1 Reply Latest reply on Jan 26, 2011 6:47 AM by wolfgangknauf

    Login module that depends on a datasource

    gubespam

      We have a custom login module implementation that reads role-related (authorization) information from a database. To achieve that, we have (in conf/login-config.xml):

       

      {code:xml}
        <application-policy name="my-company-policy">
          <authentication>
            <login-module code="com.et.security.ETLoginModule" flag="required">
              <module-option name="java.naming.provider.url">...</module-option>
              <module-option name="bindDN">...</module-option>
              <module-option name="bindCredential">...</module-option>
              <module-option name="baseCtxDN">...</module-option>
              <module-option name="baseFilter">...</module-option>
              <module-option name="allowEmptyPasswords">false</module-option>
              <module-option name="dsJndiName">java:/securityUserDS</module-option>
              <module-option name="roleQuery">...</module-option>
            </login-module>
          </authentication>
        </application-policy>
      {code}

       

      As shown, this has an implicit dependency on a datasource called "securityUserDS". The security_user-ds.xml file looks like:

       

      {code:xml}
      <datasources>
        <local-tx-datasource>
          <jndi-name>securityUserDS</jndi-name>
          <connection-url>jdbc:oracle:thin:@server:1521:database</connection-url>
          <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
          <transaction-isolation>TRANSACTION_READ_COMMITTED</transaction-isolation>
          <security-domain>SecurityUser_EncryptDBPassword</security-domain>
          <min-pool-size>1</min-pool-size>
          <max-pool-size>30</max-pool-size>
          <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
          <metadata>
            <type-mapping>Oracle9i</type-mapping>
          </metadata>
        </local-tx-datasource>
      </datasources>
      {code}

       

      That in turn uses a security-domain so that we don't have a cleartext password in our XML file. The security domain is specified in the conf/login-config.xml file:

       

      {code:xml}
        <application-policy name="SecurityUser_EncryptDBPassword">
          <authentication>
            <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
              <module-option name="username">...</module-option>
              <module-option name="password">...</module-option>
              <module-option name="managedConnectionFactoryName">jboss.jca:name=securityUserDS,service=LocalTxCM</module-option>
            </login-module>
          </authentication>
        </application-policy>
      {code}

       

      The problem is that, sometimes, when we start up JBoss, we get a "securityUserDS not bound" exception, because something tries to access our custom login module (both the JMX console and our JMS setup use our "my-company-policy") before the securityUser datasource has been deployed. Sometimes, this error does not occur.

       

      So, the question is two-fold:

      1. How can we specify an explicit dependency of our custom login module on the datasource?

      2. How can we break the circular dependency? (login module (in login-config.xml) -> datasource -> security domain (in login-config.xml))

       

      We are using JBoss AS 5.1.0 GA.
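
The dependency chain described in the post, made explicit as an added example (not part of the original post and not JBoss code): a Python check that reads the cross-referencing options from both files and reports what each policy transitively needs before it can authenticate. The `<policy>` root element, the `policy:`/`ds:` node labels, and reading `managedConnectionFactoryName` as a reference back to the datasource are assumptions; the input is constructed from the post's snippets.

```python
import re
import xml.etree.ElementTree as ET
# Constructed input trimmed from the post's files; the <policy> root is an assumption.
LOGIN_CONFIG = """<policy>
 <application-policy name="my-company-policy"><authentication>
  <login-module code="com.et.security.ETLoginModule" flag="required">
   <module-option name="dsJndiName">java:/securityUserDS</module-option>
  </login-module></authentication></application-policy>
 <application-policy name="SecurityUser_EncryptDBPassword"><authentication>
  <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
   <module-option name="managedConnectionFactoryName">jboss.jca:name=securityUserDS,service=LocalTxCM</module-option>
  </login-module></authentication></application-policy>
</policy>"""
DATASOURCES = """<datasources><local-tx-datasource>
 <jndi-name>securityUserDS</jndi-name>
 <security-domain>SecurityUser_EncryptDBPassword</security-domain>
</local-tx-datasource></datasources>"""

def dependency_edges(login_xml, ds_xml):
    """Return (from, to) edges between 'policy:<name>' and 'ds:<name>' nodes."""
    edges = set()
    for policy in ET.fromstring(login_xml).iter("application-policy"):
        src = "policy:" + policy.get("name")
        for opt in policy.iter("module-option"):
            value = (opt.text or "").strip()
            if opt.get("name") == "dsJndiName":  # java:/X -> X
                edges.add((src, "ds:" + value.rsplit("/", 1)[-1]))
            elif opt.get("name") == "managedConnectionFactoryName":
                for m in re.finditer(r"name=([^,]+)", value):  # ObjectName key
                    edges.add((src, "ds:" + m.group(1)))
    for ds in ET.fromstring(ds_xml):
        name, domain = ds.findtext("jndi-name"), ds.findtext("security-domain")
        if name and domain:
            edges.add(("ds:" + name.strip(), "policy:" + domain.strip()))
    return edges

def reachable(edges, start):
    """Every node that `start` depends on, directly or transitively."""
    seen, todo = set(), [start]
    while todo:
        node = todo.pop()
        for src, dst in edges:
            if src == node and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen

def in_cycle(edges, node):
    return node in reachable(edges, node)  # node is its own prerequisite
```

On this input, `my-company-policy` reaches both the datasource and the `SecurityUser_EncryptDBPassword` policy, and the datasource is reported as part of a cycle with that policy.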