1 Reply Latest reply on Jan 26, 2011 6:47 AM by Wolfgang Knauf

    Login module that depends on a datasource

    Mike M Newbie

      We have a custom login module implementation that reads role-related (authorization) information from a database. To achieve that, we have (in conf/login-config.xml):

       

      {code:xml}

        <application-policy name="my-company-policy">

          <authentication>

             <login-module code="com.et.security.ETLoginModule" flag="required" >

                <module-option name="java.naming.provider.url">...</module-option>

                <module-option name="bindDN">...</module-option>

                <module-option name="bindCredential">...</module-option>

                <module-option name="baseCtxDN">...</module-option>

                <module-option name="baseFilter">...</module-option>

                <module-option name="allowEmptyPasswords">false</module-option>

                <module-option name="dsJndiName">java:/securityUserDS</module-option>

                <module-option name="roleQuery">...</module-option>

             </login-module>

          </authentication>

        </application-policy>

      {code}

       

      As shown, this has an implicit dependency on a datasource called "securityUserDS". The security_user-ds.xml file looks like:

       

      {code:xml}

      <datasources>

        <local-tx-datasource>

          <jndi-name>securityUserDS</jndi-name>

          <connection-url>jdbc:oracle:thin:@server:1521:database</connection-url>

          <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>

          <transaction-isolation>TRANSACTION_READ_COMMITTED</transaction-isolation>

          <security-domain>SecurityUser_EncryptDBPassword</security-domain>

          <min-pool-size>1</min-pool-size>

          <max-pool-size>30</max-pool-size>

          <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
            <metadata>

               <type-mapping>Oracle9i</type-mapping>

            </metadata>

        </local-tx-datasource>

      </datasources>

      {code}

       

      That in turn uses a security-domain so that we don't have a cleartext password in our xml file. The security domain is specified in conf/login-config.xml file:

       

      {code:xml}

        <application-policy name="SecurityUser_EncryptDBPassword">

            <authentication>

                <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">

                    <module-option name="username">...</module-option>

                    <module-option name="password">...</module-option>

                    <module-option name="managedConnectionFactoryName">jboss.jca:name=securityUserDS,service=LocalTxCM</module-option>

                </login-module>

            </authentication>

        </application-policy>

      {code}

       

      The problem is that, sometimes, when we start up jboss, we get a "securityUserDS not bound" exception, because something tries to access our custom login module (both the jmx console and our JMS setup use our "my-company-policy") before the securityUser datasource has been deployed. Sometimes, this error does not occur.

       

      So, the question is two-fold:

      1. How can we specify an explicit dependency of our custom login module on the datasource?

      2. How can we break the circular dependency? (login module (in login-config.xml) -> datasource -> security domain (in login-config.xml))

       

      We are using JBoss AS 5.1.0 GA.