3 Replies Latest reply on Oct 28, 2004 4:52 PM by Scott Stark

    Questions about Custom Login Modules

    Marco Antonio Villalobos, Jr. Newbie

      Hello JBoss Community,

      I'm in the middle of developing my own custom login
      module for JBoss, due to unique security environments
      within my organization.

      I posted earlier to Beginner's Corner, but I realize
      that this really isn't a beginner's question.

      I implemented an extension of AbstractServerLoginModule.

      I stepped through the code with my remote debugger.

      I noticed that the username and passwords are stored
      in the call back handler, not in the shared state map.

      Then I look at the JBoss code on sourceforge cvs.

      I'm afraid to use the UsernamePasswordLoginModule because
      it has Strings for username and password in one method.

      Is that secure?

      Then I browse through the other classes, and it there seems to
      be this notion of a shared state map that stores the username
      and password. What is the purpose of that construct?
      Isn't that a security hole? I am guessing that it is not, but I want
      to know why.

      Also, what's the purpose of isFirstPass?

      Thank you.


        • 1. Re: Questions about Custom Login Modules
          Marco Antonio Villalobos, Jr. Newbie


          After further investigation of the AbstractServerLoginModule
          class, the javadoc documentation for the class states that:

          You may also wish to override

          public boolean login() throws LoginException

          In which case the last line of your login() method should be

          return super.login();

          How can that possibly be an accurate statement since
          AbstractServerLoginModule.login() will return false unless
          the identity and credentials are stored in the sharedStatemap,
          and there also are no mechanisms to standardize the "firstPass"
          feature that places the information in the sharedStatemap.

          Are these accurate statements, or am I reading this all wrong?

          I am beginning to think that super.login() should be the first
          value in the login method, if called at all. Example:

          Why would we need the useFirstPass feature?

          What is it? What is the benefit?

          • 2. Re: Questions about Custom Login Modules
            Lea Thurman Newbie

            Hi Minmay.

            I too noticed the discrepency regarding super.login. I actually made this the first call in my login module (subclass of abstractServerLoginModule). I notice that the UsernamePasswordLogin module also calls it first.

            As far as my understyanding goes (which is not very far as we dont support this yet) the shared state map is for password stacking i.e when you have multiple modules and you want the username/password to be passed through. I guess the useFirstPass mean use the username and password from the first login module.

            I currently dont stack them so its not a problem for me.


            • 3. Re: Questions about Custom Login Modules
              Scott Stark Master

              This is the current javadoc for AbstractServerLoginModule so whatever your looking at is out of date.

               /** Looks for javax.security.auth.login.name and javax.security.auth.login.password
               values in the sharedState map if the useFirstPass option was true and returns
               true if they exist. If they do not or are null this method returns false.
               Note that subclasses that override the login method must set the loginOk
               ivar to true if the login succeeds in order for the commit phase to
               populate the Subject. This implementation sets loginOk to true if the
               login() method returns true, otherwise, it sets loginOk to false.