5 Replies Latest reply on Nov 19, 2002 7:29 AM by sheckler

    Chaining of Login Modules fails

    sheckler

      Hi all.
      I have problems combining 2 login modules. First I wrote 2 custom server login modules, which individually work fine. But when I combine them both with the option flag "sufficient" (if the first succeeds, control should go back to the client, if it fails, the second should be involved). In fact if one of them fails, I get an authentication exception.

      Did anyone struggle with the same problem and find a solution or explanation for it?

      Thanks

      Stefan Heckler

        • 1. Re: Chaining of Login Modules fails

          I've checked, and JBoss appears to work fine. I did see something that looked very like your problem, but the fault was mine!

          Check your login-config carefully to make sure you only have ONE set of tags around TWO <login-module> tags.

          If you have accidentally put tags around EACH <login-config>, then JBoss silently ignores all but the first login-config, which would look to you like the problem you have.

          • 2. Re: Chaining of Login Modules fails

            I've checked, and JBoss appears to work fine. I did see something that looked very like your problem, but the fault was mine!

            Check your login-config carefully to make sure you only have ONE set of tags around TWO <login-module> tags.

            If you have accidentally put tags around EACH <login-config>, then JBoss silently ignores all but the first login-config, which would look to you like the problem you have.

            • 3. Re: Chaining of Login Modules fails
              sheckler

              Hi,
              thanks for your answer. I checked your hint. This is my login-config:

              <application-policy name="otherDB_PSI_Auth">

                <login-module code="cmd.security.auth.spi.PSIServerLoginModule" flag="sufficient">
                  <module-option name="debug">true</module-option>
                  <module-option name="dsJndiName">java:/OracleAuthenticationDS</module-option>
                </login-module>
                <login-module code="cmd.security.auth.spi.PSIServerLSLoginModule" flag="sufficient">
                  <module-option name="debug">true</module-option>
                </login-module>

              </application-policy>


              So I think it is correct. While authenticating, both modules are always asked, and if one of them fails, a security exception is thrown. I tried many combinations of flags, but they seem to have no influence on the behavior. There must be some other problem. I am using JBoss 3.0.0 and I tried 3.0.3 with no change.

              Stefan Heckler

              • 4. Re: Chaining of Login Modules fails
                linw88

                Not sure if you fixed this problem yet. JBoss 3.0.0 has a bug. JBoss 3.0.3 fixed it. We have chained login-modules in 3.0.3, they work fine. If you have to stick with 3.0.0, you will have to change LoginModuleControlFlag's toString method to

                public String toString()
                {
                    return controlFlag;
                }

                • 5. Re: Chaining of Login Modules fails
                  sheckler

                  Thanks for that helpful hint, but I did not really understand where to override the toString method (I am bound to JBoss 3.0.0).

                  Stefan (sheckler@psi.de)
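
The control-flag behaviour discussed in this thread can be checked outside JBoss with the standard JAAS API. The following is an added example, not code from the thread or from JBoss: `SufficientChainDemo` and `StubModule` are hypothetical names, the stub stands in for the real login modules, and Java 9 or later is assumed. It runs a two-module chain once with `sufficient` and once with `required`; a chain in which a failure of either module fails the whole login is the `required` result.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class SufficientChainDemo {
    /** Hypothetical stand-in module: passes or fails according to its "succeed" option. */
    public static class StubModule implements LoginModule {
        private boolean succeed, passed;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            succeed = "true".equals(opts.get("succeed"));
        }
        public boolean login() throws LoginException {
            if (!succeed) throw new FailedLoginException("stub module rejected the login");
            return passed = true;
        }
        public boolean commit() { return passed; }   // false means "ignore this module"
        public boolean abort()  { passed = false; return true; }
        public boolean logout() { passed = false; return true; }
    }

    /** Runs a two-module chain under one control flag; true if the overall login succeeds. */
    static boolean authenticate(LoginModuleControlFlag flag, boolean firstOk, boolean secondOk) {
        AppConfigurationEntry[] chain = {
            new AppConfigurationEntry(StubModule.class.getName(), flag, Map.of("succeed", String.valueOf(firstOk))),
            new AppConfigurationEntry(StubModule.class.getName(), flag, Map.of("succeed", String.valueOf(secondOk)))
        };
        Configuration config = new Configuration() {   // in-memory replacement for a login-config file
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return chain; }
        };
        try {
            new LoginContext("demo", new Subject(), null, config).login();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        boolean[][] cases = { {true, false}, {false, true}, {false, false} };   // constructed inputs
        for (boolean[] c : cases) {
            System.out.printf("first=%-5b second=%-5b  sufficient=%-5b  required=%b%n", c[0], c[1],
                authenticate(LoginModuleControlFlag.SUFFICIENT, c[0], c[1]),
                authenticate(LoginModuleControlFlag.REQUIRED, c[0], c[1]));
        }
    }
}
```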