5 Replies Latest reply on Mar 7, 2008 11:11 AM by emsa

    JAAS authentication always succeeds

    emsa

      I'm trying to make Seam authenticate using my own realm.


      I have set up the Realm in login-config.xml and mapped the Realm in Seam with:


      <security:identity
        authenticate-method="#{authenticator.authenticate}" 
        jaas-config-name="MyRealm"/>



      so far so good.


      When logging in with a correct username and password I am authenticated as expected, and when issuing a bad username and password I am not.


      But when issuing any username and an empty password I am always being authenticated.


      Also a bit weird is that as soon as some identity is accepted, further logins using Seam will always succeed (maybe just in the same session); no check is done against the JAAS Realm, as far as I can see with full debug trace on.


      In the debugger I can see that only the expected Realm is used in the login process but it just ends with a success more often than I would like it to.


      I could really use some guidance ...

        • 1. Re: JAAS authentication always succeeds
          jbalunas.jbalunas.jboss.org

          What does your authenticator.authenticate method look like?

          • 2. Re: JAAS authentication always succeeds
            emsa

            I do not have one since I'm using the one built into Seam.


            I think I have found the main issue, there was an unauthenticatedIdentity set in the JAAS configuration.


            This made the Seam authentication succeed in the manner described above.

            • 3. Re: JAAS authentication always succeeds
              jbalunas.jbalunas.jboss.org

              Do you mean the one that is in seam-gen and/or some of the examples?


              The default Authenticator lets everything through - there is no check at all.  That would explain what you are seeing.


              import org.jboss.seam.annotations.In;
              import org.jboss.seam.annotations.Logger;
              import org.jboss.seam.annotations.Name;
              import org.jboss.seam.log.Log;
              import org.jboss.seam.security.Identity;

              // seam-gen's stock Authenticator: every login succeeds and is given the "admin" role.
              // @Name is what makes the component resolvable as #{authenticator.authenticate}.
              @Name("authenticator")
              public class Authenticator
              {
                  @Logger Log log;

                  @In Identity identity;

                  public boolean authenticate()
                  {
                      log.info("authenticating #0", identity.getUsername());
                      //write your authentication logic here,
                      //return true if the authentication was
                      //successful, false otherwise
                      identity.addRole("admin");
                      return true;
                  }
              }
              



              • 4. Re: JAAS authentication always succeeds
                keithnaas

                This is controlled by the allowEmptyPasswords setting in the jboss login-config.xml - at least for the LdapLoginModule and the LdapExtLoginModule.


                <application-policy name="LdapToActiveDirectory">
                  <authentication>
                    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                      ......
                      <module-option name="allowEmptyPasswords">false</module-option>
                    </login-module>
                  </authentication>
                </application-policy>




                For more details, see the javadocs or the jbossas docs
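Added example (not part of this thread and not JBoss code): a stand-alone JAAS program, JDK only, that reproduces the two failure modes raised in replies 2 and 4 with a toy login module. The module's options are named after the JBoss ones, but the module itself, the fallback principal "guest", the credential pair alice/s3cret and the reuse of the realm name MyRealm from the original post are all constructed for the demo. With unauthenticatedIdentity set, an empty password for any username lets LoginContext.login() return without throwing, which is all the calling application normally looks at; with allowEmptyPasswords=false and no fallback identity, the same attempt fails. For the LDAP modules the setting matters for a second reason: an LDAP simple bind with an empty password is an anonymous bind, which the directory accepts, so without the option the bind "succeeds" for any username.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class EmptyPasswordDemo {

    /** Principal is a functional interface (one abstract method, getName), so a lambda will do. */
    static Principal principal(final String name) { return () -> name; }

    /**
     * Toy username/password LoginModule written for this example (not JBoss's code). Its two
     * options mimic the JBoss ones from the thread: unauthenticatedIdentity maps an empty
     * password to that principal and lets login() return true; allowEmptyPasswords=false
     * fails an empty password outright. The pair alice/s3cret is constructed sample data.
     */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String unauthenticatedIdentity;
        private boolean allowEmptyPasswords;
        private Principal identity;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.unauthenticatedIdentity = (String) options.get("unauthenticatedIdentity");
            this.allowEmptyPasswords = !"false".equals(options.get("allowEmptyPasswords"));
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            char[] pw = pc.getPassword();
            boolean blank = (pw == null || pw.length == 0);

            if (blank && !allowEmptyPasswords) throw new FailedLoginException("empty password rejected");
            if (blank && unauthenticatedIdentity != null) {
                // The trap from the thread: nothing is thrown, so a caller that only asks
                // "did LoginContext.login() throw?" treats the user as authenticated.
                identity = principal(unauthenticatedIdentity);
                return true;
            }
            if ("alice".equals(nc.getName()) && !blank && "s3cret".equals(new String(pw))) {
                identity = principal(nc.getName());
                return true;
            }
            throw new FailedLoginException("bad username or password");
        }

        public boolean commit() { subject.getPrincipals().add(identity); return true; }
        public boolean abort()  { identity = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** In-code equivalent of one <application-policy> holding a single "required" module. */
    static Configuration policy(final Map<String, ?> options) {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
            }
        };
    }

    /** Answers the module's callbacks with a fixed username/password pair. */
    static CallbackHandler creds(final String user, final String pw) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pw.toCharArray());
            }
        };
    }

    /** Returns the principal name the realm handed back, or null if the login failed. */
    static String tryLogin(Configuration cfg, String user, String pw) {
        try {
            LoginContext lc = new LoginContext("MyRealm", null, creds(user, pw), cfg);
            lc.login();
            return lc.getSubject().getPrincipals().iterator().next().getName();
        } catch (LoginException e) { return null; }
    }

    public static void main(String[] args) {
        Map<String, String> weak = new HashMap<>();
        weak.put("unauthenticatedIdentity", "guest");   // the option emsa found in his realm
        Map<String, String> hardened = new HashMap<>();
        hardened.put("allowEmptyPasswords", "false");   // and no unauthenticatedIdentity at all

        System.out.println("weak     alice/s3cret    -> " + tryLogin(policy(weak), "alice", "s3cret"));
        System.out.println("weak     alice/<empty>   -> " + tryLogin(policy(weak), "alice", ""));
        System.out.println("weak     mallory/<empty> -> " + tryLogin(policy(weak), "mallory", ""));
        System.out.println("hardened alice/<empty>   -> " + tryLogin(policy(hardened), "alice", ""));
    }
}
```

Compile and run with javac EmptyPasswordDemo.java and java EmptyPasswordDemo. The weak realm reports alice for the real credentials but guest for both empty-password attempts, whatever the username; the hardened realm reports null for the empty password. In a container the same check belongs in the realm configuration (drop unauthenticatedIdentity, set allowEmptyPasswords to false), since the application layer above JAAS cannot tell a fallback identity from a real one.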

                • 5. Re: JAAS authentication always succeeds
                  emsa

                  Thanks, there's always one more setting ... ;-)