4 Replies Latest reply on Aug 25, 2005 4:37 AM by flarosa

    Can I create a J2EE-generic authentication module?

    flarosa

      Hi,

      I want to create my own authentication module. I guess I could extend org.jboss.security.auth.spi.UsersRolesLoginModule or one of its superclasses, but I'm wary of losing portability to other application servers if I use a jboss-specific class or interface.

      Is there a generic J2EE way to build an authentication module that is portable across application servers?

      Thanks,
      Frank

        • 1. Re: Can I create a J2EE-generic authentication module?
          tcherel

          Unfortunately, not really.
          The JAAS basic capabilities are common to all application servers, but when writing your own custom JAAS login modules, in order to fully integrate it with the app server, you will have to write some app server specific code:

          - If you want to specify what are the roles of the user during the authentication, this is done in an app server specific way (a Group with a specific name for JBoss, an instance of a specific class for WebLogic, etc...).

          - If you want to have your JAAS login module to "interact" with other JAAS login modules of the app server (for example, you just want to extend some capabilities of the app server existing JAAS login module), then this will also be some app server specific code (the JAAS login modules shared state mechanism is used in most cases, but how it is used - what you have to put in it - is app server specific).

          Thomas

          • 2. Re: Can I create a J2EE-generic authentication module?
            niwhsa

            You can write your own JAAS login module and plug it into the conf/login-config.xml file.
            If you want complete portability ensure that you custom implement the Principal and Group classes and don't use the ones from JBoss. I have done this successfully. There is no issue with that.

            Once you have done this, you can take this LoginModule anywhere as it's fully portable and not dependent on JBoss.

            • 3. Re: Can I create a J2EE-generic authentication module?
              tcherel

              With JBoss, as part of your login module, if you want to specify what are the roles of the user, you need to create a Group class instance (agree, it does not need to be the one from JBoss) with a specific name (JBoss specific).
              The fact that this Group instance with this specific name is used to specify the user roles is 100% JBoss specific and is not portable.
              If you are using your own Group class, yes, your code will compile with another application server and yes you will be able to configure your module with another app server, but it will not work if you also want to specify the roles of the user (for example, WebLogic does it differently).

              Thomas
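
The split described in replies 1 to 3, as an added example that is not part of the thread and not JBoss code: a login module that imports only standard JAAS types and its own Principal and Group classes, with the single server-specific step isolated in commit(). The class names, the demo credential and the role "user" are constructed; the group name "Roles" is the JBoss convention for role lookup and is not stated in the thread.

```java
import java.security.Principal;
import java.security.acl.Group; // JDK 13 and earlier; the package was removed in JDK 14
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class PortableLoginModule implements LoginModule {
    // Own Principal and Group classes: nothing here imports an app-server package.
    static class Named implements Principal {
        final String name; Named(String n) { name = n; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof Named && ((Named) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
    }
    static class NamedGroup extends Named implements Group {
        final Set<Principal> set = new HashSet<>();
        NamedGroup(String n) { super(n); }
        public boolean addMember(Principal p) { return set.add(p); }
        public boolean removeMember(Principal p) { return set.remove(p); }
        public boolean isMember(Principal p) { return set.contains(p); }
        public Enumeration<? extends Principal> members() { return Collections.enumeration(set); }
    }
    private Subject subject; private CallbackHandler handler; private String user;
    private final List<Principal> added = new ArrayList<>();
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException(e.toString()); }
        char[] pw = pc.getPassword(); pc.clearPassword(); // getPassword() returns a copy
        boolean ok = pw != null && check(nc.getName(), pw);
        if (pw != null) Arrays.fill(pw, '\0');            // wipe the copy after use
        if (!ok) throw new FailedLoginException("authentication failed"); // same message for any failure
        user = nc.getName(); return true;
    }
    // Constructed stand-in for a lookup against a real credential store.
    boolean check(String u, char[] pw) { return "demo".equals(u) && Arrays.equals(pw, "demo-secret".toCharArray()); }
    public boolean commit() {
        if (user == null) return false;             // login() did not succeed
        NamedGroup roles = new NamedGroup("Roles"); // the one JBoss-specific line: role group name
        roles.addMember(new Named("user"));         // constructed role
        added.add(new Named(user)); added.add(roles);
        subject.getPrincipals().addAll(added); return true;
    }
    public boolean abort() { user = null; return true; }
    public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); user = null; return true; }
}
```

On another application server this class still compiles and authenticates, but the "Roles" group is ignored there, so role checks fail until commit() is adapted to that server's role convention.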

              • 4. Re: Can I create a J2EE-generic authentication module?
                flarosa

                Thanks for the tips. I decided I don't mind implementing a jboss-specific class for now and porting it later.

                I read the docs and I think I understand how to extend UsernamePasswordLoginModule. However I've never tried to integrate authentication with a J2EE application server before, so I find myself asking a couple of questions which are probably pretty basic:

                (1) A user submits a name and password on a form in a web application. How do I present these to JBoss for authentication via my module?

                (2) A user is authenticated in a web application. Does the authentication become associated with the HTTP session? If so, how do I access it on subsequent requests?

                Thanks.