4 Replies Latest reply on Feb 10, 2005 3:40 PM by darma

    Authentication custom handler and JAAS module

    darma

      Could someone please comment (advantages/disadvantages) on the use of a custom handler to authenticate against a security server (SimpleAuthenticationHandler.java, HTTPAuthHandler.java), as opposed to using a JAAS login module to do the same (UsernamePasswordLoginModule.java).

      The requirement is to use http basic auth to facilitate interoperability.
      The security server returns a token that is later used for authorization purposes.
      The token will be stored in the MessageContext to be passed to a custom provider that uses a dynamic proxy to forward requests to various backend EJB containers.

      Using a JAAS module with credential caching enabled on Tomcat, how do I guarantee that the token is passed to the MessageContext (of the relevant request) in the handler chain?

      Are there any descriptor samples or documentation for custom handlers (other than the Axis-specific deployment descriptor)?

      Comments appreciated.

      Darma

        • 1. Re: Authentication custom handler and JAAS module
          jason.greene

          If you are using basic auth, then the credentials are going to be passed in each and every http request, which means you don't need to cache them. When using basic auth in JBossWS, it will authenticate you according to its security zone, store the credentials, pass them to the EJB layer on invocation, at which point the EJB layer will authenticate you again. Both would use the same JAAS module.

          There is a wiki entry that describes how to configure basic auth:
          http://www.jboss.org/wiki/Wiki.jsp?page=WSSecureEndpoint

          • 2. Re: Authentication custom handler and JAAS module
            darma

            The purpose of caching is to avoid an expensive authentication operation to the security server.

            Passing credentials to the EJB layer is outside the requirements; the goal is to use the token for post-JBossWS layer authentication (and again avoid an expensive authentication call). Storing the token in the MessageContext is convenient to this use case. (EJB layer invocation is not through InvokerProviderEJB but through a custom provider to support backend heterogeneity.)

            My question is more relevant to using a custom handler for authentication (similar to SimpleAuthenticationHandler.java) as opposed to using a JAAS login module. Could someone please comment on this.

            Thanks.
            Darma


            • 3. Re: Authentication custom handler and JAAS module
              starksm64

              It's just a question of reuse. If the authentication mechanism is not going to be used for anything but the webservice, then it hardly matters how it's implemented. If the authentication mechanism is going to be used with servlets, ejbs, datasources or any other resource that supports the jboss jaas style authentication then a login module is the better choice.
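To make the reuse argument concrete, here is an added example of the JAAS approach: a plain LoginModule that authenticates once against the security server, keeps the returned token as a private credential on the Subject, and can therefore be wired to web services, servlets and EJBs alike. This is not code from the thread or from JBoss; `SecurityServerClient`, the `securityServerClient` module option and the `UserPrincipal`/`SecurityToken` classes are assumptions made for the illustration.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical client for the external security server (an assumption, not a real API). */
interface SecurityServerClient {
    /** Returns the authorization token, or null when the credentials are rejected. */
    String authenticate(String username, char[] password);
}

/** Principal added to the Subject on a successful commit. */
final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

/** The server-issued token, kept as a private credential so later layers can reuse it. */
final class SecurityToken {
    private final String value;
    SecurityToken(String value) { this.value = value; }
    public String getValue() { return value; }
}

public class TokenLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler callbackHandler;
    private SecurityServerClient client;
    private String username;
    private String token;
    private boolean loginSucceeded;
    private UserPrincipal principal;
    private SecurityToken credential;

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        // Assumption: the container supplies the client object under this option key.
        this.client = (SecurityServerClient) options.get("securityServerClient");
    }

    /** Phase 1: collect the basic-auth username/password and call the security server once. */
    public boolean login() throws LoginException {
        if (callbackHandler == null || client == null) {
            throw new LoginException("LoginModule needs a CallbackHandler and a security server client");
        }
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            callbackHandler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("Could not obtain credentials: " + e.getMessage());
        }
        username = nameCb.getName();
        char[] password = passCb.getPassword();   // getPassword() hands back a copy
        passCb.clearPassword();
        try {
            token = (password == null) ? null : client.authenticate(username, password);
        } finally {
            if (password != null) Arrays.fill(password, '\0');   // do not keep the secret around
        }
        if (token == null) throw new FailedLoginException("Authentication failed for " + username);
        loginSucceeded = true;
        return true;
    }

    /** Phase 2: populate the Subject only now, so a failing sibling module leaves it untouched. */
    public boolean commit() {
        if (!loginSucceeded) return false;
        principal = new UserPrincipal(username);
        credential = new SecurityToken(token);
        subject.getPrincipals().add(principal);
        subject.getPrivateCredentials().add(credential);
        return true;
    }

    /** Called when the overall login fails: undo anything commit() may already have added. */
    public boolean abort() { return logout(); }

    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        if (credential != null) subject.getPrivateCredentials().remove(credential);
        username = null; token = null; loginSucceeded = false; principal = null; credential = null;
        return true;
    }
}
```

Once the container has run this module, a web-service handler can fetch the token with `subject.getPrivateCredentials(SecurityToken.class)` and copy it into the MessageContext for the custom provider, while servlets and EJBs secured by the same login-config entry get the same principal and token without a second call to the security server. A handler-only implementation would have to repeat that logic for every other resource type.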

              • 4. Re: Authentication custom handler and JAAS module
                darma

                Thanks a lot for the clarification. I appreciate the prompt response. Really makes a difference.

                --Darma