0 Replies Latest reply on Jun 8, 2010 12:02 PM by mckaym.matt.mattmckay.org

    Why are my roles disappearing between JAAS and Seam?

    mckaym.matt.mattmckay.org
      Hey everyone,
I'm having some troubles with roles and I am not sure what is the cause. The problem I am trying to solve: I need to authenticate users against LDAP and pull role information from a different proprietary schema. To facilitate this I've written a LoginModule.
The issue I am having is somewhat unclear to me, but I will do my best to explain it.
      My LoginModule's commit is doing basically this (Among a few other things):

                      // Group name must be "Roles" (Identity.ROLES_GROUP) for JBoss/Seam to pick it up
                      SimpleGroup roleSet = new SimpleGroup("Roles");
                      for(String name : getRolesFor(identity)) {
                              roleSet.addMember(new SimplePrincipal(name));
                      }
                      // Roles are carried as a Group principal on the authenticated Subject
                      subject.getPrincipals().add(roleSet);

      As far as I can tell from taking apart examples in JBoss-SX this is more or less the correct way to do this. I was originally just providing a getRoleSets() from AbstractServerLoginModule, but I ran into this issue.
      The roles I am adding in the LoginModule aren't visible to Seam's Identity via bean injection. If I debug my Identity object it looks fairly empty:


      Subject:
              Principal: admintestuser1
              Principal: Roles(members)


      If I place the roles into something other than Identity.ROLES_GROUP I get

      Subject:
              Principal: admintestuser1
              Principal: hrrugh(members:TheDuke)



      which is what I expected to get in the Identity.ROLES_GROUP.
      Clearly I am misunderstanding something here. Why are my roles being removed?

      web.xml

      <security-role>
        <description>Long winded description</description>
        <role-name>TheDuke</role-name>
      </security-role>


      login-config.xml

      <application-policy name="ISSAuth">
          <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="requisite">
              <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
              <module-option name="java.naming.provider.url">ldap://ldap.fqdn:636/</module-option>
              <module-option name="java.naming.security.protocol">ssl</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="principalDNPrefix">uid=</module-option>
              <module-option name="principalDNSuffix">,ou=people,dc=fqdn</module-option>
              <module-option name="uidAttributeID">userid</module-option>
              <module-option name="allowEmptyPasswords">false</module-option>
              <module-option name="password-stacking">useFirstPass</module-option>
            </login-module>
            <login-module code="fqdn.APIRoleResolver.LoginModule" flag="optional">
            </login-module>
          </authentication>
        </application-policy>

      Thanks. I apologize for the atrocious formatting but I couldn't seem to make the syntax checker happy
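For reference, here is an added example of a stacked role-resolver LoginModule written against JBoss's AbstractServerLoginModule. It is not code from the post above and not the poster's APIRoleResolver; it assumes jbosssx (org.jboss.security.*) on the classpath, that it is listed after the LdapLoginModule in the same application-policy, and that password-stacking=useFirstPass is set on both modules so the LDAP module publishes the authenticated name into the JAAS sharedState for this one to consume. The package and class names are hypothetical, and ROLE_DB is a constructed in-memory stand-in for the proprietary role schema.

```java
package fqdn.example; // hypothetical package name

import java.security.Principal;
import java.security.acl.Group;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

/**
 * Role-resolver LoginModule that never authenticates on its own. It only
 * accepts the identity an earlier module left in the JAAS sharedState
 * (password-stacking=useFirstPass) and contributes a "Roles" group for it.
 * Added example; hypothetical class name.
 */
public class StackedRoleResolverLoginModule extends AbstractServerLoginModule {

    /** Constructed stand-in for the proprietary role schema (not a real backend). */
    private static final Map<String, Set<String>> ROLE_DB = new HashMap<String, Set<String>>();
    static {
        ROLE_DB.put("admintestuser1", new HashSet<String>(Arrays.asList("TheDuke", "hr")));
    }

    /** Principal handed over by the authenticating module. */
    private Principal identity;

    @Override
    public boolean login() throws LoginException {
        // AbstractServerLoginModule.login() returns true (and sets loginOk) only when
        // password-stacking=useFirstPass is configured on THIS module and the earlier
        // module stored javax.security.auth.login.name / .password in sharedState.
        // Refusing to continue otherwise keeps this module from ever granting roles
        // to a caller that was not authenticated by the LDAP module.
        if (!super.login()) {
            throw new LoginException("no stacked identity; is password-stacking=useFirstPass set?");
        }
        Object name = sharedState.get("javax.security.auth.login.name");
        if (name instanceof Principal) {
            identity = (Principal) name;
        } else {
            identity = new SimplePrincipal(String.valueOf(name));
        }
        return true;
    }

    @Override
    protected Principal getIdentity() {
        return identity;
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        // The group name must be exactly "Roles": JBoss's authorization layer and
        // Seam's Identity (Identity.ROLES_GROUP) read only that group from the Subject.
        SimpleGroup roles = new SimpleGroup("Roles");
        Set<String> names = ROLE_DB.get(identity.getName());
        if (names == null) {
            names = Collections.emptySet();
        }
        for (String role : names) {
            roles.addMember(new SimplePrincipal(role));
        }
        // AbstractServerLoginModule.commit() merges each returned group into any
        // same-named group already on the Subject, so roles from stacked modules add up.
        return new Group[] { roles };
    }
}
```

To wire it in, the second login-module entry in login-config.xml would point at this class and carry its own `<module-option name="password-stacking">useFirstPass</module-option>`; without that option on the second module, super.login() returns false and the module contributes nothing. Leaving commit() to the base class (rather than adding the group to subject.getPrincipals() by hand) is what lets the "Roles" group merge with whatever other stacked modules put there.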