2 Replies Latest reply on Jun 14, 2015 4:49 PM by pmatthews

    JAAS Custom Login Module using JPA Model from EJB

    buggsbuny101

      Hello all,

       

      I want to use JAAS to manage authentication and authorization on a web application using JPA / EJB / JSF, and potentially a heavy client directly calling EJB.

      I am trying to get a global view of what to do with JAAS, using my EJB-DAO layer to authenticate users.

       

      My problem is with the realm definition, my CustomsLoginModule and the EJB deployment.

      Since I want to use my EJB to obtain information for authentication, I have to deploy my EJB before defining my realm (which embeds the CustomsLoginModule). But this realm definition is part of the server configuration.

       

      My questions are simple:

      1) Is there a way to define my security-domain directly in the EJB / JSF deployment?

      2) If not, is there a way to do JAAS authentication using JPA and a specific data model?

      3) Did I miss anything?

       

      Thanks.

        • 1. Re: JAAS Custom Login Module using JPA Model from EJB
          buggsbuny101

          Hello,

           

          I'm still looking for a way to do JAAS authentication and authorization on the WWW but I haven't found anything.

          I will start by trying a JPALoginModule based on the UsernamePasswordLoginModule JBoss class.

           

          To do this, the first element is to export the EntityManager:

          <property name="jboss.entity.manager.factory.jndi.name" value="java:jboss/DivingReservationEntityManagerFactory" />
          <property name="jboss.entity.manager.jndi.name" value="java:/DivingReservationEntityManager"/>

          to get access to the JPA layer in the server context.

           

          I'm not sure this will work since my transactions are managed in the EJB Container context.

          I'll try and see.

           

          If someone has already tried this, please keep me informed.

          • 2. Re: JAAS Custom Login Module using JPA Model from EJB
            pmatthews

            I have a similar question. We have an application that uses JAAS for authentication as follows (on Tomcat this works):

             

            1. Implemented LoginModule via a custom class. This class gets a connection to the DB via EntityManagerFactory. This class is in the war file deployed to Tomcat.
            2. Edited .jaas.login.config to have an entry for our custom realm that simply provides the fully qualified class name for our implementation.
            3. Edited java.security to have the entry login.config.url.1 point to our .jaas.login.config file.
            4. In our servlet handling authentication we simply call new LoginContext and retrieve an instance of our LoginModule and proceed to authenticate. (Note we are not using form based authentication nor any of the JEE standard authentication options)

             

            We are converting the application to run on JBoss but it appears that the custom LoginModule is not being detected. There are no error messages printed but the login simply fails. I have tried the following:

             

            1. Added a security domain to the standalone.xml file.

             

            <security-domain name="MySecurityDomain" cache-type="default">
            <authentication>
            <login-module code="za.co.example.security.DatabaseAuthModule" flag="required"/>
            </authentication>
            </security-domain>

             

            2. Reset the java.security file to not refer to our .jaas.login.config file.

             

            But no luck. I am not sure if I am using security-domains correctly. All the documentation seems to be about using security domains declaratively using web.xml etc. and not how to implement JAAS and your own security handling. Any assistance appreciated.