-
1. Re: JAAS authentication always succeeds
jbalunas.jbalunas.jboss.org Mar 6, 2008 3:24 PM (in response to emsa)
What does your authenticator.authenticate method look like?
-
2. Re: JAAS authentication always succeeds
emsa Mar 6, 2008 4:10 PM (in response to emsa)
I do not have one since I'm using the one built into Seam.
I think I have found the main issue: there was an unauthenticatedIdentity set in the JAAS configuration. This made the Seam authentication succeed in the manner described above.
-
3. Re: JAAS authentication always succeeds
jbalunas.jbalunas.jboss.org Mar 6, 2008 4:24 PM (in response to emsa)
Do you mean the one that is in seam-gen and/or some of the examples? The default Authenticator lets everything through - there is no check at all. That would explain what you are seeing.
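    import org.jboss.seam.annotations.In;
    import org.jboss.seam.annotations.Logger;
    import org.jboss.seam.log.Log;
    import org.jboss.seam.security.Identity;

    public class Authenticator {
        @Logger Log log;
        @In Identity identity;

        public boolean authenticate() {
            log.info("authenticating #0", identity.getUsername());
            // write your authentication logic here,
            // return true if the authentication was
            // successful, false otherwise
            identity.addRole("admin");
            return true;
        }
    }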
-
4. Re: JAAS authentication always succeeds
keithnaas Mar 6, 2008 9:02 PM (in response to emsa)
This is controlled by the allowEmptyPasswords setting in the JBoss login-config.xml - at least for the LdapLoginModule and the LdapExtLoginModule.
    <application-policy name="LdapToActiveDirectory">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
          <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
          ......
          <module-option name="allowEmptyPasswords">false</module-option>
        </login-module>
      </authentication>
    </application-policy>
For more details, see the javadocs or the jbossas docs.
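An added example, not part of the original thread: a small audit of a login-config.xml for the two settings named in the replies above, unauthenticatedIdentity and allowEmptyPasswords. The function name and the sample file are constructed for illustration, and reporting a missing allowEmptyPasswords on the LDAP modules is an assumption made here (that the module default permits empty passwords).

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the login-config.xml quoted in the thread.
SAMPLE = """<policy>
  <application-policy name="LdapToActiveDirectory">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">guest</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="Hardened">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

LDAP_MODULES = ("LdapLoginModule", "LdapExtLoginModule")


def audit_login_config(xml_text):
    """Return (policy, module class, finding) for each option that can let a
    login succeed without a real credential check."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("application-policy"):
        name = policy.get("name", "?")
        for module in policy.iter("login-module"):
            code = module.get("code", "")
            opts = {o.get("name"): (o.text or "").strip()
                    for o in module.findall("module-option")}
            # Any configured default identity is reported for review.
            if "unauthenticatedIdentity" in opts:
                findings.append((name, code, "unauthenticatedIdentity=" + opts["unauthenticatedIdentity"]))
            # Assumption: a missing allowEmptyPasswords is treated as unsafe.
            if code.endswith(LDAP_MODULES):
                value = opts.get("allowEmptyPasswords")
                if value is None or value.lower() != "false":
                    findings.append((name, code, "allowEmptyPasswords=" + (value or "<not set>")))
    return findings


if __name__ == "__main__":
    for finding in audit_login_config(SAMPLE):
        print(" | ".join(finding))
```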
-
5. Re: JAAS authentication always succeeds
emsa Mar 7, 2008 11:11 AM (in response to emsa)
Thanks, there's always one more setting ... ;-)