22 Replies. Latest reply on Sep 26, 2007 2:06 PM by nm-156
      • 15. Re: Calling JAAS
        nm-156

        Hi.

        There are several Handlers in the JBoss security jar. I tested mine using the UserPassword handler and it worked. I gersonjohan used the client which is I believe the default method. There are several others, all requiring different information passed to them.

        I'm not an expert, but the handler takes the user's credentials so they can be associated with an authentication service, such as the ones found in login config, used in creating a login context. In essence it takes care of creating the principal structures and populating user information.


        Are you saying that using the JBoss UsernamePasswordHandler allows the session to stay intact so that you can redirect to the portal without getting sent back to the portal's login page?

        I have the following:

        import javax.security.auth.login.LoginContext;
        import org.jboss.security.auth.callback.UsernamePasswordHandler;

        // Callback handler that hands the user name and password to the LoginModule:
        UsernamePasswordHandler cbh = new UsernamePasswordHandler(USER_ID, PASSWORD.toCharArray());

        // Attempt login against the portal's security domain:
        LoginContext lc = new LoginContext(JAAS_JNDI_REFERENCE_FOR_PORTAL, cbh);
        lc.login();

        // Redirect into the portal after a successful login:
        resp.sendRedirect(DEFAULT_PORTAL_URI);


        The call to the LoginModule is successful, but upon redirection I get sent back to the portal login page again. What needs to be done to:

        - Connect to JAAS LoginModule of portal
        - Execute login procedure
        - Forward to dashboard without receiving the portal's login page again.

        Thanks.


        • 16. Re: Calling JAAS
          nm-156

          Sorry - Just to clarify, how do I do this part so that I bypass the login page:

          resp.sendRedirect(DEFAULT_PORTAL_URI);



          - Connect to JAAS LoginModule of portal
          - Execute login procedure


          Is already working.

          • 17. Re: Calling JAAS
            creative777

            I don't think you can. You can use this to authenticate using the portal security, but you will not be authorized to access the secure portal pages. This is basically a two-step process. Authorization in a basic JAAS example would use a filter to secure what areas can be accessed after authentication.

            That is what j_security_check is mainly doing for the portal at a very low level, thus making it secure. "Sohil" wrote on this in several JAAS posts; you need to get the Tomcat code for the valve and look at it. Then it will begin to make sense what needs to be done to hack the code and write your own module.
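The two-step split creative777 describes (authentication decides who the caller is, authorization decides what that identity may reach) is shown below as a servlet filter. This is an added example, not code from the thread or from JBoss Portal; the path prefixes, the role names and the class name are constructed for illustration, and the filter assumes the container has already populated `getUserPrincipal()` and `isUserInRole()` from a JAAS login (in JBoss, from the LoginModule's "Roles" group).

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical authorization filter (added example, not the portal's code).
 * Authentication is left to the container: a JAAS login has already decided
 * who the caller is and which roles the "Roles" group holds. This filter only
 * answers the second question, whether that identity may reach the path.
 */
public class RoleAuthorizationFilter implements Filter {

    // Constructed path-prefix -> required-role table; the most specific prefix wins.
    // The paths are invented for this example, not taken from JBoss Portal.
    private final Map<String, String> requiredRole = new LinkedHashMap<String, String>();

    public void init(FilterConfig config) throws ServletException {
        requiredRole.put("/portal/admin", "Admin");
        requiredRole.put("/portal/dashboard", "Users");
        requiredRole.put("/portal", "Authenticated");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String role = roleFor(request.getRequestURI());
        if (role == null) {
            chain.doFilter(req, res);            // unprotected path
            return;
        }
        if (request.getUserPrincipal() == null) {
            // Step 1 failed: nobody is logged in. 401 leaves the challenge to the
            // container's login mechanism (FORM/j_security_check in the portal).
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!request.isUserInRole(role)) {
            // Step 2 failed: logged in, but the "Roles" group lacks the required role.
            // This is the kind of 403 Forbidden the thread sees on the Dashboard link.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Longest matching prefix decides; null means the path is public. */
    String roleFor(String uri) {
        String best = null;
        String bestRole = null;
        for (Map.Entry<String, String> e : requiredRole.entrySet()) {
            String prefix = e.getKey();
            if (uri.equals(prefix) || uri.startsWith(prefix + "/")) {
                if (best == null || prefix.length() > best.length()) {
                    best = prefix;
                    bestRole = e.getValue();
                }
            }
        }
        return bestRole;
    }

    public void destroy() {
        requiredRole.clear();
    }
}
```

The filter never decides identity itself; if the principal is missing it answers 401 and lets the container's login mechanism run, which is why a programmatic `LoginContext.login()` alone (as in post 15) is not enough: it verifies credentials but leaves nothing on the request or session for `getUserPrincipal()` to return.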

            • 18. Re: Calling JAAS
              nm-156

              Thanks a lot for the info. Here is one of the posts that creative is referring to:

              http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4073177#4073177

              • 19. Re: Calling JAAS
                nm-156

                OK, question - I spent today reading the Tomcat valve documentation, and I plugged in a simple example that I found in the following post (the response by user tellarsrinivasprabhu):

                http://www.jboss.com/index.html?module=bb&op=viewtopic&t=116375

                This almost worked. I was able to set the roles within the valve, and I see "Logged in as 'my user'" at the top of the portal page. For test purposes, I added the Authenticated, Admin and Users roles to the user (inside of the valve), and I now see Dashboard | Admin | Logout at the top of the portal page, as expected. The login page was bypassed, which is great.

                The only problem I have now is that when I click on the Dashboard link, I get a 403 forbidden error. The Admin and Logout links both work correctly.

                Does anybody know why I would be getting the 403 code for the dashboard link only? Here is the code in my valve.

                Any insight would be greatly appreciated. Thanks!

                import java.io.IOException;
                import java.security.Principal;
                import java.security.acl.Group;
                import java.util.ArrayList;
                import java.util.List;
                import javax.security.auth.Subject;
                import javax.servlet.ServletException;
                import org.apache.catalina.connector.Request;
                import org.apache.catalina.connector.Response;
                import org.apache.catalina.realm.GenericPrincipal;
                import org.apache.catalina.valves.ValveBase;
                import org.apache.log4j.Logger;
                import org.jboss.security.SecurityAssociation;
                import org.jboss.security.SimpleGroup;
                import org.jboss.security.SimplePrincipal;

                public class CustomSsoValve extends ValveBase
                {
                 // USER_ID and PASSWORD are the poster's own test fields; their values are not shown in the post.
                 private String USER_ID;
                 private String PASSWORD;
                 private final Logger appLogger = Logger.getLogger(CustomSsoValve.class); // log4j assumed

                 public void invoke(Request request, Response response) throws IOException, ServletException
                 {
                  appLogger.info("%%%%%% **** CUSTOM SSO VALVE invoke() method BEGIN **** %%%%%%%");

                  // Roles granted to the test user; Admin and Users are for testing only
                  List roles = new ArrayList();
                  roles.add("Authenticated"); // The portal requires the Authenticated role
                  roles.add("Users");
                  roles.add("Admin");
                  roles.add("testrole");

                  // Build the JBoss "Roles" group from the same list
                  Group roleGroup = new SimpleGroup("Roles");
                  for (int i = 0; i < roles.size(); i++)
                  {
                   String rname = (String) roles.get(i);
                   Principal p = new SimplePrincipal(rname);
                   roleGroup.addMember(p);
                  }

                  // Bind identity and roles to the current thread for the JBoss security layer
                  Subject subj = new Subject();
                  subj.getPrincipals().add(new SimplePrincipal(USER_ID));
                  subj.getPrincipals().add(roleGroup);
                  SecurityAssociation.setSubject(subj);

                  // Tell Tomcat who the user is and which roles they hold
                  request.setUserPrincipal(new GenericPrincipal(request.getContext().getRealm(), USER_ID, PASSWORD, roles));

                  // Continue down the pipeline; the container's authenticator sees the principal and skips the login page
                  getNext().invoke(request, response);

                  appLogger.info("%%%%%% **** CUSTOM SSO VALVE invoke() method COMPLETED **** %%%%");
                 }
                }
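The valve above hard-codes a user and hands out Admin from inside the request pipeline, so every request is authenticated as that user with those roles regardless of what the LoginModule would have decided. The valve below is an added example (not nm-156's code and not part of JBoss Portal) of the same idea done through the container's Realm instead: the Realm runs the configured LoginModule, the roles are whatever getRoleSets() returns, and the resulting principal is cached in the session so the login page is not shown on the next request. It assumes the Tomcat 5.5 / JBoss 4 catalina API (Realm.authenticate(String, String), Request.setUserPrincipal/setAuthType/getSessionInternal, Session.setPrincipal/setAuthType) and assumes an upstream component has already verified the SSO ticket and placed the user and credential in request attributes; the attribute names, auth type string and class name are assumptions for this example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Hypothetical SSO valve (added example, not the thread's valve).
 * Compared with a valve that hard-codes the user and roles, it
 *  - grants no roles itself: the Realm runs the configured LoginModule and
 *    its getRoleSets() decides what the principal may do;
 *  - trusts only request attributes set by an upstream component that has
 *    already verified the SSO ticket (attribute names are assumptions);
 *  - caches the principal in the session so later requests stay authenticated.
 */
public class RealmBackedSsoValve extends ValveBase {

    static final String USER_ATTR = "sso.verified.user";             // assumed attribute name
    static final String CREDENTIAL_ATTR = "sso.verified.credential"; // assumed attribute name
    static final String AUTH_TYPE = "SSO";

    private static final Logger log = Logger.getLogger(RealmBackedSsoValve.class.getName());

    public void invoke(Request request, Response response) throws IOException, ServletException {
        if (request.getUserPrincipal() == null) {
            Session session = request.getSessionInternal(false);
            Principal cached = (session == null) ? null : session.getPrincipal();
            if (cached != null) {
                // Authenticated earlier in this session: restore without re-running the login.
                request.setAuthType(session.getAuthType());
                request.setUserPrincipal(cached);
            } else {
                authenticateFromAssertion(request);
            }
        }
        // The container's authenticator runs later in the pipeline; with a principal
        // already on the request it skips the FORM login challenge.
        getNext().invoke(request, response);
    }

    private void authenticateFromAssertion(Request request) {
        String user = (String) request.getAttribute(USER_ATTR);
        String credential = (String) request.getAttribute(CREDENTIAL_ATTR);
        if (user == null || credential == null) {
            return; // no verified assertion: the request stays anonymous
        }
        // Remove the credential so nothing further down the pipeline can read it.
        request.removeAttribute(CREDENTIAL_ATTR);

        Realm realm = request.getContext().getRealm();
        // The Realm performs the JAAS login; the returned principal already carries
        // the roles the LoginModule produced, nothing is granted here.
        Principal principal = realm.authenticate(user, credential);
        if (principal == null) {
            log.warning("SSO assertion for user '" + user + "' was rejected by the realm");
            return;
        }
        request.setAuthType(AUTH_TYPE);
        request.setUserPrincipal(principal);

        Session session = request.getSessionInternal(true);
        session.setAuthType(AUTH_TYPE);
        session.setPrincipal(principal);
    }
}
```

The credential passed to the Realm is whatever the configured LoginModule expects; with a module that validates SSO tickets it would be the ticket rather than a password. The valve still has to run before the container's authenticator in the context's pipeline, which is where a valve declared in the context configuration is placed.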


                • 20. Re: Calling JAAS

                  I have the same issue.

                  I'm using SSO CAS with JBoss Portal (with a servlet filter and not a valve).
                  I also have a customLoginModule.

                  What is working:
                  - user is redirected to the SSO login page
                  - user logs on
                  - user gets a JAAS context through my customLoginpage

                  Then he is redirected to the default page of the default portal and not to my dashboard (as configured in jboss-portal.sar\conf\config.xml).

                  Admin/configure links work, but the dashboard link raises a 403 forbidden error, like NM-156.

                  I also tried to drop the security constraint (authenticated) in portal-server/web.xml, but nothing changed.

                  Regards

                  • 21. Re: Calling JAAS
                    nm-156

                    cpage - I too have a custom LoginModule involved here. I backtracked a little and the problem appears to be with my LoginModule.

                    Try deactivating your valve temporarily. Leave your LoginModule active, and see if you get the same results when you try the Dashboard link after login.

                    I verified this by deactivating my valve first, then I activated my LoginModule (only). My LoginModule extends AbstractServerLoginModule. Here is the overridden getRoleSets() method (getIdentity() simply returns a Principal created with the login name). Anybody know what could be causing the 403 error on the dashboard link? Admin and Logout links still work fine. Thanks.

                     import java.security.acl.Group;
                     import javax.security.auth.login.LoginException;
                     import org.jboss.security.SimpleGroup;
                     import org.jboss.security.SimplePrincipal;

                     // Overridden from AbstractServerLoginModule; JBoss expects the roles in a Group named "Roles"
                     protected Group[] getRoleSets() throws LoginException
                     {
                      logger.info("%%%%% - CALLING LoginModule.getRoleSets() method from PORTAL %%%%%");

                      Group rolesGroup = new SimpleGroup("Roles");
                      rolesGroup.addMember(new SimplePrincipal("Authenticated")); // Must add the Authenticated principal
                      rolesGroup.addMember(new SimplePrincipal("Users")); // Gives the user Users rights (Test)
                      rolesGroup.addMember(new SimplePrincipal("Admin")); // Gives the user Administrators rights (Test)
                      rolesGroup.addMember(new SimplePrincipal("testrole")); // Custom test role

                      // Note that the identity needs to exist as a user account inside the portal prior to login
                      rolesGroup.addMember(getIdentity()); // Add the login identity as a role (Test)

                      return new Group[] { rolesGroup };
                     }
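Post 15 discusses the callback handler side of JAAS (UsernamePasswordHandler answering the module's callbacks) and post 21 the module side (getIdentity()/getRoleSets() on AbstractServerLoginModule). The class below is an added example that puts both halves together; it is not nm-156's module and not JBoss code. It assumes JBoss 4.x's AbstractServerLoginModule (protected fields callbackHandler, options and loginOk, and a commit() that adds getIdentity() and getRoleSets() to the Subject), and it assumes the module is declared in login-config.xml with module-options named roles.<user>; the sample user, password and the class name are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

/**
 * Hypothetical LoginModule (added example). Roles come from module options,
 * e.g. <module-option name="roles.alice">Authenticated,Users</module-option>,
 * so "Admin" is only granted when the configuration says so.
 */
public class OptionRolesLoginModule extends AbstractServerLoginModule {

    private static final Charset UTF8 = Charset.forName("UTF-8");

    private Principal identity;
    // Constructed stand-in for a real user store (user -> password); illustration only.
    private final Map<String, String> users = new HashMap<String, String>();

    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        super.initialize(subject, handler, sharedState, options);
        users.put("alice", "correct horse");   // constructed sample account
    }

    public boolean login() throws LoginException {
        loginOk = false;
        // The same two callbacks that JBoss's UsernamePasswordHandler answers.
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            callbackHandler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("Callback handling failed: " + e.getMessage());
        }
        String user = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        try {
            if (user == null || pw == null || !passwordMatches(user, pw)) {
                // One message for unknown user and wrong password: no account enumeration.
                throw new FailedLoginException("Invalid user name or password");
            }
        } finally {
            if (pw != null) Arrays.fill(pw, '\0');   // do not leave the password in memory
        }
        identity = new SimplePrincipal(user);
        loginOk = true;
        return true;
    }

    /** Constant-time comparison so response timing does not reveal how much matched. */
    private boolean passwordMatches(String user, char[] given) {
        String expected = users.get(user);
        if (expected == null) {
            return false;
        }
        ByteBuffer bb = UTF8.encode(CharBuffer.wrap(given));
        byte[] givenBytes = new byte[bb.remaining()];
        bb.get(givenBytes);
        boolean ok = MessageDigest.isEqual(expected.getBytes(UTF8), givenBytes);
        Arrays.fill(givenBytes, (byte) 0);
        return ok;
    }

    protected Principal getIdentity() {
        return identity;
    }

    protected Group[] getRoleSets() throws LoginException {
        // JBoss looks for a Group named "Roles"; the portal also needs "Authenticated" in it.
        Group roles = new SimpleGroup("Roles");
        String configured = (String) options.get("roles." + identity.getName());
        if (configured == null) {
            configured = "Authenticated";   // verified identity, no extra privileges
        }
        for (String r : configured.split(",")) {
            if (r.trim().length() > 0) {
                roles.addMember(new SimplePrincipal(r.trim()));
            }
        }
        return new Group[] { roles };
    }
}
```

Because the base class's commit() adds getIdentity() to the Subject and the "Roles" group to its principals, the module does not add the identity to the role group itself, which the post above does as a test; the Subject produced here is what the container's Realm wraps into the principal that `isUserInRole()` later consults.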


                    • 22. Re: Calling JAAS
                      nm-156

                      I fixed the 403 error. I put the explanation here:

                      http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4088974#4088974
