5 Replies Latest reply on Apr 18, 2002 3:57 AM by Martin Stepanek

    How does a standalone client pass the CallbackHandler to the

    Martin Stepanek Newbie

      Hi all,

      I'm new to JAAS and JBossSX and, no matter how I try, I can't understand the basic principle of communication between standalone client and JBoss's JaasSecurityManager...

      Let's assume, I get the userid and password on the client side somehow. Further, I have configured some LoginModules, which perform the authentication on the server side. To authenticate the user, the LoginModule calls the CallbackHandler to get the userid and password, which it then can verify.

      What I don't understand is: how can the client pass the CallbackHandler populated with userid and password to the JaasSecurityManager, and so to the server LoginModule? Or what another way is to hand over the userid and the password to the LoginModules on the server?

      Please, bear in mind, that the client is standalone, doesn't run on the JBoss... Please, post some, possibly brief, answer...

      Thank you very much
      Martin

        • 1. Re: How does a standalone client pass the CallbackHandler to
          Fredrik Bertilsson Newbie

          The client and server have different login modules. The client should use the loginmodule org.jboss.security.ClientLoginModule. This module does nothing else but stores (in something called SecurityAssociations) the username and password for later use. No actual validation is done when you call .login() on the client.

          When the client calls on a method on a ejb the user name and password (SecurityAssociations) is by some magic bundled with the client call. The username and password are on the server side collected from the SecurityAssociations and put into an array of Callbacks which are sent to your specified LoginModule on the server side.

          Observe that you should use one configuration file on the client side and another on the server side.

          /Fredrik Bertilsson

          • 2. Re: How does a standalone client pass the CallbackHandler to
            Martin Stepanek Newbie

            Thank you, Fredrik. Now it works well. Although I still don't quite understand the "magic" behind it. But, fortunatelly, I don't need to :o)

            Martin

            • 3. Re: How does a standalone client pass the CallbackHandler to
              Honda Civic Newbie

              What do the files client/auth.conf and conf/catalina/auth.conf look like? Any example of them would be nice.

              When running a client, how can you tell whether the client is looking into the file client/auth.conf?

              I have added

              client-login
              {
              org.jboss.security.ClientLoginModule required;
              };

              to my client/auth.conf and nothing happens. Do I need to package the client/auth.conf into the ear file?

              Thanks for any help.


              • 4. Re: How does a standalone client pass the CallbackHandler to
                Martin Stepanek Newbie

                You should probably do something like that (it works for me):

                1) In %JAVA_HOME%/jre/lib/security/java.security you have to configure the JAAS:

                login.config.url.1=file:somepath/jaas.config

                2) In the jaas.config file then configure the ClientLoginModule:

                client-login {
                org.jboss.security.ClientLoginModule required;
                };

                3) Implement a CallBackHandler class:

                 static class AppCallbackHandler implements CallbackHandler {
                 private String username;
                 private char[] password;
                
                 public AppCallbackHandler(String username, char[] password) {
                 this.username = username;
                 this.password = password;
                 }
                 public void handle(Callback[] callbacks) throws java.io.IOException, UnsupportedCallbackException {
                 for (int i = 0; i < callbacks.length; i++) {
                 if (callbacks instanceof NameCallback) {
                 NameCallback nc = (NameCallback)callbacks;
                 nc.setName(username);
                 }
                 else if (callbacks instanceof PasswordCallback) {
                 PasswordCallback pc = (PasswordCallback)callbacks;
                 pc.setPassword(password);
                 } else {
                 throw new UnsupportedCallbackException(callbacks, "Unrecognized Callback");
                 }
                 }
                 }
                 }
                


                4) ...and in your servlet, when the user logs in via a web form, create new AppCallbackHandler object, fill it with username and password, create new LoginContext with this callback handler and try to login (this time is no real authentication performed, it is performed not until the call to the appserver, on the appserver with its own LoginModule):

                 try {
                 AppCallbackHandler handler = new AppCallbackHandler(username, password);
                 LoginContext lc = new LoginContext("foo", handler);
                 lc.login();
                 } catch (LoginException le) { //but here should arise really no LoginException, because by then
                 //no real authentication is performed
                 System.out.println("Login failed.");
                 le.printStackTrace();
                 }
                


                5) Remember the username and password on the webserver as session variables and if it's necessary, login again.

                This is of course only the clients part, then you have to configure some LoginModule on the JBoss, but it's another story.

                Hope this helps you.

                Martin



                • 5. Re: How does a standalone client pass the CallbackHandler to
                  Martin Stepanek Newbie

                  Sorry, at the 4) there should have been:

                  LoginContext lc = new LoginContext("client-login", handler);
                  

                  instead of
                  LoginContext lc = new LoginContext("foo", handler);