3 Replies Latest reply on Aug 16, 2002 11:32 AM by Jon S Bratseth

    Decoupling client from SecurityAssociation

    Zak Umanoff Newbie

      Hi- I'm looking into configuring security between a java client application and a jboss server. I've been able to use a custom LoginModule from the client to authenticate the client user and establish a session (ie, use SecurityAssociation.setPrincipal()/setSubject() to have the user info sent to the server so it can be retrieved on the server).

      However, I don't like the fact that my ClientModule is coupled to a jboss class, in this case org.jboss.security.SecurityAssociation. Am I missing something? Perhaps there is a different way to establish a user session. Or perhaps people don't worry about the coupling since LoginModule's are essentially essentially decoupled from the system via the auth.conf configuration file.

      I'd be interested to hear what other people think of this.

      Thanks!

        • 1. Re: Decoupling client from SecurityAssociation
          Jon S Bratseth Newbie

          I guess you are. This is one way to do it without:

          1. Make a login configuration which tells JAAS to use
          org.jboss.security.ClientLoginModule (without referencing ther class. If you don't want to mess with java.policy, create a subclass of javax.security.auth.login.LoginConfiguration
          which returns the configuration entry you want
          (tha class name above, the constant REQUIRED and no options)
          and do a javax.security.auth.login.Configuration.setConfiguration(new MyConfiguration());
          at startup.

          2. Create your own implementation of javax.security.auth.callback.CallbackHandler
          to return the user name and password from wherever you obtain it.

          3. Do
          new javax.security.auth.login.LoginContext("whatever", new myCallbackHandler()).login();

          • 2. Re: Decoupling client from SecurityAssociation
            Jon S Bratseth Newbie

            I guess you are. This is one way to do it without:

            1. Make a login configuration which tells JAAS to use
            org.jboss.security.ClientLoginModule (without referencing ther class. If you don't want to mess with java.policy, create a subclass of javax.security.auth.login.LoginConfiguration
            which returns the configuration entry you want
            (tha class name above, the constant REQUIRED and no options)
            and do a javax.security.auth.login.Configuration.setConfiguration(new MyConfiguration());
            at startup.

            2. Create your own implementation of javax.security.auth.callback.CallbackHandler
            to return the user name and password from wherever you obtain it.

            3. Do
            new javax.security.auth.login.LoginContext("whatever", new myCallbackHandler()).login();

            • 3. Re: Decoupling client from SecurityAssociation
              Jon S Bratseth Newbie

              I guess you are. This is one way to do it without:

              1. Make a login configuration which tells JAAS to use
              org.jboss.security.ClientLoginModule (without referencing ther class. If you don't want to mess with java.policy, create a subclass of javax.security.auth.login.LoginConfiguration
              which returns the configuration entry you want
              (tha class name above, the constant REQUIRED and no options)
              and do a javax.security.auth.login.Configuration.setConfiguration(new MyConfiguration());
              at startup.

              2. Create your own implementation of javax.security.auth.callback.CallbackHandler
              to return the user name and password from wherever you obtain it.

              3. Do
              new javax.security.auth.login.LoginContext("whatever", new myCallbackHandler()).login();