4 Replies Latest reply on Feb 1, 2005 8:54 AM by furbern

    JBoss and tagish NTSystemLogin

    roberto roberto Novice

      I try to configure NTSystemLogin to check credential but i have a problem with roles.

      Authentication works fine but role authorization doesn't works.

      Tomcat reply me:

      message: Access to the requested resource has been denied
      description: Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

      I think that a role is mapped to a group in window environment..

      Someone have try this ?

      Thank You

        • 1. Re: JBoss and tagish NTSystemLogin
          Thomas Cherel Novice

          Evertyhing depends on how you configured the NTSystemLogin.
          Without any coding, just by adding it as a JAAS login module in the login-config.xml, the authentication should work, but the mapping between the windows group and the roles are not done: JAAS does not define how to do that so each app server does it its own way.

          For JBoss, you will have to write a JBossSX custom Login module wrapping the NTSystemLogin. Such module have to add a group to the subject principal list named "Roles". This group will list all the windows groups of the authenticated users.
          It is fairly simple to do when you understand the mechanics.

          Take a look at the http://www.jboss.org/wiki/Wiki.jsp?page=JBossSX, especially the HowTo. It provides samples on how you can do that.


          • 2. Re: JBoss and tagish NTSystemLogin
            roberto roberto Novice

            I do it and now all works fine.
            I have implemented unauthenticatedidentity too

            • 3. Re: JBoss and tagish NTSystemLogin
              Thomas Cherel Novice

              Glad I could help.
              As tagish is also open source, if possible, you should submit your login module to the JBoss guys.
              I have seen a few people throught he mailing list that were looking for such capabilities.


              • 4. Re: JBoss and tagish NTSystemLogin
                furbern Newbie

                I have written a very simple version of tagish NTSystemLogin to work with JBoss and meet my requirements. I am not sure where best to post this code so I'll paste it here.

                package com.tagish.auth.win32;

                import org.jboss.security.auth.spi.*;
                import org.jboss.security.*;
                import org.apache.commons.logging.Log;
                import org.apache.commons.logging.LogFactory;

                import com.tagish.auth.Utils;
                import java.util.*;
                import javax.security.auth.*;
                import javax.security.auth.callback.*;
                import javax.security.auth.login.LoginException;
                import java.security.acl.Group;

                import java.security.Principal;

                public class JBossNTSystemLogin extends AbstractServerLoginModule {
                // Native object
                protected NTSystem ntSystem;
                protected String defaultDomain = null;
                protected Log logit= LogFactory.getLog(this.getClass());
                public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options)
                // Construct the native proxy
                ntSystem = new NTSystem();
                // get the options
                defaultDomain = (String) options.get("default-domain");


                protected Principal getIdentity(){
                return new SimplePrincipal(ntSystem.getName());

                protected Group[] getRoleSets() throws LoginException{
                Group[] roleSets = { new SimpleGroup( "Roles" ) };
                // get NT group names
                // make the group names upper case for future comparison
                String[] groups = ntSystem.getGroupNames(false);
                if (logit.isDebugEnabled())
                logit.debug(new StringBuffer("Build roles group "));
                for (int g = 0; groups != null && g < groups.length; g++) {
                if (groups[g] != null) {
                String upperRole = groups[g].toUpperCase();
                roleSets[ 0 ].addMember( new SimplePrincipal(upperRole) );
                if (logit.isDebugEnabled())
                logit.debug(new StringBuffer(upperRole).append(" added"));
                return roleSets;

                public boolean login() throws LoginException
                // username and password
                String username;
                char password[] = null;
                String domain;

                try {

                // prompt for a username and password
                if (callbackHandler == null)
                throw new LoginException("Error: no CallbackHandler available to garner authentication information from the user");

                Callback[] callbacks = new Callback[defaultDomain == null ? 3 : 2];
                callbacks[0] = new NameCallback("Username: ");
                callbacks[1] = new PasswordCallback("Password: ", false);
                if (defaultDomain == null) {
                callbacks[2] = new TextInputCallback("Domain: ");

                try {

                // Get username...
                username = ((NameCallback) callbacks[0]).getName();

                // ...password...
                password = ((PasswordCallback) callbacks[1]).getPassword();

                // ...and domain.
                if (defaultDomain == null) {
                domain = ((TextInputCallback) callbacks[2]).getText();
                } else {
                domain = defaultDomain;

                if (domain != null && domain.length() == 0) {
                domain = null;

                } catch (java.io.IOException ioe) {
                throw new LoginException(ioe.toString());
                } catch (UnsupportedCallbackException uce) {
                throw new LoginException("Error: " + uce.getCallback().toString() +
                " not available to garner authentication information from the user");

                // Attempt to logon using the supplied credentials

                ntSystem.logon(username, password, domain); // may throw
                loginOk = true;
                if (logit.isDebugEnabled())
                logit.debug(new StringBuffer("Successful NT authentication for user ").append(
                username).append(" on domain ").append(domain));
                if (getUseFirstPass() == true) {
                // Add the username and password to the shared state map
                sharedState.put("javax.security.auth.login.name", username);
                sharedState.put("javax.security.auth.login.password", password);

                } finally {

                return super.login();



                The login-config.xml entries are:
                <application-policy name = "NTLogin">

                <login-module code = "com.tagish.auth.win32.JBossNTSystemLogin"
                flag = "required">
                <module-option name = "default-domain">yourntdomainname</module-option>
                <module-option name = "password-stacking">useFirstPass</module-option>


                I hope this is of help to somebody.