1 Reply Latest reply on Aug 14, 2014 10:17 AM by Darran Lofthouse

    JBoss - Select login module programmatically

    Cássio Mazzochi Molin Newbie

      I am working on a web application, hosted on a JBoss AS 7.1.1, which will be used by users from two different companies.

      In order to authenticate, besides username and password, users must provide the company they belong to.
      And, according to the company, the authentication will be against a database or against an Active Directory server.

      I have a LdapExtLoginModule to authenticate against the Active Directory server:

      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://ldaphost:389</module-option>
        <module-option name="bindDN">searchuser</module-option>
        <module-option name="bindCredential">password</module-option>
        <module-option name="baseCtxDN">CN=Users,DC=example,DC=com</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <module-option name="rolesCtxDN">CN=Users,DC=example,DC=com</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="roleAttributeID">CN</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
        <module-option name="roleRecursion">2</module-option>
        <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>

      And a DatabaseServerLoginModule to authenticate against the database:

      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity" value="guest"/>
        <module-option name="dsJndiName" value="java:/my-ds"/>
        <module-option name="principalsQuery" value="SELECT password FROM users WHERE username = ?"/>
        <module-option name="rolesQuery" value="SELECT DISTINCT role_id, 'Roles' FROM roles WHERE username = ?"/>
      </login-module>

      According to the company the user provided, how can I manage the authentication and select the proper login module? Thanks for helping.

      This question was also asked on StackOverflow.

        • 1. Re: JBoss - Select login module programmatically
          Darran Lofthouse Master

          My suggestion would be to implement a custom login module that is in the security domain referenced by the web application.  The two different authentication approaches should be defined in their own security domains.


          The login module of the first security domain can then decide which security domain to make use of for that specific user.


          Just one thing to watch out for is if you have users with the same name in both stores in case you run into caching issues on the first security domain.

          1 of 1 people found this helpful
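
A sketch of the delegating login module described in the reply, as an added example that is not part of the original thread and is not JBoss code. Assumptions: the user types `company/username` in the login form, the company keys `acme` and `globex` and the domain names `acme-ldap` and `globex-db` are hypothetical, and the container's JAAS `Configuration` resolves a security-domain name as a `LoginContext` entry.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Added example: company keys, domain names and the "company/username" format are assumptions.
public class CompanyRoutingLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private LoginContext delegate; // set only after the selected domain accepted the login

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s; handler = h;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("cannot read credentials: " + e); }
        String name = nc.getName();
        int slash = (name == null) ? -1 : name.indexOf('/');
        if (slash < 1) throw new FailedLoginException("expected company/username");
        String company = name.substring(0, slash);
        final String user = name.substring(slash + 1);
        final char[] password = pc.getPassword();
        // Fixed allow-list: user input picks between known domains, it never names one directly.
        String domain = "acme".equals(company) ? "acme-ldap"
                      : "globex".equals(company) ? "globex-db" : null;
        // Unknown company, empty user or empty password is rejected before any store is contacted.
        if (domain == null || user.isEmpty() || password == null || password.length == 0)
            throw new FailedLoginException("login rejected");
        LoginContext lc = new LoginContext(domain, subject, new CallbackHandler() {
            public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                for (Callback cb : cbs) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        });
        lc.login(); // throws LoginException if the selected store rejects the user
        delegate = lc;
        return true;
    }

    public boolean commit() { return delegate != null; }
    public boolean abort() throws LoginException { return logout(); }
    public boolean logout() throws LoginException {
        if (delegate != null) { delegate.logout(); delegate = null; }
        return true;
    }
}
```

Because the name presented to the outer domain keeps its company prefix, two users with the same short name in different stores reach that domain under different names.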