4 Replies Latest reply on Apr 11, 2002 11:10 AM by J. Wolfgang Kaltz

    Role to UNIX-accounts mapping

    Jürgen Krannich Newbie

      Hello out there,
I read almost all posts in this forum but didn't get a hint on how to deal with the following scenario (which should be a quite common one). I'm running JBOSS in a UNIX-environment and need to map the roles to UNIX-accounts.
An intranet-user logs in to a JSP and provides his credentials to the web-container (UNIX-username/password). Of course this transmission has to be secured because we are handling sensitive passwords of the operational environment. After this initial 'client-side-login' (which of course is no real authentication because it happens somewhere outside our server) the JSP calls some EJBs within JBOSS to do the work. What I need is a mechanism to say that UNIX-user 'root' can do any calls on any EJB whereas UNIX-user 'guest' should only be allowed to call read-methods on some special Beans. So the 'server-side-LoginModule' should get the username/password from the web-container and authenticate the user against a UNIX-passwd-file. If authentication is successful, JBOSS should do only those method-calls that are allowed for this special UNIX-user/group. Does anybody know if this is possible with JBOSS? Maybe this is a very stupid question but I really need your help to handle this. Any hint would be great.

        • 1. Re: Role to UNIX-accounts mapping
          J. Wolfgang Kaltz Novice

Actually, I don't think this is a common scenario - web users are usually not Unix users on your application server?
          But anyway, JBoss can do anything on your server a Java application can do - no more, no less. Meaning, if JBoss is not run with root privileges (and it shouldn't run as root in a production environment), it will have no way of reading the system's password file.

By the way, if I were the system administrator of your system, I would refuse (or at least be very skeptical about) any web application where the root password of the server is used. Have you considered storing your users in an LDAP directory instead? (www.openldap.org :) )

          • 2. Re: Role to UNIX-accounts mapping
            Jürgen Krannich Newbie

            Of course you are right in that web users are usually not UNIX-users of an application server. But this is only true as long as you are developing an internet-application. What I'm trying to develop is an intranet-application, so all users of our intranet-web-application will be those of our UNIX-environment. Users from outside our intranet should be mapped to a guest-account.

The only thing I'd like to have is a single sign-on, meaning that our users do not have to remember a second username/password to use this application (most of them are swamped with only one login ;-)). That's why I need a central store used by UNIX as well as by the application server to authenticate. We currently use NIS (not NIS+, not passwd) so we can access the users' passwords without running as root. This is not very secure - I know - but it's not my choice.

            By the way, what I said about UNIX-user 'root' had only to be taken as an example (a very poor one, I admit). In production environment I would like to have a UNIX-group 'appadmin' to do the application administration stuff.

So after all I still have the need to map roles to UNIX-groups and I have no idea how to do this.

            • 3. Re: Role to UNIX-accounts mapping
              J. Wolfgang Kaltz Novice

> So after all I still have the need to map roles to
> UNIX-groups and I have no idea how to do this.

Actually, I think you have a more fundamental problem to solve before considering role mappings: you have a Java program running on your server, preferably under non-root privileges, needing to verify a username/password on the machine (or in a NIS service somewhere).

Group memberships could be read by reading /etc/passwd and /etc/group or their NIS counterparts, but verifying if a password is valid is more difficult since the password file (shadow or whatever) should not be world-readable.
Of course you can always do a first version where your Java program (or JBoss server) runs as root, then you should be able to read all necessary information in the system files while in your LoginModule.
Overwrite org.jboss.security.auth.spi.UsernamePasswordLoginModule
This gives you a place where you can write your password validation and role mappings, for instance by reading them from /etc/passwd et al.

              • 4. Re: Role to UNIX-accounts mapping
                J. Wolfgang Kaltz Novice

                > Overwrite
                > org.jboss.security.auth.spi.UsernamePasswordLoginModul

Oops, I meant to say, of course, extend that class, creating a new login module called UnixLoginModule for instance, and use that module in your auth.conf.
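Putting replies 3 and 4 together, here is an added example of what such a UnixLoginModule could look like. This is not code from the thread or from JBoss; the package name, the `passwdFile`/`groupFile` option names, the file layout and the use of commons-codec's `Crypt` for crypt(3) hashing are all assumptions made for the example. It assumes the JBoss 3.x/4.x `jbosssx` jar (for `UsernamePasswordLoginModule`, `SimpleGroup`, `SimplePrincipal`) and Apache commons-codec on the classpath, and a JDK that still ships `java.security.acl.Group` (JDK 8). The password source is a passwd(5)-format file: on a NIS host as in the thread that can be a dump of the passwd map, on a plain host it is only useful if the server is allowed to read the hashes; if it only sees the "x" placeholder of a shadowed system, the module fails closed.

```java
package com.example.security; // hypothetical package

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.acl.Group;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;

import org.apache.commons.codec.digest.Crypt;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Example UnixLoginModule (not part of JBoss): authenticates against a
 * passwd(5)-format file and maps the user's UNIX groups to JBoss roles.
 *
 * Module options (names chosen for this example):
 *   passwdFile - "user:hash:uid:gid:gecos:home:shell" lines
 *   groupFile  - "group:x:gid:member1,member2" lines
 */
public class UnixLoginModule extends UsernamePasswordLoginModule {

    private String passwdFile = "/etc/passwd";
    private String groupFile = "/etc/group";

    // Primary gid of the user found in passwdFile, needed for the role mapping
    private String primaryGid;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map sharedState, Map options) {
        super.initialize(subject, handler, sharedState, options);
        Object p = options.get("passwdFile");
        if (p != null) passwdFile = p.toString();
        Object g = options.get("groupFile");
        if (g != null) groupFile = g.toString();
    }

    /** Returns the stored crypt(3) hash of the user being authenticated. */
    @Override
    protected String getUsersPassword() throws LoginException {
        String user = getUsername();
        try (BufferedReader in = new BufferedReader(new FileReader(passwdFile))) {
            String line;
            while ((line = in.readLine()) != null) {
                String[] f = line.split(":", -1);
                if (f.length >= 4 && f[0].equals(user)) {
                    primaryGid = f[3];
                    return f[1];
                }
            }
        } catch (IOException e) {
            throw new LoginException("cannot read " + passwdFile + ": " + e.getMessage());
        }
        throw new LoginException("no such user: " + user);
    }

    /**
     * Re-hash the submitted password with the stored hash as salt (so the same
     * DES/MD5/SHA-crypt variant is used) and compare in constant time.
     * Locked ("!..."), disabled ("*") and shadowed ("x") entries never match.
     */
    @Override
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        if (inputPassword == null || expectedPassword == null
                || expectedPassword.length() < 13       // shortest valid output is DES, 13 chars
                || expectedPassword.startsWith("!")
                || expectedPassword.startsWith("*")) {
            return false;
        }
        String computed = Crypt.crypt(inputPassword, expectedPassword);
        return MessageDigest.isEqual(
                computed.getBytes(StandardCharsets.UTF_8),
                expectedPassword.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Roles = the user's primary group plus every group in groupFile that
     * lists the user. JBoss reads roles from the Group named "Roles".
     */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        String user = getUsername();
        SimpleGroup roles = new SimpleGroup("Roles");
        try (BufferedReader in = new BufferedReader(new FileReader(groupFile))) {
            String line;
            while ((line = in.readLine()) != null) {
                String[] f = line.split(":", -1);
                if (f.length < 4) continue;
                boolean member = f[2].equals(primaryGid);
                for (String m : f[3].split(",")) {
                    if (m.equals(user)) member = true;
                }
                if (member) roles.addMember(new SimplePrincipal(f[0]));
            }
        } catch (IOException e) {
            throw new LoginException("cannot read " + groupFile + ": " + e.getMessage());
        }
        return new Group[] { roles };
    }
}
```

With this module the auth.conf entry would be a standard JAAS stanza such as `intranet { com.example.security.UnixLoginModule required passwdFile="/etc/passwd" groupFile="/etc/group"; };` (the application name `intranet` and the option values are assumptions), and the per-method rules from the original question ("appadmin may call everything, guest only the read methods") are then expressed as ordinary `<method-permission>` entries in ejb-jar.xml referencing the UNIX group names as roles. Keep in mind the caveat from reply 1: whatever file the module reads must be readable by the non-root user JBoss runs as, and making real password hashes readable to the application server widens what a compromise of that server exposes.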