12 Replies Latest reply on Nov 16, 2005 6:46 AM by Ashwin Kumar Karkala

    Custom Login Module

    Krishnaswamy.V Newbie

      Hi
      I am trying to port my application from weblogic to JBOSS4.0.2.
      We have implemented JAAS way of authentication in weblogic flavour of my application.
      actually in my server side authentication does some appication specific logic like not locking a default user, and throwing custome exception message if the User is locked and so on.

      what should i do to have the same sort of client and servr side login module in JBOSS4.0.2?

      your help in this will be greatly appreciated.

      Thanks in advance
      Krishnaswamy.V

        • 1. Re: Custom Login Module
          Thomas Cherel Novice

          You also need to write a JBoss custom JAAS login module.
          See http://www.jboss.org/index.html?module=bb&op=viewtopic&t=46370

          Thomas

          • 2. Re: Custom Login Module
            Krishnaswamy.V Newbie

            My problem is i am trying to find some thing similar to weblogic way of authentication (by calling weblogic api class Authenticate.authenticate())
            so if i get step by step procedure that would be nice

            • 3. Re: Custom Login Module
              Thomas Cherel Novice


              Authenticate.authenticate() is weblogic specific and you will not find an equivalent in JBoss.
              But they boh support JAAS, so some aspects will be similar.
              For example, you can create a JAAS login module that will check if the user is locked or not and just abort the authentication process if locked or let it go through if user is not locked.
              Letting the authentication process going through means that other configured JAAS login modules can then be invoked to perform the rest of the authentication (for example authenticate against LDAP using the JBoss LDAP login module).
              All this is standard JAAS behavior and documentation can be found in the standard JDK doc.
              The JBoss specific documentation (pointer I sent) will indicate how to integrate your custom JAAS login module in JBoss.

              Thomas

              • 4. Re: Custom Login Module
                Krishnaswamy.V Newbie

                Hi Thomas thanks for your reply
                further I need some clarification in terms of i want to write custom login module both server and client side how should i do?

                • 5. Re: Custom Login Module
                  Thomas Cherel Novice


                  From a pure JAAS point of view, client or server JAAS login modules does not make any differences.
                  On both side you have one or more JAAS module configured (stack of JAAS modules).
                  The differences when used with JBoss are as follow:

                  1) The JBoss client JAAS login module (ClientLoginModule) must be part of your client side JAAS login module stack (unless you write a replacement for it as well, but then you will need to take a close look at JBoss sources).

                  2) Server JAAS login modules are usually used to also do custom user/role associations. In such case your JAAS login module needs also to take care of these associations and this is done in a JBoss epcific fashion (JAAS does not define how to associate roles to users).

                  3) Client side JAAS configuration is usually done the "standard" JAAS way (an auth.conf file provided via the java.security.auth.login.config system property), while the server side JAAS configuration is usually done via the conf/login-config.xml or deployed as part of your J2EE application (see DynamicLoginConfig in the wiki pages: http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX).

                  Thomas

                  • 6. Re: Custom Login Module
                    Krishnaswamy.V Newbie

                    If I subclass AbstractServerLoginModule and write my logic in (Overriding the super's)login method i can acheive the task rite?

                    • 7. Re: Custom Login Module
                      Krishnaswamy.V Newbie

                      sorry !!
                      i have to override
                      login()
                      getRoleSets()
                      and getIdentity()

                      rite?

                      • 8. Re: Custom Login Module
                        Thomas Cherel Novice


                        Most likely.
                        The login operation is a JAAS defined operation.
                        The other ones are specific to the AbstractServerLoginModule to make your life easier so you do not have to worry about the other JAAS defined operations (initialize, commit, abort and logout).

                        Thomas

                        • 9. Re: Custom Login Module
                          Krishnaswamy.V Newbie

                          i have a doubt
                          say i have configured a client login module,
                          how can i call jboss server side login module to do the actuall login operation?
                          say in weblogic if i call Authenticate.authenticate()
                          it executes all login module avialble the server side stack so my server side login does the login operation.
                          what is the equvalent way in JBOSS?

                          • 10. Re: Custom Login Module
                            Thomas Cherel Novice


                            I believe that JBoss and WebLogic are not working the same way.

                            With WebLogic, when you call login on your client side, this will indeed go back to the server to perform the authentication (or something like that).

                            With JBoss, client side login does nothing except associating the user credentials with the current security context. You server side login modules will be invoked at the first EJB request, using the credentials collected though the client login module.

                            Thomas

                            • 11. Re: Custom Login Module
                              PanduR PSwamy Newbie

                              Hi,
                              I am also in the same situation. Oneof the application I am migrating from weblogic to jboss is using weblogic security extension, acls, groups,acls, permissions, User info etc...
                              Could you help me how to map the weblogic equivalents to jboss?
                              You can mail me at pswamy_2000@rediffmail.com

                              Reagrds,
                              Pandu

                              • 12. Re: Custom Login Module
                                Ashwin Kumar Karkala Newbie

                                I think you will not find a one-to-one match from weblogic to jboss. The best way to do this is to understand what actually needs to happen during the login (from your application perspective, security rules etc etc) and the have these coded into one (or more) LoginModule implementations.
                                Then in the login-conf.xml you can define a realm/domain with this one (or more) modules and use that realm in your application jboss.xml.

                                Moral of the story... dont try to do a one to one match. It may not be possible and you might end up doing stuff to the code that is not architecturally sound and unmanagable.