6 Replies Latest reply on Apr 26, 2008 10:16 AM by ameo

SynchronizingLoginModule synchronize always

ameo Apr 22, 2008 1:48 PM

Hello,

the reference guide says that the SynchronizingLoginModule try to synchronize authenticated user into portal store using portal identity modules. I follow from this sentence, that it will only synchronize authenticated users. But i made other experience.

When my custom LoginModule delivers false, the synchronization occurs however. If the custom LoginModule delivers false, then I want that the authentication fails. But on my example, the authentication takes place and a user is created by the Sync-Module and the portal shows the pages and portlets.

I have a custom login module like this one..


public class CustomIdentityModule extends UsernamePasswordLoginModule {
..
 public boolean login() throws LoginException {
 super.loginOk = true/false;
 return true/false;

 }
 protected Group[] getRoleSets() throws LoginException {}
 ...
}

the login-config.xml


 <login-module code = "org.login.CustomIdentityModule" flag="requisite"
 <module-option name="dsJndiName">java:/CSDS</module-option>
 <module-option name="principalsQuery">SELECT PASSWD FROM USERS WHERE USERNAME=?</module-option>
 <module-option name="rolesQuery">SELECT userroles, 'Roles' FROM userroles where username =?</module-option>
 <!--
 <module-option name="hashAlgorithm">MD5</module-option>
 <module-option name="hashEncoding">HEX</module-option>
 -->
 <module-option name="additionalRole">Authenticated</module-option>
 </login-module>


 <login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional">
 <module-option name="synchronizeIdentity">true</module-option>
 <module-option name="synchronizeRoles">true</module-option>
 <module-option name="preserveRoles">true</module-option>
 <module-option name="additionalRole">Authenticated</module-option>
 <module-option name="defaultAssignedRole">User</module-option>
 <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
 <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
 <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
 <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
 </login-module>

1. Re: SynchronizingLoginModule synchronize always

bdaw Apr 22, 2008 2:32 PM (in response to ameo)

Its all in the docs:

http://docs.jboss.com/jbportal/v2.6.4/referenceGuide/html/authentication.html#authentication.synchronizing_login_module

It leverages the fact that in JAAS authentication process occurs in two phases. In first phase when login() method is invoked it always returns "true". Because of this behavior SynchronizingLoginModule should be always used with "optional" flag. More over it should be placed after the module we want to leverage as a source for synchronization and that module should have "required" flag set.

required != requisite :)
Actions
2. Re: SynchronizingLoginModule synchronize always

ameo Apr 23, 2008 6:29 AM (in response to ameo)
Hello,

I change the flag of my CustomIdentityModule from "requisite" to "requred" in the login-config.xml file.

<login-module code = "org.login.CustomIdentityModule" flag="requred"

Unfortunately the behaviour that the SynchronizingLoginModule always invokes and synchronize remains, if the login() -Method of the CustomIdentityModule returns false. That should not be.

I don't know what I can do anymore.
Actions
3. Re: SynchronizingLoginModule synchronize always

bdaw Apr 23, 2008 6:41 AM (in response to ameo)

Man... And if you make it "required" instead of "requred"? The synchronization happens in the commit() method - it happens always when authentication in whole LoginModule's stack overall is successful. Configure it properly to make it fail...
Actions
4. Re: SynchronizingLoginModule synchronize always

bdaw Apr 23, 2008 6:43 AM (in response to ameo)

If you want to understand the internals read this:

http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/JAASLMDevGuide.html#Intro

And look here then:

http://anonsvn.jboss.org/repos/portal/modules/identity/branches/JBP_IDENTITY_BRANCH_1_0/identity/src/main/org/jboss/portal/identity/auth/SynchronizingLoginModule.java
Actions
5. Re: SynchronizingLoginModule synchronize always

ameo Apr 23, 2008 9:02 AM (in response to ameo)

hello,

there was a spelling mistake in my post..sure, the value of the flag is "required" :-)

I tested the CustomLoginModule without the SynchronizingLoginModule. The authentication works fine. If the user enters a wrong password or a wrong unsername the login()-method returns false and the authentication fails.

And then, when I activate the SynchronizingLoginModule in the login-config.xml file the authentication success although the CustomLoginModule fails.

The commit-method of the SynchronizingLoginModule performs the sync, if the module-option flag synchronizeIdentity is true. In my case it is true, but you said...

The synchronization happens always when authentication in whole LoginModule's stack overall is successful.

and it seems to be successful. Therefore, I don't understand why the stack is successful since then.
Actions
6. Re: SynchronizingLoginModule synchronize always

ameo Apr 26, 2008 10:16 AM (in response to ameo)

Solved !

I thought that only the flag "loginOk" have to be set to false und the login-method habe to return false, therefore the authentication in whole fails. But you have to throw a LoginException, too !!

The JAAS LoginContext class sets a variable addicted to this Exception for subsequent loginmodules, like the SynchronizingLoginModule.

Puuhh
Actions

Go to original post