4 Replies Latest reply on Feb 25, 2002 10:00 AM by Terry Ray

    Is SecurityAssociation required (even for custom JAAS module

    Terry Ray Newbie

      I've previously been extending some of the classes provided by JBoss (ClientLoginModule, AbstractServerLoginModule, UsernamePasswordLoginModule) to implement a custom JAAS module. Now, I've got to support some functionality beyond what SimplePrincipal is providing, so I'm looking at writing my own custom JAAS module from scratch. I get the impression that the org.jboss.security.SecurityAssociation class is central to the authentication process and not something I'll be able to avoid using, even for my custom module. Is this assumption correct? Thanks.

      Terry

        • 1. Re: Is SecurityAssociation required (even for custom JAAS mo
          Luke Taylor Novice

          Hi,

          Neither AbstractServerLoginModule nor UsernamePasswordLoginModule use SecurityAssociation. What makes you think you would have to use it in your login module?

          Luke.

          • 2. Re: Is SecurityAssociation required (even for custom JAAS mo
            Terry Ray Newbie

            I was looking at how the SecurityAssociationHandler is being used in the JaasSecurityManager class. The JaasSecurityManager class contains an instance of the SecurityAssociationHandler. I may be missing something here, but when the authenticate method of JaasSecurityManager is called, it appears to always call the defaultLogin method which creates the LoginContext using the SecurityAssociationHandler instance (which only supports username and password callbacks). I can't see any way to make the JaasSecurityManager use a different callback handler (but as I said before, maybe I'm missing something). Also, I should mention, the 3.0 source I'm looking at is probably at least a month old.

            However, I've figured out that I don't really need to use JaasSecurityManager. The answer is to write my own SecurityManager class. I couldn't just extend JaasSecurityManager because the methods I needed to override are private, so I just duplicated it and changed it so that I could use my own callback handler. This appears to have worked except now I'm running into a different issue with TimedCachePolicy but that's another post....

            Thanks for the inquiry. I hope that by looking at the JaasSecurityManager class, you'll see why I think you're stuck with SecurityAssociationHandler (unless you implement your own SecurityManager). Again, I apologize if I've misunderstood something here. Thanks.

            Terry

            > Hi,
            >
            > Neither AbstractServerLoginModule nor
            > UsernamePasswordLoginModule use SecurityAssociation.
            > What makes you think you would have to use it in your
            > login module?
            >
            > Luke.

            • 3. Re: Is SecurityAssociation required (even for custom JAAS mo
              Luke Taylor Novice

              I think it should still be possible to use the SecurityAssociationHandler with your custom login principal/credential information.

              It can also handle a callback of type SecurityAssociationCallback. If this is used, the handler doesn't attempt to interpret the principal and credential as a name and password. They will be passed directly to your login module.

              This functionality is used in the server side SRP login module, so you can look at the login code there.

              Luke.

              • 4. Re: Is SecurityAssociation required (even for custom JAAS mo
                Terry Ray Newbie

                Ah! Thanks for the tip, Luke. I hadn't thought of using the SecurityAssociationCallback. I was able to use it to retrieve my custom Principal in the login module. This will allow me to use the JaasSecurityManager and still propagate my custom Principal. Thanks again.

                Terry
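The pattern discussed in replies 3 and 4, as an added example that is not code from the thread or from JBoss: a login module asks its callback handler for an opaque principal/credential pair instead of a name and password, then validates what it receives. To run on a plain JDK (16+), `OpaqueCallback` is a hypothetical stand-in for JBoss's `SecurityAssociationCallback`; `TenantPrincipal`, `CustomLoginModule` and the sample secret are likewise constructed for illustration.

```java
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class OpaqueCallbackDemo {
    // Hypothetical stand-in for SecurityAssociationCallback: opaque principal and credential.
    static class OpaqueCallback implements Callback { Principal principal; Object credential; }
    // Hypothetical custom principal carrying more than a name.
    record TenantPrincipal(String name, String tenant) implements Principal { public String getName() { return name; } }
    static class CustomLoginModule implements LoginModule {
        private static final byte[] EXPECTED = "constructed-secret".getBytes(); // constructed sample
        private Subject subject; private CallbackHandler handler; private Principal identity;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        public boolean login() throws LoginException {
            OpaqueCallback cb = new OpaqueCallback();
            try { handler.handle(new Callback[] { cb }); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            // The handler did not interpret these values, so check types here and fail closed.
            if (!(cb.principal instanceof TenantPrincipal) || !(cb.credential instanceof byte[]))
                throw new FailedLoginException("unsupported principal or credential type");
            if (!MessageDigest.isEqual(EXPECTED, (byte[]) cb.credential)) // constant-time compare
                throw new FailedLoginException("bad credential");
            identity = cb.principal;
            return true;
        }
        public boolean commit() { return identity != null && subject.getPrincipals().add(identity); }
        public boolean abort() { identity = null; return true; }
        public boolean logout() { subject.getPrincipals().remove(identity); return true; }
    }

    public static void main(String[] args) throws Exception {
        CallbackHandler h = cbs -> { // constructed handler: fills the opaque callback only
            for (Callback c : cbs) {
                if (!(c instanceof OpaqueCallback)) throw new UnsupportedCallbackException(c);
                ((OpaqueCallback) c).principal = new TenantPrincipal("alice", "acme");
                ((OpaqueCallback) c).credential = "constructed-secret".getBytes();
            }
        };
        Subject subject = new Subject();
        CustomLoginModule m = new CustomLoginModule();
        m.initialize(subject, h, Map.of(), Map.of());
        if (m.login() && m.commit()) System.out.println(subject.getPrincipals());
    }
}
```

Because the handler passes the principal and credential through uninterpreted, the type and credential checks in `login()` are the only validation that happens before the custom principal reaches the `Subject`.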