2 Replies Latest reply on Jun 18, 2003 8:54 AM by Steven

    LoginModules requiring Application classpath access

    Steven Newbie

      Hi all,

      I've got an application for which I've written a custom LoginModule. Everything is configured correctly with regard to security domains etc. (both my web and ejb layers use the same domain). However, in my LoginModule's login() method I want to access a class which resides within my application (a UserManager class from the OpenSymphony project) which I will use to authenticate my user.

      To access this class the LoginModule must reside somewhere within my ear deployment file. If it resides in there, a LoginContext created in my application can find the module correctly; however, JBoss's security interceptors (for the ejb layer, for example) result in a ClassNotFoundException from JBoss's classloader when trying to initialise the LoginModule class.

      I've tried the ProxyLoginModule, however this still cannot find the class (unless it's somewhere else such as my server's lib directory, which means that it can't access the UserManager class I want out of my application).

      Is there any way of adding a path to a jar inside the ear as a classpath mbean for the server? If this isn't possible I'm going to have to resort to using JDBC from my LoginModule to authenticate users, which is a pain considering the authentication code is already written in my UserManager providers...

      Any thoughts would be appreciated!

      Thanks,

      Steven

        • 1. Re: LoginModules requiring Application classpath access
          Juha Lindfors Master

          How are you trying to instantiate your class? As long as you make sure you're using UCL you should be able to find it (i.e. DO NOT do Class.forName())

          • 2. Re: LoginModules requiring Application classpath access
            Steven Newbie

            The login module class could be successfully loaded from my LoginContext within my web layer; however, any call to an ejb would be caught by the org.jboss.ejb.plugins.SecurityInterceptor, which calls JaasSecurityManager in the same package, which tries to authenticate the user in the ejb security domain (it creates a LoginContext and attempts a login). If the login module used in this domain resides within my ear (as it did), the classloader can't find it.

            I didn't find a solution to this and resorted to extending the DatabaseServerLoginModule for the ejb security domain.

            On a side note, I shouldn't have tried to use the same security domain for both the web and ejb layers. Rather, the web layer should just use the ClientLoginModule to bind the username and credential to the SecurityAssociation, allowing ejb method invocations to be made with a non-null principal and role set.