I tried commenting out the SetCurrentIdentityFilter in the web.xml and also tried chaining my own login module with org.exoplatform.services.security.jaas.IdentitySetLoginModule. Neither worked.
I'd really appreciate it if you can help.
Yes, you will need to chain your login module with org.exoplatform.services.security.j2ee.JbossLoginModule if you are using GateIn on JBoss, so your gatein.ear/META-INF/gatein-jboss-beans.xml can look similar to this:
<login-module code="org.something.YourLoginModule" flag="required"/>
<login-module code="org.exoplatform.services.security.j2ee.JbossLoginModule" flag="required">
<!-- keep the same module-options here as in the default gatein-domain policy -->
</login-module>
In particular, look at the source code of this class; you will see this in the commit() method of the DefaultLoginModule class (the superclass of JbossLoginModule):
This is needed for SetCurrentIdentityFilter to work correctly.
It's also possible that you will need to use something like this in your login module to avoid authentication with the GateIn authenticator:
but then you will need to base your login module on org.exoplatform.services.security.jaas.AbstractLoginModule.
You can take inspiration from the GateIn SSO solution, which is described in the GateIn reference guide (chapter 3), and look at the source code of the class org.gatein.sso.agent.login.SSOLoginModule.
The most important source code for you will be in the GateIn sso-agent library:
http://anonsvn.jboss.org/repos/gatein/components/sso/trunk/agent/
Hope this helps,
And you will need the class org.exoplatform.services.security.j2ee.TomcatLoginModule if you are using GateIn on Tomcat.
Thanks very much for the information.
I tried a few things based on your reply but still could not get it to work.
First, I chained the JbossLoginModule to my firm's login module, with the default module-options values. The login failed and I saw the following lines in the log:
[core.DefaultLoginModule] In login of DefualtLoginModule
[core.DefaultLoginModule] Try create identity
[core.DefaultLoginModule] Login failed for xxx
The log before these lines shows that I passed the firm-wide login authentication successfully. I cannot find the place that prints this line in the DefaultLoginModule class.
Second, I tried changing the value of realmName from 'gatein-domain' to the same value as the name attribute of my own application-policy in gatein-jboss-beans.xml. Same behavior.
Looking at the source code of DefaultLoginModule, the only way to bypass the GateIn authenticator is to have the identity set in the SharedState object. The problem is that the login module distributed by my firm does not store anything in the SharedState object. What are my options here?
You mentioned something about overriding my module with AbstractLoginModule. Were you suggesting that I replace the firm's module with something of my own based on AbstractLoginModule?
One option I am thinking of is to extend the firm's class and override the login method, because it does store the user name in a class variable. So if the firm's login returns true, I set the user name and the Identity object in SharedState in the login method.
Do you see any problem with this approach? Please let me know if there is a better way of doing this.
It's interesting that you are not seeing the lines you sent. Did you look at the correct class? Because I am seeing this in DefaultLoginModule.login():
try {
  if (sharedState.containsKey("exo.security.identity")) {
    log.debug("Use Identity from previous LoginModule");
    identity = (Identity)sharedState.get("exo.security.identity");
  } else {
    log.debug("Try create identity");
    Authenticator authenticator = (Authenticator)getContainer().getComponentInstanceOfType(Authenticator.class);
    String userId = authenticator.validateUser(credentials);
    identity = authenticator.createIdentity(userId);
  }
  return true;
} catch (final Throwable e) {
  throw new LoginException(e.getMessage());
}
So it's obvious that you don't have "exo.security.identity" in your sharedState map, so you are going into the else branch. And the line authenticator.validateUser(credentials) is throwing an exception for you, because your credentials should not be authenticated against the GateIn Authenticator but against your firm's Authenticator.
In short, in DefaultLoginModule.login() you must not fall into the "else" branch; you must go through the "if" part. This means that you should already have the identity under the key "exo.security.identity" in your sharedState map. So you are right in your last paragraph.
Is it possible for you to edit the login module from your firm to inherit from org.exoplatform.services.security.jaas.AbstractLoginModule? This will give you access to the sharedState map in your login module, because you really need to have the identity in your sharedState map under the key "exo.security.identity" before the JbossLoginModule.login() method (the last module in the chain) is executed. Or you can try the other things you mentioned in your last paragraph.
I think the source code of the other login modules in GateIn should be good inspiration for you. Another good thing would be debugging GateIn authentication in Eclipse or some other IDE. This will give you a good overview of how things work under the hood.
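The approach discussed above (validate the password with the firm's authenticator, then put a GateIn Identity into sharedState under "exo.security.identity" so that DefaultLoginModule.login() takes its "if" branch and JbossLoginModule never calls authenticator.validateUser()) as an added example; this is illustrative code, not GateIn's or the firm's. It assumes the AbstractLoginModule base class exposes protected sharedState and callbackHandler fields, a getContainer() method, and abstract afterInitialize()/getLogger() hooks (check against the exo.core version you deploy); FirmAuthService, its hard-coded credential table and the com.example package are constructed stand-ins for the firm's real authentication service.

```java
package com.example.sso; // hypothetical package

import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;

import org.exoplatform.services.log.ExoLogger;
import org.exoplatform.services.log.Log;
import org.exoplatform.services.security.Authenticator;
import org.exoplatform.services.security.Identity;
import org.exoplatform.services.security.jaas.AbstractLoginModule;

/**
 * Bridge module placed BEFORE JbossLoginModule in the gatein-domain stack.
 * On success it stores the Identity under "exo.security.identity", which is the
 * key DefaultLoginModule checks before falling back to the GateIn Authenticator.
 */
public class FirmBridgeLoginModule extends AbstractLoginModule {

    private static final Log LOG = ExoLogger.getLogger(FirmBridgeLoginModule.class);
    static final String IDENTITY_KEY = "exo.security.identity";
    // standard JAAS shared-state key for the already-authenticated user name
    static final String NAME_KEY = "javax.security.auth.login.name";

    private String username;

    @Override
    protected void afterInitialize() {
        // no extra module-options needed for this example
    }

    @Override
    protected Log getLogger() {
        return LOG;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("Username: ");
        PasswordCallback passCb = new PasswordCallback("Password: ", false);
        try {
            callbackHandler.handle(new Callback[] {nameCb, passCb});
        } catch (Exception e) {
            throw new LoginException("Cannot read credentials: " + e.getMessage());
        }
        username = nameCb.getName();
        char[] password = passCb.getPassword();
        passCb.clearPassword();

        // 1. The password is checked by the firm's service, never by GateIn's Authenticator.
        boolean ok = FirmAuthService.authenticate(username, password);
        Arrays.fill(password, '\0');
        if (!ok) {
            throw new LoginException("Login failed for " + username);
        }

        // 2. Build the GateIn Identity (memberships/roles come from GateIn's user store),
        //    then 3. hand it to JbossLoginModule through sharedState.
        try {
            Authenticator authenticator =
                (Authenticator) getContainer().getComponentInstanceOfType(Authenticator.class);
            Identity identity = authenticator.createIdentity(username);
            sharedState.put(IDENTITY_KEY, identity);
            sharedState.put(NAME_KEY, username);
        } catch (Exception e) {
            throw new LoginException("Cannot create identity for " + username + ": " + e.getMessage());
        }
        return true;
    }

    @Override public boolean commit() throws LoginException { return true; }

    // A failed chain must not leave a usable identity behind for a later attempt.
    @Override public boolean abort() throws LoginException { sharedState.remove(IDENTITY_KEY); return true; }
    @Override public boolean logout() throws LoginException { sharedState.remove(IDENTITY_KEY); return true; }

    /** Constructed stand-in for the firm's authentication service. */
    static final class FirmAuthService {
        private static final Map<String, char[]> USERS = new HashMap<String, char[]>();
        static { USERS.put("alice", "s3cret".toCharArray()); } // constructed sample user

        static boolean authenticate(String user, char[] password) {
            char[] expected = USERS.get(user);
            return expected != null && Arrays.equals(expected, password);
        }
    }
}
```

Security note on the design: because DefaultLoginModule trusts whatever sits under "exo.security.identity", any module earlier in the stack that writes that key effectively replaces password verification. Only write it after the firm's check has succeeded, keep this module flag="required" immediately before JbossLoginModule in the same application-policy, and clear the key in abort()/logout() as above.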