1 Reply Latest reply on Sep 24, 2004 1:14 PM by Scott Stark

    JAAS ClientLoginModule + ServerLoginModule

    Carlos Gonzalez Cadenas Newbie

      Hi All,

      I'm trying to deploy in JBoss two ways to login for my application clients.

      *The first one, using a user and a hashed password (the client is responsible for hashing the cleartext before passing the credential to JAAS).

      *The second one, using a Certificate.

      In the server part, I have two ServerLoginModules that will perform the server authentication (against a DB, in the first case, and against a Validation Authority in the second case).

      It's clear that I will have to use the ClientLoginModule provided to bind the credentials (and handle the interaction with the user), but I can't see how, because the only credential types allowed for binding are a user and a password (and the ClientLoginModule complains about any Callbacks other than NameCallback and PasswordCallback).

      I was reviewing the code of the ClientLoginModule and I see that there are some classes (SecurityAssociationActions and so on...) that bind the credentials to the implementation of the EJB remoting protocol.

      Is there any way for me to proceed? I can't implement any other ClientLoginModule that binds other types of credentials, because access to SecurityAssociationActions and so on is package protected.

      Any hints or ideas would be greatly appreciated.

      Thank you very much in advance


        • 1. Re: JAAS ClientLoginModule + ServerLoginModule
          Scott Stark Master

          You use the password-stacking="useFirstPass" option to the ClientLoginModule and place another login module ahead of it that validates the credentials as this srp example config shows:

          srp-client {
           // Example client auth.conf for using the SRPLoginModule
           org.jboss.security.srp.jaas.SRPLoginModule required
           ;
           org.jboss.security.ClientLoginModule required
           password-stacking="useFirstPass"
           ;
           // Put your login modules that need jBoss here
          };

          I probably should add a login module option to specify a non-password based Callback object to use to simplify the propagation of non-password based info.
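As an added illustration of the stacking described in this reply (not code from the thread or from JBoss), here is a hypothetical HashingClientLoginModule for the hashed-password case from the question: it collects name and password through the standard callbacks, and hands the digest to the ClientLoginModule behind it via the shared-state keys that password-stacking="useFirstPass" reads. The module name, the "hashed-client" config entry and the choice of SHA-256 are assumptions.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
/** Hypothetical client module (not JBoss code) stacked ahead of ClientLoginModule, e.g.
 *  hashed-client { HashingClientLoginModule required;
 *    org.jboss.security.ClientLoginModule required password-stacking="useFirstPass"; }; */
public class HashingClientLoginModule implements LoginModule {
    // Shared-state keys that a module configured with password-stacking="useFirstPass" reads.
    private static final String NAME_KEY = "javax.security.auth.login.name";
    private static final String PASS_KEY = "javax.security.auth.login.password";
    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        this.handler = h;
        this.sharedState = (Map<String, Object>) shared;
    }
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("Could not collect credentials: " + e.getMessage());
        }
        char[] clear = pc.getPassword();
        pc.clearPassword();
        // Publish the digest, never the cleartext; ClientLoginModule then binds it as the credential.
        sharedState.put(NAME_KEY, nc.getName());
        sharedState.put(PASS_KEY, sha256Hex(clear));
        java.util.Arrays.fill(clear, '\0');
        return true;
    }
    /** Hex SHA-256 of the password; the server-side DB module must compare against the same digest. */
    static String sha256Hex(char[] password) throws LoginException {
        try {
            byte[] raw = new String(password).getBytes(StandardCharsets.UTF_8);
            return String.format("%064x", new BigInteger(1, MessageDigest.getInstance("SHA-256").digest(raw)));
        } catch (java.security.NoSuchAlgorithmException e) { throw new LoginException("SHA-256 unavailable"); }
    }
    @Override public boolean commit() { return true; }
    @Override public boolean abort() { sharedState.remove(PASS_KEY); return true; }
    @Override public boolean logout() { sharedState.remove(PASS_KEY); return true; }
}
```

Note that the digest the client sends is itself the credential the server checks, so it still has to travel over TLS or an SRP-style exchange; hashing on the client only keeps the cleartext out of the server's hands.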