1. Re: JBoss and tagish NTSystemLogin
tcherel Jan 13, 2005 1:28 PM (in response to roberto)
Everything depends on how you configured the NTSystemLogin.
Without any coding, just by adding it as a JAAS login module in the login-config.xml, the authentication should work, but the mapping between the Windows groups and the roles is not done: JAAS does not define how to do that, so each app server does it its own way.
For JBoss, you will have to write a JBossSX custom login module wrapping the NTSystemLogin. Such a module has to add a group named "Roles" to the subject's principal list. This group will list all the Windows groups of the authenticated user.
It is fairly simple to do when you understand the mechanics.
Take a look at http://www.jboss.org/wiki/Wiki.jsp?page=JBossSX, especially the HowTo. It provides samples on how you can do that.
Thomas
2. Re: JBoss and tagish NTSystemLogin
roberto Jan 16, 2005 5:10 AM (in response to roberto)
TY!
I did it and now all works fine.
I have implemented unauthenticatedIdentity too.
3. Re: JBoss and tagish NTSystemLogin
tcherel Jan 16, 2005 1:22 PM (in response to roberto)
Glad I could help.
As tagish is also open source, if possible, you should submit your login module to the JBoss guys.
I have seen a few people through the mailing list that were looking for such capabilities.
Thomas
4. Re: JBoss and tagish NTSystemLogin
furbern Feb 1, 2005 8:54 AM (in response to roberto)
I have written a very simple version of tagish NTSystemLogin to work with JBoss and meet my requirements. I am not sure where best to post this code so I'll paste it here.
package com.tagish.auth.win32;

import org.jboss.security.auth.spi.*;
import org.jboss.security.*;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.tagish.auth.Utils;
import java.util.*;
import javax.security.auth.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import java.security.acl.Group;
import java.security.Principal;

public class JBossNTSystemLogin extends AbstractServerLoginModule {
    // Native object (NTSystem lives in this same package, so no import is needed)
    protected NTSystem ntSystem;
    protected String defaultDomain = null;
    protected Log logit = LogFactory.getLog(this.getClass());

    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options)
    {
        super.initialize(subject, callbackHandler, sharedState, options);
        // Construct the native proxy
        ntSystem = new NTSystem();
        ntSystem.checkVersion();
        // get the options
        defaultDomain = (String) options.get("default-domain");
    }

    protected Principal getIdentity() {
        return new SimplePrincipal(ntSystem.getName());
    }

    protected Group[] getRoleSets() throws LoginException {
        // JBossSX expects the roles in a Group named "Roles" on the subject
        Group[] roleSets = { new SimpleGroup("Roles") };
        // get NT group names
        // make the group names upper case for future comparison
        String[] groups = ntSystem.getGroupNames(false);
        if (logit.isDebugEnabled())
            logit.debug("Build roles group");
        for (int g = 0; groups != null && g < groups.length; g++) {
            if (groups[g] != null) {
                String upperRole = groups[g].toUpperCase();
                roleSets[0].addMember(new SimplePrincipal(upperRole));
                if (logit.isDebugEnabled())
                    logit.debug(upperRole + " added");
            }
        }
        return roleSets;
    }

    public boolean login() throws LoginException
    {
        // username and password
        String username;
        char[] password = null;
        String domain;
        try {
            // prompt for a username and password
            if (callbackHandler == null)
                throw new LoginException("Error: no CallbackHandler available to garner authentication information from the user");
            Callback[] callbacks = new Callback[defaultDomain == null ? 3 : 2];
            callbacks[0] = new NameCallback("Username: ");
            callbacks[1] = new PasswordCallback("Password: ", false);
            if (defaultDomain == null) {
                callbacks[2] = new TextInputCallback("Domain: ");
            }
            try {
                callbackHandler.handle(callbacks);
                // Get username...
                username = ((NameCallback) callbacks[0]).getName();
                // ...password (getPassword() returns a copy, so the callback's own copy can be cleared at once)...
                password = ((PasswordCallback) callbacks[1]).getPassword();
                ((PasswordCallback) callbacks[1]).clearPassword();
                // ...and domain.
                if (defaultDomain == null) {
                    domain = ((TextInputCallback) callbacks[2]).getText();
                } else {
                    domain = defaultDomain;
                }
                if (domain != null && domain.length() == 0) {
                    domain = null;
                }
            } catch (java.io.IOException ioe) {
                throw new LoginException(ioe.toString());
            } catch (UnsupportedCallbackException uce) {
                throw new LoginException("Error: " + uce.getCallback().toString() +
                    " not available to garner authentication information from the user");
            }
            // Attempt to logon using the supplied credentials
            ntSystem.logon(username, password, domain); // may throw
            loginOk = true;
            if (logit.isDebugEnabled())
                logit.debug("Successful NT authentication for user " + username + " on domain " + domain);
            if (getUseFirstPass()) {
                // Add the username and password to the shared state map for modules stacked after this one.
                // Store a copy of the password: the local array is zeroed in the finally block below,
                // and the shared state must keep a usable password until the stacked modules have read it.
                sharedState.put("javax.security.auth.login.name", username);
                sharedState.put("javax.security.auth.login.password", password == null ? null : password.clone());
            }
        } finally {
            // wipe the local copy of the password as soon as it is no longer needed
            Utils.smudge(password);
        }
        // A failed NT logon threw above, so reaching this point means authentication succeeded.
        // Report success directly: super.login() does not take this module's own logon into
        // account and only reports success when it finds already-stacked credentials.
        return true;
    }
}
**********************************
The login-config.xml entries are:
<application-policy name="NTLogin">
    <login-module code="com.tagish.auth.win32.JBossNTSystemLogin"
                  flag="required">
        <module-option name="default-domain">yourntdomainname</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
    </login-module>
</application-policy>
I hope this is of help to somebody.
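Thomas's first reply points out that the Windows-group-to-role mapping is the part JAAS leaves to each app server, and the module above grants every Windows group of the user, upper-cased, as a JBoss role. As an added example (not part of furbern's module, tagish, or JBoss), the helper below does that mapping explicitly instead: it parses a hypothetical "role-map" module option of the form "WindowsGroup=role1|role2;OtherGroup=role3" and returns only the application roles that the user's groups map to, so groups with no mapping grant nothing. The option name, its format, and the sample group names are assumptions for this example; the helper uses only the JDK, and the comment shows how getRoleSets() in the posted module would call it.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Explicit Windows-group-to-role mapping for a JBossSX login module.
 * Added example: parses a hypothetical "role-map" module option such as
 *   "Domain Users=user;Web Developers=developer|deployer"
 * and resolves the roles for a user's Windows groups. Groups with no
 * mapping yield no role, so an application only sees roles it declared.
 */
public final class WindowsGroupRoleMapper {
    private final Map<String, Set<String>> groupToRoles = new HashMap<String, Set<String>>();

    public WindowsGroupRoleMapper(String roleMapOption) {
        if (roleMapOption == null) return;
        for (String entry : roleMapOption.split(";")) {
            int eq = entry.indexOf('=');
            if (eq <= 0) continue;                      // skip malformed entries
            String group = normalize(entry.substring(0, eq));
            Set<String> roles = groupToRoles.get(group);
            if (roles == null) {
                roles = new LinkedHashSet<String>();
                groupToRoles.put(group, roles);
            }
            for (String role : entry.substring(eq + 1).split("\\|")) {
                String r = role.trim();
                if (!r.isEmpty()) roles.add(r);
            }
        }
    }

    /** Windows group names are case-insensitive; compare them upper-cased, as the posted module does. */
    private static String normalize(String group) {
        return group.trim().toUpperCase(Locale.ROOT);
    }

    /** Returns the application roles granted to a user that belongs to the given Windows groups. */
    public Set<String> rolesFor(String[] windowsGroups) {
        Set<String> result = new LinkedHashSet<String>();
        if (windowsGroups == null) return Collections.unmodifiableSet(result);
        for (String g : windowsGroups) {
            if (g == null) continue;
            Set<String> mapped = groupToRoles.get(normalize(g));
            if (mapped != null) result.addAll(mapped);
        }
        return Collections.unmodifiableSet(result);
    }

    // In the posted login module, with the option read in initialize() as
    //   mapper = new WindowsGroupRoleMapper((String) options.get("role-map"));
    // getRoleSets() would become:
    //   Group roles = new SimpleGroup("Roles");
    //   for (String r : mapper.rolesFor(ntSystem.getGroupNames(false)))
    //       roles.addMember(new SimplePrincipal(r));
    //   return new Group[] { roles };

    public static void main(String[] args) {
        WindowsGroupRoleMapper mapper = new WindowsGroupRoleMapper(
            "Domain Users=user;Web Developers=developer|deployer;Domain Admins=admin");
        // constructed sample: group names as NTSystem.getGroupNames(false) might return them
        String[] groups = { "Domain Users", "web developers", "Backup Operators" };
        System.out.println("roles: " + mapper.rolesFor(groups));
    }
}
```

With this in place, a user in "Backup Operators" (or any other group the deployment did not list) gets no role from that group, and renaming a Windows group no longer silently changes which application roles exist.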