Login module that depends on a datasource
gubespam Jan 25, 2011 6:23 PM
We have a custom login module implementation that reads role-related (authorization) information from a database. To achieve that, we have (in conf/login-config.xml):
{code:xml}
<application-policy name="my-company-policy">
  <authentication>
    <login-module code="com.et.security.ETLoginModule" flag="required">
      <module-option name="java.naming.provider.url">...</module-option>
      <module-option name="bindDN">...</module-option>
      <module-option name="bindCredential">...</module-option>
      <module-option name="baseCtxDN">...</module-option>
      <module-option name="baseFilter">...</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <module-option name="dsJndiName">java:/securityUserDS</module-option>
      <module-option name="roleQuery">...</module-option>
    </login-module>
  </authentication>
</application-policy>
{code}
As shown, this has an implicit dependency on a datasource called "securityUserDS". The security_user-ds.xml file looks like:
{code:xml}
<datasources>
  <local-tx-datasource>
    <jndi-name>securityUserDS</jndi-name>
    <connection-url>jdbc:oracle:thin:@server:1521:database</connection-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <transaction-isolation>TRANSACTION_READ_COMMITTED</transaction-isolation>
    <security-domain>SecurityUser_EncryptDBPassword</security-domain>
    <min-pool-size>1</min-pool-size>
    <max-pool-size>30</max-pool-size>
    <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
    <metadata>
      <type-mapping>Oracle9i</type-mapping>
    </metadata>
  </local-tx-datasource>
</datasources>
{code}
That in turn uses a security-domain so that we don't have a cleartext password in our XML file. The security domain is specified in the conf/login-config.xml file:
{code:xml}
<application-policy name="SecurityUser_EncryptDBPassword">
  <authentication>
    <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
      <module-option name="username">...</module-option>
      <module-option name="password">...</module-option>
      <module-option name="managedConnectionFactoryName">jboss.jca:name=securityUserDS,service=LocalTxCM</module-option>
    </login-module>
  </authentication>
</application-policy>
{code}
The problem is that, sometimes, when we start up JBoss, we get a "securityUserDS not bound" exception, because something tries to access our custom login module (both the JMX console and our JMS setup use our "my-company-policy") before the securityUser datasource has been deployed. Sometimes, this error does not occur.
So, the question is two-fold:
1. How can we specify an explicit dependency of our custom login module on the datasource?
2. How can we break the circular dependency? (login module (in login-config.xml) -> datasource -> security domain (in login-config.xml))
We are using JBoss AS 5.1.0 GA.
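
The reference chain described in the question, traced in an added Python example (not part of the original post and not JBoss code): it reads trimmed, constructed copies of the two files and reports which policies and datasources name each other. Treating `dsJndiName`, `security-domain` and `managedConnectionFactoryName` as reference edges, and the `policy:`/`ds:` node labels, are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed copies of the two files quoted in the post.
LOGIN_CONFIG = """<policy>
<application-policy name="my-company-policy"><authentication>
<login-module code="com.et.security.ETLoginModule" flag="required">
<module-option name="dsJndiName">java:/securityUserDS</module-option>
</login-module></authentication></application-policy>
<application-policy name="SecurityUser_EncryptDBPassword"><authentication>
<login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
<module-option name="managedConnectionFactoryName">jboss.jca:name=securityUserDS,service=LocalTxCM</module-option>
</login-module></authentication></application-policy>
</policy>"""
DS_XML = """<datasources><local-tx-datasource>
<jndi-name>securityUserDS</jndi-name>
<security-domain>SecurityUser_EncryptDBPassword</security-domain>
</local-tx-datasource></datasources>"""

def reference_edges(login_config, ds_xml):
    """Map each policy/datasource to the policies/datasources it names."""
    edges = {}
    for pol in ET.fromstring(login_config).iter("application-policy"):
        deps = edges.setdefault("policy:" + pol.get("name"), set())
        for opt in pol.iter("module-option"):
            text = (opt.text or "").strip()
            if opt.get("name") == "dsJndiName":  # JNDI name, java:/ prefix dropped
                deps.add("ds:" + re.sub(r"^java:/?", "", text))
            elif opt.get("name") == "managedConnectionFactoryName":  # JMX name= key
                deps.update("ds:" + n for n in re.findall(r"name=([^,]+)", text))
    for ds in ET.fromstring(ds_xml):  # one child element per datasource
        deps = edges.setdefault("ds:" + ds.findtext("jndi-name", "").strip(), set())
        domain = ds.findtext("security-domain", "").strip()
        if domain:
            deps.add("policy:" + domain)
    return edges

def reachable(edges, start):
    """Everything `start` refers to, directly or transitively."""
    seen, stack = set(), [start]
    while stack:
        for nxt in edges.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def cyclic_nodes(edges):
    """Nodes that end up referring back to themselves."""
    return sorted(n for n in edges if n in reachable(edges, n))
```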