6 Replies Latest reply on Aug 24, 2009 10:13 PM by teddyliu

problem about cas sso:DBIdentityLoginModule can not get pas

sportsbaby1980 Aug 29, 2008 5:27 AM

Now I find out,there are twice authentication for jboss portal with cas sso.
The first:
CAS authentication uses CASAuthenticationHandler,which call a MBean(name="portal:service=Module,type=CASAuthenticationService") to authenticate.

The second:
Jboss portal use \jboss-portal.sar\conf\login-config.xml to do another authentication.
It use the loginmodule defined in the <application-policy name="portal">.

Now I write my own classes for the 2 step authentication.
The first step has successed.
In the second step,I can get the value of username,but can not get the password value ,either from sharedState.get("javax.security.auth.login.password") nor from the getUsernameAndPassword method.

I have check the api and source code and docments,but nothing helpful found.

It makes me puzzled.

1. Re: problem about cas sso:DBIdentityLoginModule can not get

soshah Aug 29, 2008 10:40 AM (in response to sportsbaby1980)

Are you following the CAS integration instructions here:

http://docs.jboss.com/jbportal/v2.6.6/referenceGuide/html/sso.html#d0e13189

If not, please do this as a baseline for success, and then customize whatever you need to on your end

Note, make sure you are using CAS 3.0.7. I think the higher versions of CAS are incompatible with this approach of integration, since their App Server integration have changed

Thanks
Sohil
Actions
2. Re: problem about cas sso:DBIdentityLoginModule can not get

sportsbaby1980 Aug 31, 2008 11:10 PM (in response to sportsbaby1980)

thanks Sohil.
yes.
I have read the articles I can find about cas sso for jboss portal and successed.
Now,what I want to do is use our db instead of portal db as the user data of sso.
because our user password is custom encrypted ,so org.jboss.portal.identity.crm.DBIdentityLoginModule
can not authenticate successfully,
so should be decrypted it before authentication.

I have do a test:
write a sub class of IdentityLoginModule and DBIdentityLoginModule,just override the validatepassword(String inputpassword,String expectedpassword) method ,log the value of the parameters.
In the validatepassword method,the value of input password parameter is null.

But with the IdentityLoginModule provided by portal,it still ahtenticates successfully.

I have downloaded the jboss-4.23-src,
try to trace the login method and see what happened .
Actions

3. Re: problem about cas sso:DBIdentityLoginModule can not get

sportsbaby1980 Aug 31, 2008 11:13 PM (in response to sportsbaby1980)

the class I write:


import javax.security.auth.login.LoginException;

import org.apache.log4j.Logger;
import org.jboss.portal.identity.auth.IdentityLoginModule;

public class CRMIdentityLoginModule extends IdentityLoginModule{
 private static final Logger logger = Logger.getLogger(CRMIdentityLoginModule.class);
 @Override
 protected boolean validatePassword(String inputPassword, String expectedPassword) {
 logger.info("inputPassword="+inputPassword+",expectedPassword="+expectedPassword);
 return super.validatePassword(inputPassword, expectedPassword);
 }
 @Override
 protected String[] getUsernameAndPassword() throws LoginException {
 String [] strs = super.getUsernameAndPassword();
 for(String str:strs){
 logger.info("str==="+str);
 }
 return strs;
 }
 @Override
 protected String createPasswordHash(String username, String password, String arg2)
 throws LoginException {
 logger.info("arg0==="+username);
 logger.info("arg1==="+password);
 logger.info("arg2==="+arg2);
 return super.createPasswordHash(username, password, arg2);
 }
}

result:

10:55:15,765 INFO [CRMIdentityLoginModule] str===029
10:55:15,765 INFO [CRMIdentityLoginModule] str===null
10:55:15,765 INFO [CRMIdentityLoginModule] inputPassword=null,expectedPassword=

4. Re: problem about cas sso:DBIdentityLoginModule can not get

sportsbaby1980 Aug 31, 2008 11:42 PM (in response to sportsbaby1980)

In IdentityLoginModule,

 protected boolean validatePassword(final String inputPassword, String expectedPassword)
 {
 HttpServletRequest request = null;
 try
 {
 request = (HttpServletRequest) PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
 }
 catch(Exception e)
 {
 log.error(this,e);
 throw new RuntimeException(e);
 }

 Object ssoSuccess = request.getAttribute("ssoSuccess");
 if(ssoSuccess != null)
 {
 return true;
 }

I think I find it.

If sso,just return true.
So I can do the same in the DBIdentityLoginModule.

yes or no?

5. Re: problem about cas sso:DBIdentityLoginModule can not get

sportsbaby1980 Sep 1, 2008 2:31 AM (in response to sportsbaby1980)

import javax.security.auth.login.LoginException;
import javax.security.jacc.PolicyContext;
import javax.servlet.http.HttpServletRequest;
import org.jboss.portal.identity.auth.DBIdentityLoginModule;

public class CRMDBIdentityLoginModule extends DBIdentityLoginModule {

 @Override
 protected boolean validatePassword(String inputPassword,
 String expectedPassword) {
// logger.info("inputPassword=="+inputPassword);
// logger.info("expectedPassword=="+expectedPassword);
 HttpServletRequest request = null;
 try {
 request = (HttpServletRequest) PolicyContext
 .getContext("javax.servlet.http.HttpServletRequest");
 } catch (Exception e) {
 log.error(this, e);
 throw new RuntimeException(e);
 }
 Object ssoSuccess = request.getAttribute("ssoSuccess");
// logger.info("ssoSuccess=="+ssoSuccess);
 if (ssoSuccess != null) {
 return true;
 }
 return super.validatePassword(inputPassword, expectedPassword);
 }


 @Override
 protected String createPasswordHash(String username, String password,
 String arg2) throws LoginException {
 return password;
 }
}

6. Re: problem about cas sso:DBIdentityLoginModule can not get

teddyliu Aug 24, 2009 10:13 PM (in response to sportsbaby1980)

I have the exactly same problem with you. have you resolved the it. I really want know how to deel with this.
Actions

Go to original post