5 Replies Latest reply on Nov 19, 2002 7:29 AM by Stefan Heckler

    Chaining of Login Modules fails

    Stefan Heckler Novice

      Hi all.
      I have problems combining 2 login modules. First I wrote 2 custom server login modules, which individually work fine. But when I combine them both with the option flag "sufficient" (if the first succeeds, control should go back to the client, if it failes, the second should be involved). In fact if one of them fails, I get an authentification exception.

      Did anyone struggle with the same problem and find a solution or explanation for it?

      Thanks

      Stefan Heckler

        • 1. Re: Chaining of Login Modules fails
          Nick Newman Newbie

          I've checked, and JBoss appears to work fine. I did see something that looked very like your problem, but the fault was mine!

          Check your login-config carefully to make sure you only have ONE set of tags around TWO <login-module> tags.

          If you have accidentally put tags around EACH <login-config>, then JBoss silently ignores all but the first login-config, which would look to you like the problem you have.

          • 2. Re: Chaining of Login Modules fails
            Nick Newman Newbie

            I've checked, and JBoss appears to work fine. I did see something that looked very like your problem, but the fault was mine!

            Check your login-config carefully to make sure you only have ONE set of tags around TWO <login-module> tags.

            If you have accidentally put tags around EACH <login-config>, then JBoss silently ignores all but the first login-config, which would look to you like the problem you have.

            • 3. Re: Chaining of Login Modules fails
              Stefan Heckler Novice

              Hi,
              thanks for Your answer. I checked Your hint. This is my login-config:

              <application-policy name="otherDB_PSI_Auth">

              <login-module
              code="cmd.security.auth.spi.PSIServerLoginModule" flag="sufficient">
              <module-option name="debug">true</module-option>
              <module-option name="dsJndiName">java:/OracleAuthenticationDS</module-option>
              </login-module>
              <login-module
              code="cmd.security.auth.spi.PSIServerLSLoginModule" flag="sufficient">
              <module-option name="debug">true</module-option>
              </login-module>

              </application-policy>


              So I think it is correct. While authenticating both modules are always asked and if one of them failes, a security exception iis thrown. I tryied many combinations of flags, but they seem to have no influence on the behavior. There must be some other problem. I am using JBoss 3.0.0 and I tryied 3.0.3 with no change.

              Stefan Heckler

              • 4. Re: Chaining of Login Modules fails
                lin Newbie

                Not sure if you fixed this problem yet. Jboss3.0.0 has a bug. JBoss3.0.3 fixed it. We have chained lgoin-modules in 3.0.3, they work fine. If you have to stick with 3.0.0, you will have to change LoginModuleControlFlag's toString method to

                public String toString()
                {
                return controlFlag;
                }

                • 5. Re: Chaining of Login Modules fails
                  Stefan Heckler Novice

                  Thanks for that helpful hint, but I did not really understand, where to override the toString method (I am bound to JBoss 3.0.0).

                  Stefan (sheckler@psi.de)