2 Replies Latest reply on Apr 29, 2004 9:44 AM by Scott Stark

    chained login modules

    alexkre Newbie

      Hi All,

      I have a problem with chaining login modules. It looks like only the first one ever gets invoked. Is there a bug in JBoss or am I doing something wrong?
      Here is my login-config.xml:

      <application-policy name="app-security">
        <authentication>

          <login-module code="org.jboss.security.ClientLoginModule" flag="required">
          </login-module>

          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="dsJndiName">java:/mydb</module-option>
            <module-option name="principalsQuery">select ....</module-option>
            <module-option name="rolesQuery">select .....</module-option>
          </login-module>

          <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="allowEmptyPasswords">false</module-option>
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
            <module-option name="principalDNPrefix">cn=</module-option>
            <module-option name="principalDNSuffix">,ou=org_unit,o=org</module-option>
          </login-module>

        </authentication>
      </application-policy>

      I'm using JBoss 3.2.2.

      Thanks,
      Alex

        • 1. Re: chained login modules
          alexkre Newbie

          I have solved this problem by removing the "password-stacking" option from the login modules. I still don't understand why it did not work with it, if the JAAS spec says:
          ---
          use_first_pass - If true, the first LoginModule in the stack saves the password entered, and subsequent LoginModules also try to use it. LoginModules do not prompt for a new password if authentication fails (authentication simply fails).
          ---

          In my case only the first login module, after ClientLoginModule, was ever invoked using this option. So it looks like this option breaks the chain of login modules.

          Thanks,
          Alex

          • 2. Re: chained login modules
            Scott Stark Master

            It's up to the login modules to decide whether or not password stacking implies that all login modules perform authentication. The JBoss login modules assume that password stacking implies that the first login module obtains and validates the password; subsequent login modules only use the credentials if needed to obtain roles. Submit a patch that allows chained login modules to validate the shared credentials.
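
The stacking behaviour described in the last reply, as an added Java example (not code from the thread or from JBoss): with `useFirstPass`, a later "required" module that finds credentials in the JAAS shared state returns success without checking the password against its own store. `StackingModule`, the store names, the user name and the passwords are hypothetical and constructed for the demonstration.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class StackingDemo {
    // Shared-state keys conventionally used for JAAS password stacking.
    static final String NAME = "javax.security.auth.login.name";
    static final String PASS = "javax.security.auth.login.password";

    // Hypothetical module: validates against its own store unless stacking lets it skip.
    static class StackingModule implements LoginModule {
        final String store, storedPassword;
        Map<String, Object> shared;
        boolean useFirstPass, validated;
        StackingModule(String store, String pw) { this.store = store; this.storedPassword = pw; }

        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> options) {
            shared = (Map<String, Object>) sharedState;
            useFirstPass = "useFirstPass".equals(options.get("password-stacking"));
        }
        public boolean login() throws LoginException {
            if (useFirstPass && shared.containsKey(NAME) && shared.containsKey(PASS))
                return true;              // an earlier module already authenticated: no check here
            String typed = "secret";      // constructed input, stands in for the callback result
            if (!storedPassword.equals(typed)) throw new FailedLoginException(store + " rejected password");
            validated = true;
            if (useFirstPass) { shared.put(NAME, "alex"); shared.put(PASS, typed); }
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // Runs a database module, then an LDAP module, in the order of the posted policy.
    static String run(Map<String, String> options) {
        Map<String, Object> shared = new HashMap<>();
        StackingModule db = new StackingModule("db", "secret");     // constructed: password matches
        StackingModule ldap = new StackingModule("ldap", "other");  // constructed: password differs
        try {
            for (StackingModule m : List.of(db, ldap)) { m.initialize(new Subject(), null, shared, options); m.login(); }
            return "login OK, ldap validated=" + ldap.validated;
        } catch (LoginException e) { return "login FAILED: " + e.getMessage(); }
    }
    public static void main(String[] args) {
        System.out.println(run(Map.of("password-stacking", "useFirstPass")));
        System.out.println(run(Map.of()));
    }
}
```

With stacking enabled the LDAP module never compares the password, so a policy that needs every store to verify the credential has to leave `password-stacking` off those modules, which is the change that fixed the original poster's chain.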