9 Replies Latest reply on Jan 17, 2006 2:49 AM by Ramesh Raghavan

    Get list of users/roles no matter what JAAS security module

    Chris Miles Newbie

      Hello,

      I'm looking for a way to retrieve information from the installed security modules such as "list of users", "list of roles", "user member roles", etc. in a generic way (i.e., no code specific to the security module).

      WebLogic allows you to do this via MBeans and WebSphere allows you to do this via a JNDI lookup of the UserRegistry.

      I was hoping there is something equivalent in JBoss?

      Thank you

        • 1. Re: Get list of users/roles no matter what JAAS security mod
          Scott Stark Master

          All that currently exists is the getAuthenticationCachePrincipals op of the "jboss.security:service=JaasSecurityManager" mbean:

           /** The list of active Principals for the given security domain
           * @param securityDomain - the security-domain name
           * @return List<Principal> of active users, may be null.
           */
           List getAuthenticationCachePrincipals(String securityDomain);
          



          • 2. Re: Get list of users/roles no matter what JAAS security mod
            Chris Miles Newbie

            Thank you for your reply...

            Yes, I saw this and the other methods on the SecurityManager.

            Regarding this method, is this just a list of everyone that happens to have logged in, or does this actually return ALL the users in the Security implementation. So for example, if I'm hooked up to LDAP and I have 500 users defined, but only 2 have logged in. Does this return all 500 or just the 2.

            Thanks

            • 3. Re: Get list of users/roles no matter what JAAS security mod
              Scott Stark Master

              Only logged in as there is no way in general to query the security domain state as this is not a feature of JAAS.
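
An added example (not part of the original replies, and not JBoss project code) of calling the operation named above from code running inside the server JVM. It assumes the JBoss MBeanServer can be found through the standard `MBeanServerFactory`; the class and method names `ActivePrincipals` and `activeUsers` are hypothetical. As stated in the reply, the result covers only principals currently in the authentication cache.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;

public class ActivePrincipals {
    // MBean name and operation name are the ones quoted in this thread.
    static final String MBEAN = "jboss.security:service=JaasSecurityManager";
    static final String OP = "getAuthenticationCachePrincipals";

    /** Names of the principals cached for the domain; empty if none or if the MBean is absent. */
    public static List<String> activeUsers(String securityDomain) throws Exception {
        ObjectName name = new ObjectName(MBEAN);
        List<String> users = new ArrayList<String>();
        // Assumption: we run in the server JVM, so one of its MBeanServers hosts the MBean.
        for (MBeanServer server : MBeanServerFactory.findMBeanServer(null)) {
            if (!server.isRegistered(name)) {
                continue;
            }
            List<?> cached = (List<?>) server.invoke(name, OP,
                    new Object[] { securityDomain },
                    new String[] { String.class.getName() });
            if (cached != null) {                      // the operation may return null
                for (Object p : cached) {
                    users.add(p instanceof Principal
                            ? ((Principal) p).getName() : String.valueOf(p));
                }
            }
            break;
        }
        return users;
    }

    public static void main(String[] args) throws Exception {
        // "other" is the security domain name used later in this thread.
        System.out.println("Cached principals: " + activeUsers("other"));
    }
}
```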

              • 4. Re: Get list of users/roles no matter what JAAS security mod
                Chris Miles Newbie

                Thank you for your replies. You have been most helpful...

                • 5. Re: Get list of users/roles no matter what JAAS security mod
                  Chris Miles Newbie

                  I wanted to throw this out there and see if this is at all possible. In light of there not being any way to get such things as "list of all users", "list of all roles", etc. via JBoss, I was thinking about modifying the JBoss code to actually allow this. Here's what I was thinking:

                  1) Create a new abstract Login Module which extends AbstractServerLoginModule which provides the new methods such as getAllusers(), getAllRoles(), getRoleMembers() etc etc

                  2) Custom Login Modules could extend this new abstract Login Module and provide the code to return this new information from the actual Security Provider implementation

                  3) Expose these new methods in the JaasSecurityManager by implementing some other new interface. The JaasSecurityManager would need to cycle through all the currently installed Login Modules for the given security domain and invoke the appropriate new methods.

                  The thing I wanted to know if it was possible was whether the JaasSecurityManager has access to the actual Login Module classes. So given a security domain can you get a handle to the actual Login Modules so that you could then call the new methods?

                  Any comments and information about the SecurityManager and Login Modules would be appreciated, thanks.

                  • 6. Re: Get list of users/roles no matter what JAAS security mod
                    Scott Stark Master

                    No, this won't be supported via further overloading the jaas login modules. They are not designed for this and nothing but the jaas implementation has access to the login modules. The only tangible output from jaas is a subject.

                    You might as well create a new security info service with its own pluggable query abstraction for obtaining this information.

                    • 7. Re: Get list of users/roles no matter what JAAS security mod
                      Chris Miles Newbie

                      ok, thx for the jaas info..

                      Your "security info service" alternative is our second option and we already have something like this in place. We just didn't want to write a specific plugin for each type of JBoss Login Module, but rather an App Server specific plugin. We already have a WebLogic and WebSphere plugin and it seems that for JBoss we'll have to have a JBoss LDAP plugin, a JBoss Database plugin, etc.

                      On this subject, is there a way from within an EJB app to get access to the JBoss Login Module config parameters? So for instance, if you have an LDAP Login Module installed for JBoss, can we get access to the LDAP parameters you've set up for the Login Module? I'd rather use these than duplicate them in our own property files.

                      Thanks for your help.

                      • 8. Re: Get list of users/roles no matter what JAAS security mod
                        Chris Miles Newbie

                        I answered my own question. Here's some example code of how you can get access to the Login Modules config:

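                        import java.util.Iterator;
                        import java.util.Map;
                        import java.util.Map.Entry;
                        import javax.security.auth.login.AppConfigurationEntry;
                        import javax.security.auth.login.Configuration;

                        // Dump the login module stack configured for the "other" security domain
                        Configuration config = Configuration.getConfiguration();
                        AppConfigurationEntry[] entries = config.getAppConfigurationEntry("other");
                        // getAppConfigurationEntry returns null when the domain has no entries
                        for (int i = 0; entries != null && i < entries.length; i++) {
                            AppConfigurationEntry entry = entries[i];
                            System.out.println("LoginModule Class: " + entry.getLoginModuleName());
                            System.out.println("ControlFlag: " + entry.getControlFlag());
                            System.out.println("Options:");
                            // Options are the module's configured parameters and can include credentials
                            Map options = entry.getOptions();
                            Iterator iter = options.entrySet().iterator();
                            while (iter.hasNext()) {
                                Entry e = (Entry) iter.next();
                                System.out.println("name=" + e.getKey() + ", value=" + e.getValue());
                            }
                        }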
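
An added example (not part of the original post) of the same configuration lookup written so that it can be logged safely: option values whose names look like secrets are masked, since login module options often carry a directory bind password. The class name `LoginConfigAudit`, the name fragments treated as secret, and the sample configuration in `main` are constructed for illustration.

```java
import java.util.*;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class LoginConfigAudit {
    // Assumption: option names containing these fragments hold secrets.
    static final String[] SECRET_HINTS = { "password", "credential", "secret" };

    static boolean isSecret(String optionName) {
        String n = optionName.toLowerCase(Locale.ROOT);
        for (String hint : SECRET_HINTS) {
            if (n.contains(hint)) return true;
        }
        return false;
    }

    /** One line per login module of the domain, with secret option values masked. */
    public static List<String> describe(String domain) {
        List<String> lines = new ArrayList<String>();
        AppConfigurationEntry[] entries =
                Configuration.getConfiguration().getAppConfigurationEntry(domain);
        if (entries == null) return lines;             // no entries for this domain
        for (AppConfigurationEntry entry : entries) {
            Map<String, String> shown = new TreeMap<String, String>();
            for (Map.Entry<String, ?> e : entry.getOptions().entrySet()) {
                shown.put(e.getKey(),
                        isSecret(e.getKey()) ? "****" : String.valueOf(e.getValue()));
            }
            lines.add(entry.getLoginModuleName() + " " + entry.getControlFlag() + " " + shown);
        }
        return lines;
    }

    public static void main(String[] args) {
        // Constructed sample configuration so the example runs outside an application server.
        final Map<String, String> opts = new HashMap<String, String>();
        opts.put("java.naming.provider.url", "ldap://ldap.example.test:389/");
        opts.put("java.naming.security.credentials", "constructed-secret");
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"other".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "org.jboss.security.auth.spi.LdapLoginModule",
                        LoginModuleControlFlag.REQUIRED, opts) };
            }
        });
        for (String line : describe("other")) System.out.println(line);
    }
}
```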
                        


                        • 9. Re: Get list of users/roles no matter what JAAS security mod
                          Ramesh Raghavan Newbie

                          This is really interesting, to get the list of logged-in users. I am wondering if this would work in a browser client in a J2EE WebApp scenario. For example, I log in to my service using JAAS. After a while, I exit the browser. How does JAAS know if I have logged out or am still hanging around?
                          Would appreciate the answer, as I am seriously considering using this to get the *active* users.