5 Replies Latest reply on May 24, 2002 2:37 AM by Niranjan Sathe

    Help on writing custom LoginModule

    Niranjan Sathe Newbie

      I have written my own LoginModule extending org.jboss.security.auth.spi.AbstractServerLoginModule and I provided the implementations for the following methods:
      protected Group[] getRoleSets()
      protected Principal getIdentity()
      public boolean login()
      public void initialize(....). I also wrote my own implementations of CallbackHandler, Principal and Group. Along with the LoginModule I bundled them into a jar and included the jar in the JBOSS_CLASSPATH in run_with_catalina.bat. The custom LoginModule was available to both the client & server. I changed the auth.conf for both the client and server side to pick up the custom LoginModule. The customer LoginModule has hardcoded username and password for authentication.
      The custom LoginModule is picked up by both the client and JBoss and the Initialize() and login() methods are called. But on the server-side the custom CallbackHandler.handle(.) method is not called.
      I am now confused about my approach to this. There appears to be something fundmentally wrong about what I am doing. Where should the actual authentication happen - on the client or server side? The custom LoginModule.login() method is being called on the both sides.
      Please help.
      Thank you.
      - Niranjan

        • 1. Re: Help on writing custom LoginModule
          J. Wolfgang Kaltz Novice

          The actual authentication should only happen on the server side (JBoss). So I guess it doesn't make sense to make your custom LoginModule available on the client side.

          On the client side, you should only use the org.jboss.security.ClientLoginModule

          • 2. Re: Help on writing custom LoginModule
            Peter O'Connor Newbie

            Niranjan,

            >>Where should the actual authentication happen - on the client or server side?
            The JBoss EJB container (server) checks authentication on every method call. So authentication needs to occur on the server side.

            On the client side use the org.jboss.security.ClientLoginModule. This module does not perform authentication, but instead prepares the user principal and credential for use by the JBoss server.

            I have also created custom LoginModules for use by the JBoss server. After you write them and test them you declare them in the server login-config.xml.

            >>But on the server-side the custom CallbackHandler.handle(.) method is not called.
            On the server side do not use any custom CallbackHandler, Principals or Groups with JAAS since the JBoss server uses its own mechanism for handling authentication. Just declare the LoginModules in login-config.xml.

            If you are getting specific errors, post them here for analysis. Also read the server log file, because more details are deposited there.

            BTW, congratulations on writing your own custom LoginModule -- it is not a trivial exercise.

            -- Peter

            • 3. Re: Help on writing custom LoginModule
              Niranjan Sathe Newbie

              Thanks to J. Wolfgang Kaltz and Peter O'Connor for help.

              I was unaware of the existence of the ClientLoginModule and was considering writing two separate LoginModules one for client-side and one for the server-side (doing the actual authentication)!
              Does JAAS work in a similar way with other application servers too?
              I will try out your solutions and post the outcome on the forum.

              Thanks again.
              Niranjan.

              • 4. Re: Help on writing custom LoginModule
                Peter O'Connor Newbie

                >>Does JAAS work in a similar way with other application servers too?

                I'm not sure.

                With JBossSx, we again have an example of how the JBoss developers take a perfectly good Sun Java package and twist it around to do something that was not intended. ;-)

                Congratulations, guys.

                • 5. Re: Help on writing custom LoginModule
                  Niranjan Sathe Newbie

                  It worked! I linked the ClientLoginModule to the security domain on the client side and for JBoss I linked the custom LoginModule to the security domain. As I was using JBoss 2.4.4 with Catalina, I had to set these in the corresponding auth.conf files. Besides this and indicating the security-domain in jboss.xml in the EJB jar, I did not do anything else.
                  I had to use the customer CallbckHandler when creating a LoginContext. I tired to pass Subject (with Principals and Credentials pre-loaded) to LoginContext as the second parameter but I kept getting a exception that no CallbackHandler was available (most likely thrown by ClientLoginModule?).
                  Regarding the similarity of this implementation with JAAS implementations in other app. servers, the JAAS specification does not talk of a scenario such as authentication across a EJB client and EJB server running in different JVMs. It has a single JVM focus even though it does talk about passing principal information to other app. servers. If every app. server's JAAS requires significant code change to adapt from other app. server's JAAS implementations, then we do not have a standard authentication mechanism with Java applications that are direct EJB clients.