I think you have to extend org.jboss.security.auth.spi.AbstractServerLoginModule
and override the
I used a modified version of jCIFS from jcifs.samba.org to authenticate against our nt domain. This hack doesn't actually authenticate against the SAM. It uses an smb share on the server to authenticate the users. I don't use the NT roles though. My application has its own set of custom roles for the users. I'm not sure how you would get this. From what I hear, Weblogic teamed with JIntegra and they are offering an NT authentication module with their server. If you want to spend the cash on JIntegra, it should be able to get the NT information for you.
I followed the steps of the article and I implemented a custom login module for my application and it works ok; it doesn't use nt domain security but database security. I tried to use the NTLoginModule (a jaas implementation for nt provided by sun) to authenticate users on the server side, but it didn't work for 3 reasons:
1 - It only authenticates a user that is already logged in to the system (it works fine for client side authentication and single sign on, but not for jboss)
2 - It doesn't use the Group interface to identify the groups of a subject; it uses NtGroup, which doesn't implement the Group interface.
3 - The names of the groups aren't really names; they are ids of the groups.
I'll ask JIntegra if they have a real jaas implementation for nt domain security.
If they don't, I'll implement a LoginModule using JNI to invoke the win32 security api.
Does your LoginModule engage the client's browser in the NTLM challenge/response dialog? Or does it collect the logname, domain, and passphrase from the user and authenticate to NT as a proxy?
Either way, I'd very much appreciate it if you would share your code.
Thanks in advance,
It collects the username and password from the user (BASIC or FORM) and sends it to the login module which uses the modified copy of jCIFS to authenticate against an SMB share on a server. Right now the domain is hardcoded, but it could be easily changed to accept a domain from the user. It doesn't require a client to be using Windows or IE, it's all on the server side.
I found the method to authenticate using jCIFS on the jCIFS mailing list. Just do a search for "authenticate" on their mailing list (I've already forgotten where). If you can't find it, let me know, I will send you the patch for jCIFS.
This all worked on 2.2.4. I haven't tested it with 3.0, but I will be doing it soon.
I have the jCIFS distro. What part(s) of jCIFS did you change/patch and why?
I would encourage people to look at connecting JBoss to Active Directory via LDAP for Windows-based authentication. We have implemented custom logon modules using this and the jCIFS approach. Active Directory is the way to go for Win2K networks, imho.
Your suggestion does appear to be the best way to go (for authenticating against NT). Is this something you've successfully done? If so, can you share your design specifics (and 'gotchas') with those of us just starting out on this path?
Yes, we have successfully implemented an Active Directory plugin for Jboss. The bridge authenticates the user and populates his/her security credentials with those defined in Active Directory. This way you can control access to web/business components via Active Directory security. We have also implemented a BMP EJB wrapper for querying AD and representing users/groups as objects in your application.
This all works really well and is pretty much instantaneous. There were no major gotchas (except for one) but here are the challenges that we faced:
1. Understanding the LDAP attributes exposed by Active Directory - this was the first LDAP project we had done with AD.
2. Understanding which JBossSX class to subclass to create our module. We wound up subclassing the UsernamePasswordLoginModule and overriding the validatePassword() method to include the bulk of the LDAP logic.
3. Performing the correct queries to grab security roles.
4. (big gotcha) Coming to terms with the fact that there is NO WAY (as far as I can tell) to obtain the user's default NT security group (e.g. Domain Users) via 100% Java JNDI queries. This sounds counterintuitive but it is true. For performance reasons, Active Directory does not store a direct reference to the user's primary group. Instead, the primary group is derived by a function performed on the user's SID. While this is pretty easy to do in VB, there is no java class that will compute this for you. We wound up allowing the user to specify the default Windows group as an XML parameter (usually everybody in an organization has the same default group and that group is usually "Domain Users").
I'd be happy to answer any questions you might have about this.
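The derivation that point 4 above refers to, as an added example that is not code from this thread or from the poster's plugin: Active Directory keeps the primary group only as the primaryGroupID attribute (a RID) on the user object, so the group's SID is the user's objectSid with its final sub-authority replaced by that RID. The SID bytes below are a constructed sample, not a real domain.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

// Added example: derive the primary group's SID from a user's objectSid and primaryGroupID.
public class PrimaryGroupSid {

    // Render the binary objectSid attribute in its "S-1-5-21-..." string form.
    // Layout: revision (1 byte), sub-authority count (1 byte),
    // 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities.
    public static String sidToString(byte[] sid) {
        int revision = sid[0] & 0xFF;
        int subCount = sid[1] & 0xFF;
        long authority = 0;
        for (int i = 2; i < 8; i++) {
            authority = (authority << 8) | (sid[i] & 0xFF);
        }
        StringBuilder sb = new StringBuilder("S-").append(revision).append('-').append(authority);
        ByteBuffer buf = ByteBuffer.wrap(sid, 8, subCount * 4).order(ByteOrder.LITTLE_ENDIAN);
        for (int i = 0; i < subCount; i++) {
            sb.append('-').append(buf.getInt() & 0xFFFFFFFFL); // sub-authorities are unsigned
        }
        return sb.toString();
    }

    // The primary group is not stored as a reference: its SID is the user's domain SID
    // (everything before the last '-') followed by the RID held in primaryGroupID.
    public static String primaryGroupSid(byte[] userObjectSid, long primaryGroupId) {
        String user = sidToString(userObjectSid);
        return user.substring(0, user.lastIndexOf('-') + 1) + primaryGroupId;
    }

    public static void main(String[] args) {
        // Constructed sample user SID S-1-5-21-1000-2000-3000-1105 (not a real domain).
        byte[] objectSid = {
            1, 5,                               // revision 1, five sub-authorities
            0, 0, 0, 0, 0, 5,                   // identifier authority 5 (NT authority)
            0x15, 0, 0, 0,                      // 21
            (byte) 0xE8, 0x03, 0, 0,            // 1000
            (byte) 0xD0, 0x07, 0, 0,            // 2000
            (byte) 0xB8, 0x0B, 0, 0,            // 3000
            0x51, 0x04, 0, 0                    // RID 1105 (the user itself)
        };
        long primaryGroupId = 513;              // value of the user's primaryGroupID; 513 = Domain Users
        System.out.println("user  : " + sidToString(objectSid));
        System.out.println("group : " + primaryGroupSid(objectSid, primaryGroupId));
        // The group object can then be fetched with an LDAP filter such as
        // (objectSid=S-1-5-21-1000-2000-3000-513) to read its name for the role set.
    }
}
```

Running it prints the user SID followed by S-1-5-21-1000-2000-3000-513, the SID of the sample domain's Domain Users group.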
why do messages on this bbs not show up right away?
I'm trying to set up the file-based JAAS sample described in the docs, but with my own beans, instead of the beans in the sample, and I'm using a standalone client, instead of a servlet.
I think I have everything set up, including putting the "client/auth.conf" into the client jar file.
Unfortunately, when my client tries to create the LoginContext, I get the following exception:
java.lang.SecurityException: no protocol: auth.conf
I know that the client is reading the auth.conf file, because before I copied the "client/auth.conf" file and set the "java.security.auth.login.config" property, I was getting a different exception, "Unable to locate a login configuration".
What could be going wrong here? Is there some way to get more information? Is there someplace where this is well-documented?
Just in case, I'll include the "auth.conf" file here:
// Put your login modules that work without jBoss here
// jBoss LoginModule
// Put your login modules that need jBoss here
If anyone is interested I've created a NTLoginModule.
The basis for the Module is a JNDILoginModule that does a lookup, cast, home.create(); the remote object must be an instance of AbstractLoginModule. The reason it's wrapped is to allow non-M$ machines to authenticate against a windows domain. A workstation or PDC running JNDIServer is necessary. Basically I have a very minimal jboss instance running on the PDC. The NTLoginModule can use the freetagish stuff. I created my own that invokes a set of perl scripts. It's a hack, but it allows me to add users to the domain and modify groups etc etc.