I'm still looking for a way to make JAAS athentitication and authorization on the WWW but I don't found nothing.
I will start to try a JPALoginModule based on the UsernamePasswordLoginModule Jboss class.
To do this, the first element is to export EntityManager
<property name="jboss.entity.manager.factory.jndi.name" value="java:jboss/DivingReservationEntityManagerFactory" /> <property name="jboss.entity.manager.jndi.name" value="java:/DivingReservationEntityManager"/>
to get acces to the JPA layer in the server context.
I'm not sure this will work since my transactions are managed in EJB Continer context.
I'll try and see.
If someone allready try this, please keep me informed.
I have a similar questions. We have an application that uses JAAS for authentication as follows:. (On Tomcat this works)
- Implemented LoginModule via a custom class. This class gets a connection to the DB via EntityManagerFactory, This class is in the war file deployed to tomact.
- Edited .jaars.login.config to have an entry for our custom realm that simple provide the fully qualified class name for our implementation
- Edited java.security to have the entry login.config.url.1 point to our .jaas.login.config file,
- In our servlet handling authentication we simply call new LoginContext and retrieve an instance of our LoginModule and proceed to authenticate. (Note we are not using form based authentication nor any of the JEE standard authentication options)
We are converting the application to run on JBoss but it appears that the custom LoginModule is not being detected. There are no error messages printed but the login simply fails. I have tried the following:
- Added a security domain to the standalone.xml file.
<security-domain name="MySecurityDomain" cache-type="default"> <authentication> <login-module code="za.co.example.security.DatabaseAuthModule" flag="required"/> </authentication> </security-domain>
2 Reset the java.security file to not refer to ur .jaas.login.config file.
But no luck. I am not sure if I am using security-domains correctly. All the documentation seems to be about using security domains declaratively using web.xml etc and not how to implment JAAS and your own security handling. Any assistance appreciated.