This will depend largely on what kind of JAAS login module you use with JBoss, so I'm not sure exactly what you're after here... are you just asking what is the default database structure which is used by the basic database login module, so that you can write EJBs to manage security database information based on this?
I have two components that I need to write (if both are possible):
- implements existing JBoss security interfaces and/or extend existing code such that my own security classes can talk to our OSUser modules. That way JBoss isn't directly talking to LDAP/JAAS/whatever. Instead it is talking to OSUser, which in turn is talking to said authentication source. This is the more important of the two needs.
- Write an OSUser module that talks to a generic JBoss security manager and leaves the implementation (LDAP/JASS/whatever) up to the JBoss security adapter. Essentially, this is the "reverse order" of above, and isn't as useful (to me at least). However, to offer a complete package, I'd like to do both.
I read the JBoss docs on security, and I couldn't gather that much. The docs seem pretty limited right now, does that eBook contain any extra info?
I'll be digging around with this stuff for the next couple hours. Hopefully I'll get somewhere with this... :)
Ah, OK, from your original post it sounded like you were just wanting to manage user and role data in a format that could be used by JBoss, but you actually want to write authentication and access control modules which can be plugged into the server and access your data. I get it now.
In the first case, it sounds like you want to write a custom login module which accesses your setup. You would be best to look at the existing example modules in JBossSX - AbstractServerLoginModule, UsernamePasswordLoginModule and DatabaseServerLoginModule. If you extend one of these then you should be OK.
I don't really see the point of your second task (the plugin in reverse). Is this so that you can plug JBoss security into another server implementation?
The book has an in-depth discussion of most aspects of JBoss - down to implementation code level, not just user level, so it is well worth getting. There is an explanation of how to write a customized security module in there too.
I did end up buying the book and found that extending UsernamePasswordLoginModule will do the trick.
As for "the reverse", basically I'm just wondering if there is a way, say from a JSP, to make a JNDI lookup to a jboss user manager and make calls such as "add new user X" or "make user Y part of role B". Orion has something like that, but I couldn't find anything for JBoss. Not really a big deal, in my opinion, but it couldn't hurt to cover all our bases. :)
> Orion has something like that, but I couldn't find
> anything for JBoss.
That's because there isn't anything like that for JBoss :).
User management is really outwith the responsibility of a J2EE server and the security information is very dependent on the operating environment.
OK, no biggie...
I actually got this bad boy almost working (had to spend quite a bit of time getting xdoclet to work with my build scripts so that jboss was supported).
I'm trying a web app as a test for my custom LoginModule now, but not only can I not get jboss to talk to my code (yes, I do have security-domain in my jboss-web.xml), I can't even get tomcat to prompt for a BASIC authentication box. I even tried not using my login module and instead java:/jaas/simple, but still no popup. What gives?
BTW: this is happening in JBoss 2.4.3 + Tomcat 4.0. I tried JBoss 2.4.4 + Tomcat 4.0.1, but my sample app isn't deploying correctly (EJBs aren't working). I also tried it with JBoss 2.4.3 + Tomcat 3 but the JSPs wouldn't compile (couldn't find classes in the EJBs).
Basically, my app only seems to deploy correctly (and work for the most part) with JBoss 2.4.3 + Tomcat 4.0, except for the BASIC authentication. I saw some posts saying that BASIC auth is buggy with this distribution. Any tips?
I haven't tried any of the Catalina integration stuff so can't help you there.
It's virtually impossible to say, because you have a lot of stuff in there.
Did you get it all working fine with a simple client before you moved on to using a web application?
Thanks for following up. I actually got things working perfectly under JBoss 2.4.4 + Tomcat 4.0.1-beta. The only catch was that the crimson.jar included doesn't work with OSUser (yet) and so you need to grab a crimson.jar from an older version of JBoss (2.4.3 works great).
I highly recommend you check our project out. It is in working state for both Orion and JBoss, with Weblogic, JRun, and Websphere support coming very soon.
I do have a few issues with our current OSUserLoginModule (extends UsernamePasswordLoginModule):
1) There seems to be some sort of caching mechanism going on in one of the jboss-jaas classes. Basically, when a user is added to a role in OSUser, and then tries to access restricted content, he is let in correctly. But while jboss is still running and that user is then removed from the role, he can still access the content. The change doesn't come up until jboss is restarted. Is there a way to avoid this or provide callbacks to notify the caching mechanism to get updated?
2) UsernamePasswordLoginModule requires the abstract class getPassword, but OSUser doesn't have getPassword interface (it does temporarily). I'd like to see in the future an Abstract class that provides an abstract authenticate(String username, String password) method instead.
If the caching is due to one of the parent classes, could you provide an implementation that didn't cache?
Oh, and if you want to check out the early version of OSUser, get it from CVS at www.opensymphony.com or www.sf.net/projects/opensymphony. Besides crimson.jar, to get this to work with JBoss you need to add an entry to auth.conf for the osuser security-domain that uses the ProxyLoginModule and uses moduleName=com.opensyphony.module.user.provider.jboss.OSUserLoginModule
> I do have a few issues with the our current
> OSUserLoginModule (extends
> 1) There seems to be some sort of caching mechanism
> going on in one of the jboss-jaas classes. Basically,
> when a user is added to a role in OSUser, and then
> tries to access restricted content, he is let in
> correctly. But while jboss is still running and that
> user is then removed from the role, he can still
> access the content. The change doesn't come up until
> jboss is restarted. Is there a way to avoid this or
> provide callbacks to notify the caching mechanism to
> get updated?
You are correct, it does cache the roles associated with a user. JBoss uses a timed cache implementation in which it caches the roles for a particular user for a default time of 30 mins after it is created. If the cache is hit after the 30 mins, it will ask the LoginModule for the roles again, and cache them again, etc. You can't control the time externally, however you can change the cache policy that JBoss uses.
The JaasSecurityManager can be configured to use a different cache policy. The only requirement is that the class implements the org.jboss.util.CachePolicy interface.
You do this by configuring the JaasSecurityManager MBean in jboss.jcml like so:
<!-- JAAS security manager and realm mapping -->
The AuthenticationCacheJndiName specifies the jndi name of a CachePolicy instance to use. The only way to put a cache policy in JNDI is through your own MBean before the JaasSecurityManager MBean is deployed.
By default, JBoss uses the org.jboss.util.TimedCachePolicy class which has the default times hard-coded into it, so what I have done is created an MBean that customises the cache time and places it into JNDI.
Hope that helps,
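As an added illustration of the timed role cache described in the reply above (not the poster's MBean and not JBoss code): a small stand-alone cache with the lifetime taken from the constructor rather than hard-coded, and an explicit remove() that a role-change hook can call so a revoked role stops working right away instead of after the cache expiry. It mirrors the get/insert/remove/flush contract of a JBoss CachePolicy but deliberately does not implement org.jboss.util.CachePolicy, so it compiles without the JBoss jars; the principal name and roles are constructed sample values.

```java
import java.util.HashMap;
import java.util.Map;

// Stand-in for the role cache described above. Same get/insert/remove/flush
// contract as a JBoss CachePolicy, but no dependency on org.jboss.util.
public class ConfigurableTimedRoleCache {
    private static final class Entry {
        final Object value;
        final long expiresAtMillis;
        Entry(Object value, long expiresAtMillis) {
            this.value = value;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private final long lifetimeMillis;               // configurable, not hard-coded
    private final Map<Object, Entry> entries = new HashMap<Object, Entry>();

    public ConfigurableTimedRoleCache(int lifetimeSeconds) {
        this.lifetimeMillis = lifetimeSeconds * 1000L;
    }

    // Cached roles for a principal, or null if absent or expired (expired entries are dropped).
    public synchronized Object get(Object key) {
        Entry e = entries.get(key);
        if (e == null) return null;
        if (System.currentTimeMillis() >= e.expiresAtMillis) {
            entries.remove(key);
            return null;
        }
        return e.value;
    }

    public synchronized void insert(Object key, Object value) {
        entries.put(key, new Entry(value, System.currentTimeMillis() + lifetimeMillis));
    }

    // Evicting a principal when its roles change closes the stale-role window immediately.
    public synchronized void remove(Object key) { entries.remove(key); }
    public synchronized void flush() { entries.clear(); }
    public synchronized int size() { return entries.size(); }

    public static void main(String[] args) throws InterruptedException {
        ConfigurableTimedRoleCache cache = new ConfigurableTimedRoleCache(1); // 1 s instead of 30 min
        cache.insert("bob", new String[] {"admin"});     // constructed sample principal and roles
        System.out.println("fresh lookup hit: " + (cache.get("bob") != null));
        cache.remove("bob");                              // what a role-change callback should do
        System.out.println("hit after remove: " + (cache.get("bob") != null));
        cache.insert("bob", new String[] {"admin"});
        Thread.sleep(1500);                               // let the entry age past its lifetime
        System.out.println("hit after expiry: " + (cache.get("bob") != null));
    }
}
```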
Are you able/willing to share your MBean and CachePolicy code with us? :)