Custom JAAS login module subject association to the container
dvsridhar May 8, 2013 12:47 PM
Hi,
We have a legacy financial application that works with WebLogic and WebSphere; currently we are trying to add support for JBoss 7.1. We have our own JAAS-based common security framework that works perfectly fine with the mentioned vendors (of course with vendor-specific JAAS integration APIs).
I tried the following way to add our custom login module to the JBoss domain.xml security domain. The JbossCSFBaseLoginModule gets called and the Subject gets created, but the authenticated subject is not getting associated with the container.
Since this is legacy code I can't really start by extending JBoss SX AbstractServerLoginModule. However, I want to get the current authenticated subject from the container to avoid multiple authentications. So I tried the following way and I always get a null Subject.
    Subject subject = null;
    try {
        subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
        return subject;
    } catch (PolicyContextException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
So I dug deeper into the JBoss SubjectPolicyContextHandler code, which essentially gets associated during boot-up.
During debugging I noticed:
    SubjectInfo si = sc.getSubjectInfo();
    if (si != null)
    {
        Subject activeSubject = si.getAuthenticatedSubject();
        RunAsIdentity callerRunAsIdentity = (RunAsIdentity) sc.getIncomingRunAs();
        // ...
    }
Both activeSubject and callerRunAsIdentity result in null values; that's why I was getting the null subject.
My question is: how can I create SubjectInfo after a successful LoginModule commit phase to associate our authenticated subject, which has custom principals?
Do I need to do anything along the following lines to push the authenticated subject into the SubjectInfo?
    SecurityContext ctx = SecurityContextAssociation.getSecurityContext();
    JBossSecurityContextUtil securityContextUtil = new JBossSecurityContextUtil(ctx);
    securityContextUtil.createSubjectInfo(moSubject.get, moSubject, moSubject);
Do I need to pick up the getRoleSets(), getIdentity(), and createGroup() implementations from AbstractServerLoginModule? Essentially the whole group and roles stuff. Is that really essential to make this subject association work?
Any help appreciated.
Thanks,
SD
JbossCSFBaseLoginModule
    package com.ams.core.appserver.enterprise;

    import java.util.Map;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.login.LoginException;
    import org.jboss.security.SecurityContext;
    import org.jboss.security.SecurityContextAssociation;
    import org.jboss.security.plugins.JBossSecurityContextUtil;
    import com.ams.csf.auth.CSFBaseLoginModule;

    public class JbossCSFBaseLoginModule extends CSFBaseLoginModule {

        @Override
        public void initialize(Subject foSubject, CallbackHandler callbackHandler, Map sharedState, Map options) {
            super.initialize(foSubject, callbackHandler, sharedState, options);
        }

        @Override
        public boolean login() throws LoginException {
            boolean flag = super.login();
            if (flag) {
            }
            return flag;
        }

        @Override
        public boolean abort() throws LoginException {
            boolean flag = super.abort();
            if (flag) {
            }
            return flag;
        }

        @Override
        public boolean commit() throws LoginException {
            boolean flag = super.commit();
            if (flag) {
                SecurityContext ctx = SecurityContextAssociation.getSecurityContext();
                JBossSecurityContextUtil securityContextUtil = new JBossSecurityContextUtil(ctx);
                // securityContextUtil.createSubjectInfo(moSubject.getPrincipals()., moSubject, moSubject);
            }
            return flag;
        }

        @Override
        public boolean logout() throws LoginException {
            boolean flag = super.logout();
            if (flag) {
            }
            return flag;
        }
    }
domain.xml
-------------------------

    <subsystem xmlns="urn:jboss:domain:security:1.1">
        <security-domains>
            <security-domain name="other" cache-type="default">
                <authentication>
                    <login-module code="com.ams.core.appserver.enterprise.JbossCSFBaseLoginModule" flag="sufficient"/>
                    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                        <module-option name="password-stacking" value="useFirstPass"/>
                    </login-module>
                </authentication>
            </security-domain>
...........
jboss-web.xml
    <jboss-web>
        <security-domain>java:/jaas/other</security-domain>
        <security-role id="fdx">
            <role-name>*</role-name>
        </security-role>
    </jboss-web>
........
web.xml has the following security-related info:

    <security-role>
        <description />
        <role-name>fdx</role-name>
    </security-role>
    <security-role>
        <description />
        <role-name>fdx-admin</role-name>
    </security-role>
    <security-role>
        <description />
        <role-name>fdx-user</role-name>
    </security-role>
    <resource-ref id="ResourceRef_fdx_security">
        <res-ref-name>fdx.security</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
        <res-sharing-scope>Shareable</res-sharing-scope>
    </resource-ref>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>TRACE</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>fdx-admin</role-name>
            <role-name>fdx-user</role-name>
            <role-name>fdx</role-name>
        </auth-constraint>
    </security-constraint>
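As an added illustration of the createSubjectInfo call sketched in the question (example code written here, not the poster's module or JBoss's own source), a helper that a login module's commit() could call once super.commit() has populated the Subject. It assumes the PicketBox classes imported below are on the classpath and that the container has already associated a SecurityContext with the thread; the helper name and the role names passed in are hypothetical.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.plugins.JBossSecurityContextUtil;

/**
 * Illustrative helper (hypothetical, not the poster's code): pushes a Subject that
 * commit() has populated into the thread's SecurityContext, which is what
 * SubjectPolicyContextHandler reads getAuthenticatedSubject() from.
 */
public final class SubjectInfoAssociation {

    /**
     * @param subject   the Subject that commit() has just populated with principals
     * @param roleNames role names granted to the caller (hypothetical, e.g. "fdx-user")
     */
    public static void associate(Subject subject, Set<String> roleNames) throws LoginException {
        SecurityContext ctx = SecurityContextAssociation.getSecurityContext();
        if (ctx == null) {
            // No SecurityContext on this thread means the container set none up for
            // this request; fail closed instead of silently authenticating nothing.
            throw new LoginException("No SecurityContext associated with the current thread");
        }
        // JBoss derives the caller's roles from a Group named "Roles" on the Subject,
        // the same group AbstractServerLoginModule's getRoleSets() normally supplies.
        Group roles = new SimpleGroup("Roles");
        for (String role : roleNames) {
            roles.addMember(new SimplePrincipal(role));
        }
        subject.getPrincipals().add(roles);

        // The caller identity is the first non-Group principal on the Subject.
        Principal caller = null;
        for (Principal p : subject.getPrincipals()) {
            if (!(p instanceof Group)) { caller = p; break; }
        }
        if (caller == null) {
            throw new LoginException("Subject carries no caller principal");
        }
        // createSubjectInfo(principal, credential, subject) fills the SecurityContext's
        // SubjectInfo; no credential is retained here, so null is passed for it.
        new JBossSecurityContextUtil(ctx).createSubjectInfo(caller, null, subject);
    }
}
```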