2 Replies Latest reply on Sep 11, 2003 12:58 PM by donspinner

    Custom Login Module using both LDAP and Database

    nanda

      Hi All,

I have a question about creating a new login module by combining 2 login modules. I have to use LDAP for authentication. The roles will be stored in a database, so I have to use a Database Roles query to retrieve the roles. Has anyone done something similar to this? Any ideas/suggestions are really appreciated.

      Thanks
      Nanda

        • 1. Re: Custom Login Module using both LDAP and Database
          jimbrady

          > Hi All,
          >
          > I have a question about creating a new login module
          > by combining 2 login modules. I have to use LDAP for
          > authentication. The roles will be stored in
          > database. So I have to use Database Roles query to
          > retrieve the roles. Has anyone done something
          > similar to this. Any ideas/suggestions are really
          > appreciated
          >
          > Thanks
          > Nanda


          Hi,
did you get any replies - or have you succeeded? I'm getting to the same point and any help I can get would be great. I can't believe there isn't a STANDARD solution for this. Doesn't EVERYBODY want to do this (one userid/password, application-specific security)? If you have a solution then by publishing it I'm sure you'll make a great contribution to world happiness!
          Jim Brady

          • 2. Re: Custom Login Module using both LDAP and Database
            donspinner

            Instead of merging the DB and the LDAP Login Modules you may prefer to still keep the two login modules distinct. This would amongst other things make it more convenient for you to re-use either of the 2 Login Modules in different scenarios.

            The JAAS specification allows you to associate 1 or more LoginModules with a given LoginModuleName ... stacked authentication. In a similar scenario, I needed to authenticate against an LDAP directory while getting the roles for each user from a database.

            For this, I implemented both login modules, one for LDAP and one for the DB, registered in the {jboss321.home}/server/default/conf/login-config.xml file like so...

<application-policy name = "UserLogin">
    <authentication>
        <!-- first in the stack: authenticates the user against LDAP -->
        <login-module code = "com.sw.security.auth.login.LDAPLoginModule"
                      flag = "required">
        </login-module>
        <!-- second in the stack: looks up the user's roles in the database -->
        <login-module code = "com.sw.security.auth.login.DBLoginModule"
                      flag = "required">
        </login-module>
    </authentication>
</application-policy>

The LDAP Login Module is the first invoked by the LoginContext object. In its login() method, the authentication against the LDAP directory is implemented. There may be no need to do anything in the login() method of the DB Login Module, only in the commit() method, which is where particulars are placed in the Subject by the Login Modules.

            In the commit() method of the LDAP Login Module, such principals (like username etc) and credentials as necessary are put in the Subject.

            In the commit() method of the DB Login Module however, extract the roles of the User from the database. In my case, I use a session bean (UserManager) talking to User and Role entities at the back to extract all roles for the user. I then load these roles as a Group in the Subject like so...


*******************************************
try {
    /** add roles as a group **/
    // initialize ejbs: UserManager session bean looks up the user and its roles
    UserManager um = ((UserManagerHome) EjbUtilities.getHome("portal/UserManager", UserManagerHome.class)).create();
    Iterator rolesIterator = um.getUserRoles(um.getUserInfo(userName).getUserID()).iterator();

    String roleName;
    // the group must be named "Roles" for JBoss to treat its members as the user's roles
    PortalGroup userRoles = new PortalGroup("Roles");
    PortalLogger.debug("User principal added");

    if (rolesIterator.hasNext()) {
        // one principal per role name returned by the database
        while (rolesIterator.hasNext()) {
            roleName = ((RoleInfo) rolesIterator.next()).getRoleName();
            userRoles.addMember(new PortalPrincipal(roleName));
        }

        // add group to subject (only once, if a group with this name is not already present)
        if (!subject.getPrincipals().contains(userRoles))
            subject.getPrincipals().add(userRoles);
    }
    PortalLogger.debug("User roles added");
} catch (Exception e) {
    // any failure in the role lookup fails the commit, and so the whole login
    throw new LoginException(e.getMessage());
}
*******************************************

Of course nothing prevents you from combining both Modules, placing the code to get the roles in the commit() method of the LDAP Login Module. However, I prefer to keep them distinct for the reason stated above.

I hope you find this useful.

            Thanks
            Onyekachi Izukanne
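An added illustration, not code from this thread: a minimal second-in-the-stack DB role module for the configuration above, using JBoss's org.jboss.security.SimpleGroup/SimplePrincipal and a JDBC DataSource instead of the session bean. It assumes the LDAP module stores the authenticated name under the standard JAAS shared-state key javax.security.auth.login.name; the dsJndiName option and the user_roles table are hypothetical.

```java
import java.sql.*;
import java.util.Map;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.sql.DataSource;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

public class DBRolesLoginModule implements LoginModule {
    private Subject subject;
    private Map sharedState;
    private String dsJndiName;   // hypothetical <module-option name="dsJndiName">, e.g. java:/DefaultDS
    private String userName;
    private boolean loginOk;
    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        this.subject = subject;
        this.sharedState = sharedState;
        this.dsJndiName = (String) options.get("dsJndiName");
    }
    public boolean login() throws LoginException {
        // Assumption: the LDAP module (first in the stack) published the authenticated name here.
        Object name = sharedState.get("javax.security.auth.login.name");
        if (name == null) throw new LoginException("no authenticated user name in shared state");
        userName = name.toString();
        return loginOk = true;
    }
    public boolean commit() throws LoginException {
        if (!loginOk) return false;
        SimpleGroup roles = new SimpleGroup("Roles");   // JBoss reads roles from the group named "Roles"
        try {
            Connection con = ((DataSource) new InitialContext().lookup(dsJndiName)).getConnection();
            try {
                // hypothetical table; the bound parameter keeps the user name out of the SQL text
                PreparedStatement ps = con.prepareStatement("SELECT role_name FROM user_roles WHERE user_name = ?");
                ps.setString(1, userName);
                for (ResultSet rs = ps.executeQuery(); rs.next();) roles.addMember(new SimplePrincipal(rs.getString(1)));
            } finally { con.close(); }
        } catch (Exception e) {
            throw new LoginException("role lookup failed: " + e.getMessage());
        }
        subject.getPrincipals().add(roles);
        return true;
    }
    public boolean abort() { loginOk = false; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

Because both modules are flagged required, a failed role lookup fails the whole login rather than leaving an authenticated Subject with no roles.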