13 Replies Latest reply on May 11, 2006 1:23 PM by Anil Saldanha

    How to enable 3 login parameters

    Hillel Bilman Newbie

      Hi,

      We need help on how to enable three login parameters i.e

      username:
      companyname:
      password:

      Which configuration files allow this or must one override the JBoss modules?

      For the databaseloginmodule you can change it to allow 3 login parameters but the second security verification called 'client-login', seems to have been written to only handle a single username and a single credential which up to now has been the password.

      Any help greatly appreciated.

        • 1. Re: How to enable 3 login parameters
          chris griffith Expert

          hillel,

          I would be real interested in seeing how others answer this question. I do not think it can be done. However, one hack that just came up with would be to submit your username as say 'username@company'. Then extend the necessary login modules to parse the username.

          later, cgriffith

          • 2. Re: How to enable 3 login parameters
            Hillel Bilman Newbie

            Hi,

            It?s just surprising that Jboss does not have the built in functionality to have more than one login parameter. If there is only a username and password login option, then you can get into the hotmail scenario where you can't find the username you want. If you use a company name as well, the usernames only needs to be unique within a company name, but can be the same across different company names.

            I hope one of the Jboss developers will answer.

            Rgds

            • 3. Re: How to enable 3 login parameters
              Anil Saldanha Master

              There are two approaches to web security:
              a) J2EE standard specified container based security.
              b) Developer/company/application based security.

              What you are asking is b). When a) is done, you are given portability.

              JBoss (Tomcat internally) just provides the username/password based security as part of the FORM based authentication as specified by the servlet spec.

              You can follow Chris's (j2ee_junkie) suggestion. But the main thing to remember is that what you are asking is not specified in any spec.

              • 4. Re: How to enable 3 login parameters
                chris griffith Expert

                Anil,

                Are you saying that when a Java EE standard spec. container based security is done it will allow for such adaptabliity?

                cgriffith

                • 5. Re: How to enable 3 login parameters
                  Hillel Bilman Newbie

                  Hi,

                  So you are saying there are no configuration files to enable this and we have to find a way to include the customer name in the username if we want to use J2EE standard specified container based security?

                  Thanks

                  • 6. Re: How to enable 3 login parameters
                    Anil Saldanha Master

                    A way to do this, starting 4.0.4.GA is to provide your own authenticator for FORM based authentication.

                    http://wiki.jboss.org/wiki/Wiki.jsp?page=ExternalizeTomcatAuthenticators

                    Your authenticator can weave in authentication to include the 3rd parameter, along with the standard authentication. Your authenticator will extend the FORM authenticator and will have to override the following method:
                    http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/authenticator/AuthenticatorBase.html#authenticate(org.apache.catalina.connector.Request,%20org.apache.catalina.connector.Response,%20org.apache.catalina.deploy.LoginConfig)

                    Your 3rd parameter will be available in the Catalina Request object. Note that you will need to retain the standard form in your html/jsp page while having a custom parameter.

                    I have said enough. Maybe somebody else (Chris??) can expand on this.

                    If what I am saying is convoluted, do application based security.

                    • 7. Re: How to enable 3 login parameters
                      Jonathan Rosenblitt Newbie

                      Hi

                      This is the actual problem we are encountering. We are using Jaas for login to the web container and to the ejb container. I have used the DatabaseServerLoginModule without any changes up to now. The initial logon page causes the DatabaseServerLoginModule to be called and then the first call to an ejb causes the DatabaseServerLoginModule to be called a second time after which the caching kicks in. This all works fine.

                      Now we would like to add a third parameter (username, password, reference) into the login process. I have changed my callback handler to accomodate this and am using the ObjectCallback to hold the reference. I have changed the DatabaseServerLoginModule and UsernamePasswordLoginModule to accomodate the new parameter. The initial logon to the web container works fine but the second login call to the ejb container fails.

                      I am aware that the Login Modules from JBoss which I am using were only written to accomodate the username and password. As far as I can ascertain the reason that the second login fails are that the ClientLoginModule is not passing the third parameter, and the SecurityAssociationHandler puts the password into the ObjectCallback and not the reference which is what I want. I also don't know at this stage how to call another method in the SecurityAssocationHandler that will handle 3 parameters.

                      So my problem here seems to be that I can't get my third parameter through the login process. I have tried to add it to the Subject as a new Principal without success. I have also tried to add it to the sharedState without success.

                      So my questions are
                      Can I override the ClientLoginModule with a new one.
                      Can I override the SecurityAssociationHandler.
                      Can I easily configure security to use the new modules.
                      Does my approach make any sense.
                      Am I on the right track or am I tackling something I should leave alone.
                      Can I just set the third parameter by calling the SecurityAssociation and then override the SecurityAssociationHandler to handle the third parameter.

