0 Replies Latest reply on Mar 4, 2004 12:55 PM by Chris Buckley

    LDAP Login Module (Keberos) Help

    Chris Buckley Newbie

      I'm flat out stuck. I can get the DatabaseServerLoginModule to work but, a Ldap Login Module is getting me. I have tried a number of things and it's just not working for me. Can someone shed some light on this subject for me. Here is what I am trying to do, I want a LoginModule just like the DatabaseServerLoginModule or the UsersRolesLoginModule, however I want to authenticate using my Domain Controller. I have written java code that can stand alone and perform this as well as a session bean that can perform this authentication, but I want Jboss/tomcat to do it to protect my web app. I have tried making a Login Module like such:

      package intuinet.security.auth.spi;

      import intuinet.callback.UpstreamCallbackHandler;

      import java.security.acl.Group;
      import java.util.HashMap;
      import java.util.Iterator;
      import java.util.Map;

      import javax.security.auth.Subject;
      import javax.security.auth.callback.CallbackHandler;
      import javax.security.auth.login.LoginContext;
      import javax.security.auth.login.LoginException;

      import org.jboss.security.SimpleGroup;
      import org.jboss.security.SimplePrincipal;
      import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

      * @author cbuckley
      public class Kbr5ServerLoginModule extends UsernamePasswordLoginModule {

      private String realm;
      private String kdc;

      protected String getUsersPassword() throws LoginException {

      return getUsersPassword();//Does this get handed off? Or is this my responsibility to obtain this? If so how do I do it with LDAP I can't query for a password? }

      protected Group[] getRoleSets() throws LoginException {

      HashMap setsMap = new HashMap();
      String groupName = "Roles";//Role Group
      String name = "Echo";//Role
      Group group = new SimpleGroup(groupName);
      group.addMember(new SimplePrincipal(name));
      Group[] roles = new Group[1];
      roles[0] = group;
      return roles;

      public void initialize(
      Subject subject,
      CallbackHandler callbackHandler,
      Map sharedState,
      Map configOptions) {

      super.initialize(subject, callbackHandler, sharedState, configOptions);
      realm = (String) configOptions.get("kbr5Realm");
      kdc = (String) configOptions.get("kbr5Kdc");
      //Setting system variables....
      java.util.Properties p = new java.util.Properties(System.getProperties());
      p.setProperty("java.security.krb5.realm",realm );
      p.setProperty("java.security.krb5.kdc", kdc);


      public boolean login() throws LoginException {

      LoginContext lc = null;
      boolean valid = false;
      UpstreamCallbackHandler callback = new UpstreamCallbackHandler(getUsername(), getUsersPassword());
      try {
      lc = new LoginContext("domain-contoller", callback);
      } catch (LoginException le) {
      System.err.println("Cannot create LoginContext. "
      + le.getMessage());
      } catch (SecurityException se) {
      System.err.println("Cannot create LoginContext. Security Exception"
      + se.getMessage());

      try {
      // attempt authentication
      valid = true;
      //Next we would want to associate roles to the Subject.
      Iterator itr = lc.getSubject().getPrincipals().iterator();
      System.err.println("Principal "+itr.next().toString());
      } catch (LoginException le) {
      System.err.println("Authentication failed:");
      System.err.println(" " + le.getMessage());


      return valid;


      and then including the following application-policies in my login-config.xml

      <application-policy name = "domain-contoller">

      <login-module code="com.sun.security.auth.module.Krb5LoginModule"
      flag = "required" />


      <application-policy name = "upstream">

      <login-module code="intuinet.security.auth.spi.Krb5ServerLoginModule"
      flag = "required" />
      <module-option name = "kbr5Realm">upstream.cutthroatcom.com</module-option>
      <module-option name = "kbr5Kdc">madison.upstream.cutthroatcom.com</module-option>


      the thought here was that I would implement my own login() method and would actually use the "domain-controller" policy to require com.sun.security.auth.module.Krb5LoginModule and I would use this in my LoginContext, well it doesn't work and furthermore I can't debug because nothing will print out. I don't get it. Oh yeah one more thing right now I have the code packaged in a jar with a ejb: is this bad? shoud I jar the "LoginModule" by itself and put it in the lib directory?

      thanks for any help on this one.