6 Replies Latest reply on Aug 11, 2003 4:08 PM by Sean Radford

    Custom Login

    Andy Newbie

      Just a question ... what is the rationale behind the seeming JBoss policy that any Custom LoginModule has to extend org.jboss.security.auth.spi.AbstractLoginModule ?

      The whole point of JAAS is to make security a portable option for people deploying across a range of J2EE servers, yet then JBoss insists that people break this by tying them into their own classes.

      Any plans for this to be removed in JBoss 4.0 ?

        • 1. Re: Custom Login
          Sean Radford Novice

          Do you mean org.jboss.security.auth.spi.AbstractServerLoginModule ?

          • 2. Re: Custom Login
            Andy Newbie

            Yes that is what I meant :-) Why should I *have to* extend that or one of its subclasses ? Why can't I just extend javax.security.auth.spi.LoginModule and stick to pure JAAS (that can be used in a different EJB container) rather than JBoss JAAS (that can't) ?

            • 3. Re: Custom Login
              Sean Radford Novice

              Who said that you 'have' to? You can just create your own class that implements LoginModule...

              • 4. Re: Custom Login
                Andy Newbie

                Well all documentation suggests this (the JAAS howto doc for starters), and many posts on this forum suggest this.

                I had already implemented my own LoginModule extending javax.security.auth.spi.LoginModule. I put it in a JAR and put it in $JBOSS_HOME/server/default/lib/. I then reference it in $JBOSS_HOME/server/default/conf/login-config.xml for a web application, as follows
                <application-policy name="MyDBRealm">

                <login-module code="mydomain.JAAS.DBLoginModule" flag="required">
                <module-option name="dsJndiName">java:/DefaultDS</module-option>
                <module-option name="principalsQuery">
                SELECT Password FROM User WHERE Username=?</module-option>
                <module-option name="rolesQuery">
                SELECT Role, 'Roles' FROM UserRole WHERE Username=?</module-option>
                </login-module>

                </application-policy>

                When I try to log in I get

                2003-08-08 06:07:06,828 DEBUG [org.jboss.security.plugins.JaasSecurityManager.MyDBRealm] Login failure
                javax.security.auth.login.LoginException: No LoginModules configured for MyDBRealm

                How do these LoginModules get configured for use in JBoss ?

                If I swapped the login-module above for JBoss's DatabaseServerLoginModule it works - however I don't want to do that :-(

                • 5. Re: Custom Login
                  Andy Newbie

                  I can only interpret the lack of a response here as acceptance that I have to extend the JBoss JAAS AbstractServerLoginModule - the comments in the source file for that module imply it also. It would be nice to have that confirmed or otherwise - surely someone has an example of *not* extending the JBoss base LoginModule and its use in JBoss ?

                  • 6. Re: Custom Login
                    Sean Radford Novice

                    Hmm... I don't quite see how not getting a response during a weekend is any acceptance of that at all - some of us get out and about at w/e's.

                    I suggest you debug your code a little... Is your login module getting instantiated and initialised, for instance?
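
The check suggested in the last reply, as an added example that is not code from the thread or from JBoss: a module that implements only javax.security.auth.spi.LoginModule and traces each lifecycle call, so the server log shows whether the container instantiated and initialised it. The class name TracingLoginModule and the options testUser and testPassword are hypothetical; the module authenticates a single constructed test account and does not populate roles.

```java
// Added example: pure-JAAS module; class and option names are hypothetical.
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class TracingLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;
    private Principal identity;

    public TracingLoginModule() { trace("instantiated"); }

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h; options = opts;
        trace("initialize, option names " + opts.keySet()); // names only: values may be secrets
    }

    public boolean login() throws LoginException {
        // Constructed test credentials read from module options; absent options must fail closed.
        Object user = options.get("testUser"), pass = options.get("testPassword");
        if (user == null || pass == null) throw new LoginException("testUser/testPassword not set");
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback handler failed: " + e);
        }
        char[] pw = pc.getPassword();   // a copy; null if nothing was supplied
        pc.clearPassword();
        byte[] got = new String(pw == null ? new char[0] : pw).getBytes(StandardCharsets.UTF_8);
        byte[] want = pass.toString().getBytes(StandardCharsets.UTF_8);
        boolean ok = user.toString().equals(nc.getName()) && MessageDigest.isEqual(want, got);
        trace("login -> " + ok);        // never log the password or raw user input
        if (!ok) throw new FailedLoginException("invalid credentials");
        final String name = nc.getName();
        identity = () -> name;          // Principal's only abstract method is getName()
        return true;
    }
    public boolean commit() { trace("commit"); return identity != null && subject.getPrincipals().add(identity); }
    public boolean abort() { boolean had = identity != null; identity = null; trace("abort"); return had; }
    public boolean logout() {
        if (identity != null) subject.getPrincipals().remove(identity);
        trace("logout"); identity = null; return true;
    }
    private static void trace(String msg) { System.err.println("[TracingLoginModule] " + msg); }
}
```

If "instantiated" never appears in the log after a login attempt, the container did not load the class for that security domain, which points at the configuration or classpath rather than at the module's own logic.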