                      • 8. Re: How to enable 3 login parameters
                        chris griffith Expert

                        Hey Gang,

                        What Anil has started is correct. Extending an Authenticator can allow you to customize obtaining authentication data in Tomcat from a Request/Session. More problems pop up down the road however that make this almost impossible to do without modifing JBossSX extensively.

                        For example, your custom authenticator then needs to refer authentication/authorization (A/A) to a realm. Thus, the realm needs to be extended to account for additional authentication data. That said, the extended realm (which should extend org.jboss.web.tomcat.security.JBossSecurityMgrRealm) is just an interface to a security manager (usually the org.jboss.security.plugins.JAASSubjectSecurityManager) through the isValid(Principal principal, Object credential,Subject activeSubject) method call. So to include an addition authentication data item would require extending this class. I could go on about all the classes that would need to be changed to handle this, but I won't.

                        I was hoping (even though I have not taken the time to investigate this for myself) that the work Anil has done to design/develop the next generation of JBossSX (http://jira.jboss.com/jira/browse/JBAS-2525) to implement JSR-196 would allow for such adaptablility. Please say this is so Anil?

                        Back to the problem at hand...

                        I would suggest doing one of two things. First try to combine your extra data into either the username or the password fields. Another less attractive approach would be to create a custom LoginModule with a ThreadLocal variable that could be set by cusom Authenticator. If you would like more detail, let me know.

                        good luck and have a great day, cgriffith


                        • 9. Re: How to enable 3 login parameters
                          chris griffith Expert

                          Hey, I just realized something over a good bowl of oatmeal.

                          I overlooked something that would not work for my environment, but could help you hillel. You could extend the FormAuthenticator as Anil has stated. Then extend the JBossSecurityMgrRealm by the addition of anauthenticate(String username, Object credential) method. The credential could then be a custom object you create that has password and company field. Let me know if you need more detail, and sorry for overlooking this the first time.

                          later, cgriffith

                          • 10. Re: How to enable 3 login parameters
                            Anil Saldanha Master

                             

                            "jrosenbl" wrote:
                            Hi

                            This is the actual problem we are encountering. We are using Jaas for login to the web container and to the ejb container. I have used the DatabaseServerLoginModule without any changes up to now. The initial logon page causes the DatabaseServerLoginModule to be called and then the first call to an ejb causes the DatabaseServerLoginModule to be called a second time after which the caching kicks in. This all works fine.

                            Now we would like to add a third parameter (username, password, reference) into the login process. I have changed my callback handler to accomodate this and am using the ObjectCallback to hold the reference. I have changed the DatabaseServerLoginModule and UsernamePasswordLoginModule to accomodate the new parameter. The initial logon to the web container works fine but the second login call to the ejb container fails.

                            I am aware that the Login Modules from JBoss which I am using were only written to accomodate the username and password. As far as I can ascertain the reason that the second login fails are that the ClientLoginModule is not passing the third parameter, and the SecurityAssociationHandler puts the password into the ObjectCallback and not the reference which is what I want. I also don't know at this stage how to call another method in the SecurityAssocationHandler that will handle 3 parameters.

                            So my problem here seems to be that I can't get my third parameter through the login process. I have tried to add it to the Subject as a new Principal without success. I have also tried to add it to the sharedState without success.

                            So my questions are
                            Can I override the ClientLoginModule with a new one.
                            Can I override the SecurityAssociationHandler.
                            Can I easily configure security to use the new modules.
                            Does my approach make any sense.
                            Am I on the right track or am I tackling something I should leave alone.
                            Can I just set the third parameter by calling the SecurityAssociation and then override the SecurityAssociationHandler to handle the third parameter.


                            Why not just do your application based security?

                            • 11. Re: How to enable 3 login parameters
                              Jonathan Rosenblitt Newbie

                              We concatenated the username and the third parameter and it works quite nicely. I had to make minor changes to DatabaseServerLoginModule and the Util class to split the string and to pass the extra parameter to the sql. The one thing to watch for so far is the string returned from a getPrincipal call.

                              Not the most elegant solution but I think the simplest within out time constraints.

                              thanks guys
                              jonathan

                              • 12. Re: How to enable 3 login parameters
                                chris griffith Expert

                                Anil,

                                In your statements...

                                There are two approaches to web security:
                                a) J2EE standard specified container based security.
                                b) Developer/company/application based security

                                and
                                Why not just do your application based security?

                                what do you mean by application based security?

                                cgriffith

                                • 13. Re: How to enable 3 login parameters
                                  Anil Saldanha Master

                                   

                                  "j2ee_junkie" wrote:
                                  Anil,
                                  what do you mean by application based security?


                                  Turn off container based security and do your own security via filters and servlets.