9 Replies Latest reply on Sep 17, 2008 3:23 AM by Kobye

    Problem with Custom Auth Module

    David Hoffman Newbie

      I have a custom auth module that I have written to extend the UsernamePasswordLoginModule:

      public class SASAuth extends UsernamePasswordLoginModule
      


      My login-config.xml looks like this:

       <application-policy name="portal">
         <authentication>
           <login-module code="com.workscape.auth.modules.sas.SASAuth" flag="required">
             <module-option name="unauthenticatedIdentity">guest</module-option>
             <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
             <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
             <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
             <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
             <module-option name="additionalRole">Authenticated</module-option>
             <module-option name="password-stacking">useFirstPass</module-option>
           </login-module>
         </authentication>
       </application-policy>
      


      I have numerous logging statements throughout each function in my auth module.

      My Auth Module works just fine except under one specific circumstance.

      When "UserA" logs into the portal from "BrowserA" my auth module is successful and dumps every single logging entry from my auth module. If "UserA" logs into the portal from "BrowserB" (before the previous login has been logged out) the user is logged in successfully, but there is not one single logging entry made. It does not init, doesn't execute login() or validatePassword() but logs the user in nonetheless. Entering invalid credentials fails, as one would expect, but it still never logs a single entry nor fires any of the methods within the auth module.

      It should be noted that "BrowserA"/"BrowserB" is meant to be read generically, it does not matter whether you are using IE/FF etc.


      Configuration:

      JBoss Portal Server 2.6.3GA Bundled With App Server
      Out of the Box Datastore
      Java SDK 1.6.0_02


      I can post my full code if needed, but I am hoping that the description of the problem is enough to trip something in someone's mind. Furthermore, I am hoping that there is a simple configuration change to add to login-config.xml, but I won't hold my breath :)

        • 1. Re: Problem with Custom Auth Module
          Kobye Novice

          A piece of advice: you should use org.jboss.portal.identity.auth.IdentityLoginModule, org.jboss.portal.identity.auth.DBIdentityLoginModule or org.jboss.portal.identity.auth.SynchronizingLDAPExtLoginModule as your custom login module base class.
          It's not a good idea to extend from UserNameAndPasswordLoginModule directly.

          • 2. Re: Problem with Custom Auth Module
            Kobye Novice

            BTW, I have done custom SSO with CAS successfully.

            • 3. Re: Problem with Custom Auth Module
              Youssef Mohammed Newbie

               

              "jsports" wrote:
              BTW, I have done custom SSO with CAS successfully.



              Congrats!
              Mind sharing the experience?


              • 4. Re: Problem with Custom Auth Module
                Kobye Novice

                It's very easy to do.
                There are 2 steps.
                1. CAS authentication
                You can write a public class CASAuthenticationService that implements org.jboss.portal.identity.sso.AuthenticationService,
                then define it as an MBean in jboss-portal.sar/meta-inf/jboss-service.xml.
                The MBean should look like this:

                 <mbean code="org.jboss.portal.identity.sso.cas.CASAuthenticationService"
                        name="portal:service=Module,type=CASAuthenticationService"
                        xmbean-dd=""
                        xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
                   <xmbean/>
                   <depends>portal:service=Module,type=IdentityServiceController</depends>
                   <attribute name="HavingRole"></attribute>
                 </mbean>
                

                You can declare the resources you need as attributes, and remove the resources you do not use.
                You can change the class name, but should not change
                name="portal:service=Module,type=CASAuthenticationService".

                2. JBoss Portal login module
                Define a login module of your own that extends one of the classes I mentioned before, and override the validatePassword method like the below:
                 protected boolean validatePassword(String inputPassword,
                         String expectedPassword) {
                     // logger.info("inputPassword=="+inputPassword);
                     // logger.info("expectedPassword=="+expectedPassword);
                     HttpServletRequest request = null;
                     try {
                         // Fetch the current HTTP request from the JACC policy context.
                         request = (HttpServletRequest) PolicyContext
                                 .getContext("javax.servlet.http.HttpServletRequest");
                     } catch (Exception e) {
                         log.error(this, e);
                         throw new RuntimeException(e);
                     }
                     if (request != null) {
                         // Any non-null "ssoSuccess" request attribute skips the password check.
                         Object ssoSuccess = request.getAttribute("ssoSuccess");
                         // logger.info("ssoSuccess=="+ssoSuccess);
                         if (ssoSuccess != null) {
                             return true;
                         }
                     }
                     // No SSO marker: fall back to the parent class's password comparison.
                     return super.validatePassword(inputPassword, expectedPassword);
                 }
                


                Then change the login module declaration in jboss-portal.sar\conf\login-config.xml to your class.



                • 5. Re: Problem with Custom Auth Module
                  Kobye Novice

                  There is still an important step before the 2 steps.
                  You should integrate CAS SSO with the portal first.
                  Then you can follow the 2 steps.
                  The JBoss Portal reference docs can tell you how to integrate CAS and JBoss Portal.
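
A stricter form of the `ssoSuccess` check from reply 4, as an added example that is not part of the original thread or of JBoss Portal: it accepts only `Boolean.TRUE` and ties the flag to the user being logged in. The `ssoUser` attribute, the class and the method names are hypothetical, and a plain `Map` stands in for the request attributes so the logic runs on its own.

```java
import java.util.HashMap;
import java.util.Map;

public class SsoTrustCheck {
    // "ssoSuccess" is the attribute name from the post. "ssoUser" is a
    // hypothetical attribute assumed to hold the SSO-authenticated login name.
    static final String SSO_SUCCESS = "ssoSuccess";
    static final String SSO_USER = "ssoUser";

    /**
     * Returns true only when the SSO layer vouched for exactly this user.
     * attrs stands in for request.getAttribute(...); loginName stands in for
     * the user name the login module was asked to authenticate.
     */
    static boolean ssoVouchesFor(Map<String, Object> attrs, String loginName) {
        // Accept only Boolean.TRUE: Boolean.FALSE or the string "false" are
        // non-null too and would pass a plain "!= null" test.
        if (!Boolean.TRUE.equals(attrs.get(SSO_SUCCESS))) {
            return false;
        }
        // Bind the flag to an identity so it cannot vouch for another account.
        Object ssoUser = attrs.get(SSO_USER);
        return loginName != null && ssoUser instanceof String
                && ((String) ssoUser).equals(loginName);
    }

    static void expect(boolean expected, boolean actual, String label) {
        if (expected != actual) {
            throw new AssertionError(label);
        }
        System.out.println(label + ": " + actual);
    }

    public static void main(String[] args) {
        // Constructed attribute sets, one per case.
        Map<String, Object> attrs = new HashMap<String, Object>();
        expect(false, ssoVouchesFor(attrs, "alice"), "no SSO attribute");
        attrs.put(SSO_SUCCESS, Boolean.FALSE);
        expect(false, ssoVouchesFor(attrs, "alice"), "flag present but false");
        attrs.put(SSO_SUCCESS, Boolean.TRUE);
        expect(false, ssoVouchesFor(attrs, "alice"), "flag true, no SSO user");
        attrs.put(SSO_USER, "alice");
        expect(true, ssoVouchesFor(attrs, "alice"), "flag true, same user");
        expect(false, ssoVouchesFor(attrs, "bob"), "flag true, different user");
    }
}
```

Inside `validatePassword`, a `false` result from this check should fall through to `super.validatePassword(inputPassword, expectedPassword)` rather than reject the login outright.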

                  • 6. Re: Problem with Custom Auth Module
                    Java User Newbie

                    Hi, I'm facing a problem with configuring LDAP in JBoss Portal.
                    Please take a look.
                    I'm using JBoss Portal 2.6.5 and OpenLDAP.
                    I have created an .ldif file according to my company requirements and it works fine with other applications except JBoss Portal.

                    My problem is, in my .ldif file I mentioned "my-user" for holding the username and "my-pwd" for holding the password,
                    and in my ldap_identity-config.xml file I mentioned them accordingly, as given below.


                    uidAttributeID
                    my-user


                    passwordAttributeID
                    my-pwd


                    But while I'm trying to access it, I'm not getting any error on the console and the page is simply redirected to some other error page which shows "The user doesn't exist or the password is incorrect ". In the log file I'm getting a message like "Bad password for the user XXXXX" (even if I entered the correct user name and password), but if I use the "userPassword" name for holding the password in the .ldif file it works fine.

                    If I use the "userPassword" name, it works fine even if I disable the following code in ldap_identity-config.xml.


                    passwordAttributeID
                    userPassword


                    But I should mention uidAttributeID like below:


                    uidAttributeID
                    my-user


                    After doing some R&D on this, I finally came to know that JBoss is not reading the following snippet at all.


                    passwordAttributeID
                    my-pwd


                    But my requirement is that I should use the "my-pwd" attribute ID for holding the password.

                    How do I do that? Any help is appreciated.

                    • 7. Re: Problem with Custom Auth Module
                      Kobye Novice

                      If you use SSO, you should do authentication before the JBoss login module, and in the JBoss login module's login method just return true; the login module should provide the role information.

                      If you do not use SSO, then check the password and provide the role information in the login module.

                      The login module you write should extend org.jboss.portal.identity.auth.SynchronizingLdapExtLoginModule or org.jboss.portal.identity.auth.SynchronizingLdapLoginModule. Then you can do what you want to do.

                      Override some methods and read the source code if necessary.


                      • 8. Re: Problem with Custom Auth Module
                        Java User Newbie

                        Hi Jsports,
                        thanks for your reply.
                        You mean to say that I need to write a new class which extends the synchronizing module, and in that class I need to mention role details as well, right?

                        If you don't mind, can you explain it again? Please post some sample code if you have it.

                        • 9. Re: Problem with Custom Auth Module
                          Kobye Novice

                          Yes.
                          I think you are clear now.

                          Sorry.
                          I have not written the LDAP login module code,
                          because we use DB.

                          BTW, it's very simple to write your own LDAP login module; the synchronizing module provides most of the basic code, you just need to override some methods.