7 Replies Latest reply on Oct 5, 2001 11:08 PM by Pranab Ghosh

    Where to store object from within a Login Module

    Thorsten Klusemann Newbie

      Hello together,

      we are using a LDAP-Server (Netscape) for authenticating and authorizing our users. Within the user entry in that LDAP-Server we store serialized Java objects, where Profile Information of that user is stored (authorizations etc).
      Now I have written an own LDAPLoginModule, that fits to our LDAP tree. I have the problem if I read the serialized object from the user during authentication in the Login Module, where can I store it within JBoss to make it accessible to my applications ?

        • 1. Nowhere
          Konstantin Newbie

          If you subclassed AbstractServerLoginModule,
          you do not have to store ths data.

          Your login module gets ( via callbacks ) username
          ( principal ) and password ( credential )

          login() method just says OK to this combinaion,
          and Group[] getRoleSets() returns assotiated roles.

          Jboss stores Principal & credential somwhere out of your scope.

          • 2. Re: Nowhere
            J. Wolfgang Kaltz Novice

            Yes, but that's just the username. I think the original question was, you access LDAP to retrieve all user information, including password. When you do the login stuff, the password gets verified.
            But now, how do you access the other user data which may come from LDAP, like user's preferredLanguage etc.

            Either, you can store an object somewhere during the login, but I don't see how ? Or, you have a later access to LDAP to get the other attributes, and this access is handled in an EJB. But this means I have to configure & handle my LDAP access at 2 different places : once in the auth.conf for JBossSX, and once in my application.
            It would be better if these 2 needs, password checking & user attributes retrieval could be handled in a single step, I think this is what the first poster meant.
            (Of course that might actually not be possible, because the password could be stored somewhere else or need to be accessed differently, with security, than the remaining attributes)

            Other opinions regarding integration of LDAP data & EJBs ?

            • 3. Re: Nowhere
              Konstantin Newbie

              IMHO - no way. You'll have to lookup this information
              later from LDAP.

              • 4. Re: Nowhere
                Thorsten Klusemann Newbie

                Yes you were right. I meant exactly this. I am in need to store user information other than username and password somewhere to access it later instead of doing a second LDAP-Connection and search.
                I am now thinking of storing that information somewhere in the JBoss namespace.

                Any other ideas?

                • 5. Re: Nowhere
                  J. Wolfgang Kaltz Novice

                  Well it's true that this need doesn't seem to fit the JAAS pattern. You authorize using one mechanism, perhaps even through a secure LDAP connection, so that password may be sent encrypted to LDAP for example.

                  And then, if authorization is OK, at a later time, you retrieve user information (other than password) from LDAP. For me, I wrote an EJBUserInfo which does this. The disadvantage is you have to go twice to LDAP and (worse), you have to configure your LDAP parameters in 2 different places ...

                  Storing the info in some static zone so that you avoid going to LDAP twice is probably not a good idea, in terms of architecture.

                  • 6. Re: Where to store object from within a Login Module
                    Scott Stark Master

                    The information can be store in the Subject.getPublicCredentials or Subject.getPrivateCredentials depending on their sensitivity, or in JNDI.

                    • 7. Re: Where to store object from within a Login Module
                      Pranab Ghosh Newbie

                      You could store the user related data from LDAP in a stateful session bean and store a reference to SFSB in the HTTP session.