheward

    JBAS-1468: Add support for IP address reporting inside a Log

    ricardoarguello

      What would be the best approach to resolve [JBAS-1468]:

      Add support for IP address reporting inside a Login Module
      http://jira.jboss.com/jira/browse/JBAS-1468

      I initially committed some code to obtain the IP address from the client using a Tomcat Valve. Since there was too much coupling between the Valve and JBossSecurityMgrRealm, the code was rolled back.

      Another possible implementation could be creating a new Realm that expects the IPAddressValve to be declared in the web application. Since it's another Realm, not the default one (JBossSecurityMgrRealm), web apps should declare its use (using a context.xml file).

      Any thoughts?

        • 1. Re: JBAS-1468: Add support for IP address reporting inside a
          starksm64

          The login module needs to request the information required for authentication using a custom callback handler. Then you need to install a custom javax.security.auth.callback.CallbackHandler that can provide the current request header info based on a Valve and thread local. A custom CallbackHandler can be installed using the CallbackHandlerClassName attribute of the org.jboss.security.plugins.JaasSecurityManagerService.

          The existing IPAddressValve should really just be generalized to save the current HttpServletRequest. The custom CallbackHandler should be in the org.jboss.web.tomcat.security package and it should extend the default org.jboss.security.auth.callback.SecurityAssociationHandler and delegate to it any Callback it does not understand.

          There needs to be a unit test added to the testsuite. Look at how the JACC unit tests run on a custom configuration of jboss to see how the tests need to be set up to use the customized JaasSecurityManagerService configuration.
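
The valve, thread-local and delegating CallbackHandler arrangement described in reply 1, as an added example that is not part of the original thread and not JBoss code. It uses only JDK classes: `REMOTE_ADDR`, `RemoteAddressCallback`, `WebCallbackHandler` and `withRequest` are hypothetical names, `withRequest` stands in for the valve's request processing, and the `parent` handler stands in for SecurityAssociationHandler.

```java
import java.io.IOException;
import javax.security.auth.callback.*;

public class RequestCallbackDemo {
    // Hypothetical holder: the valve stores the caller's address for the current thread.
    static final ThreadLocal<String> REMOTE_ADDR = new ThreadLocal<>();

    // Hypothetical callback a login module passes to ask for the client address.
    static class RemoteAddressCallback implements Callback { String address; }

    // Answers RemoteAddressCallback itself and delegates any other callback.
    static class WebCallbackHandler implements CallbackHandler {
        private final CallbackHandler parent; // stand-in for SecurityAssociationHandler
        WebCallbackHandler(CallbackHandler parent) { this.parent = parent; }
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof RemoteAddressCallback) {
                    ((RemoteAddressCallback) cb).address = REMOTE_ADDR.get();
                } else {
                    parent.handle(new Callback[] { cb });
                }
            }
        }
    }

    // Stand-in for the valve: set the value before the request is processed and
    // always clear it afterwards, because container worker threads are pooled and
    // a stale value would otherwise be reported for a later, unrelated request.
    static void withRequest(String remoteAddr, Runnable next) {
        REMOTE_ADDR.set(remoteAddr);
        try { next.run(); } finally { REMOTE_ADDR.remove(); }
    }

    public static void main(String[] args) {
        CallbackHandler parent = cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice"); // constructed value
                else throw new UnsupportedCallbackException(cb);
            }
        };
        CallbackHandler handler = new WebCallbackHandler(parent);
        withRequest("192.0.2.10", () -> { // constructed address from the documentation range
            NameCallback name = new NameCallback("user: ");
            RemoteAddressCallback addr = new RemoteAddressCallback();
            try { handler.handle(new Callback[] { name, addr }); }
            catch (IOException | UnsupportedCallbackException e) { throw new IllegalStateException(e); }
            System.out.println(name.getName() + " authenticated from " + addr.address);
        });
        System.out.println("after request, thread-local holds: " + REMOTE_ADDR.get());
    }
}
```
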

          • 2. Re: JBAS-1468: Add support for IP address reporting inside a
            ricardoarguello

            I think I have the complete picture, I'll start coding tonight.

            Just one question: Why not add this new CallbackHandler to the SecurityAssociationHandler?

            Thanks,

            Ricardo Argüello

            • 3. Re: JBAS-1468: Add support for IP address reporting inside a
              starksm64

              There is no explicit dependency on the servlet container or servlet api in the security module and none should be added to avoid propagation of an existing problem of cross module dependencies.

              There is an implicit dependency due to the JACC service's dependency on the JACC permission classes, and this service should in fact be moved out of the security module to clean this up.

              • 4. Re: JBAS-1468: Add support for IP address reporting inside a
                ricardoarguello

                I committed some code to resolve JBAS-1468 in the 4.0 branch. I'll commit it to the HEAD branch later.

                I'm working on the unit test right now. If somebody wants to help, you are welcome.

                Ricardo

                • 5. Re: JBAS-1468: Add support for IP address reporting inside a

                  Hi,

                  Can you please provide any more hints on how to use this LoginModule?

                  For example, what configuration do I need to do to login-conf.xml?

                  What methods do I need to override to get the username and password that were passed from my j_security_check form submission?

                  Can I override the login() method to do custom things?

                  Thanks and Regards,

                  Barry