2 Replies Latest reply on Oct 10, 2006 1:33 AM by jaikiran

    Q about login config

    kabhishek30

      Q1:
      I have an application that I am able to deploy and run on JBoss app server. I use a custom LoginModule for authenticating users into this application. The LoginModule is configured in <jboss_server_path>/conf/login-config.xml as:

      <application-policy name="gsnx.security.Login">
        <login-module code="com.gsnx.core.server.security.LdapLoginModule" flag="required">
          <module-option name="initial-context-factory">com.sun.jndi.ldap.LdapCtxFactory</module-option>
          <module-option name="user-password-changepw-gsnx-handler">com.gsnx.core.server.security.LdapLoginModule</module-option>
          <module-option name="ldap-url">ldap://127.0.0.1:389</module-option>
          <module-option name="connection-username">cn=Manager,dc=gsnx,dc=com</module-option>
          <module-option name="connection-password">changeme</module-option>
          <module-option name="connection-protocol">ldap</module-option>
          <module-option name="authentication">simple</module-option>
          <module-option name="user-search-base">dc=gsnx,dc=com</module-option>
          <module-option name="user-search-pattern">cn={0}</module-option>
          <module-option name="user-search-scope-subtree">true</module-option>
          <module-option name="user-password-attribute"/>
          <module-option name="role-search-base"/>
          <module-option name="role-name-attribute"/>
          <module-option name="role-search-pattern"/>
          <module-option name="role-search-scope-subtree"/>
          <module-option name="user-role-attribute"/>
        </login-module>
      </application-policy>

      As can be seen the custom loginModule contacts an LDAP server for authentication. All this works fine as long as I can edit the conf/login-config.xml file in my JBoss app server configuration to include my custom loginModule.

      Now, for certain organizational reasons, I do not want to edit the conf/login-config.xml file in JBoss app server's path. So my Q is, is there a way I can configure my custom LoginModule without ever needing to edit the conf/login-config.xml in JBoss's path? Can I somehow provide an additional login-config.xml inside my application's path? Or is there some other way to configure the custom LoginModule so that the configuration remains completely inside the application and does not affect any of the default configuration files for the JBoss app server?


      Q2:
      Another issue related to the above situation is that I have an external Java RMI program that uses the same custom LoginModule as above for authentication. The loginModule is configured for this external RMI program in a login.config file that is in the classpath in the following way:

      gsnx.security.Login
      {
      com.gsnx.core.server.security.LdapLoginModule required
      initial-context-factory="com.sun.jndi.ldap.LdapCtxFactory"
      ldap-url="ldap://devwrk65.dev.e2open.com:389"
      connection-username="cn=Manager,dc=gsnx,dc=com"
      connection-password="slapface"
      connection-protocol="ldap"
      authentication="simple"
      user-search-base="dc=gsnx,dc=com"
      user-search-pattern="cn={0}"
      user-search-scope-subtree="true"
      user-password-changepw-gsnx-handler="com.gsnx.core.server.security.LdapLoginModule"
      user-password-attribute="userPassword"
      role-search-base=""
      role-name-attribute=""
      role-search-pattern=""
      role-search-scope-subtree=""
      user-role-attribute="";
      };

      Additionally, an entry is added to <JAVA_HOME>/jre/lib/security/java.security file:

      login.config.url.1=file\:C\:/gsnxst/deploy/conf/login.config

      Basically, the entry in java.security points to the login.config that has the configuration for the custom LoginModule. Once again, this works fine as long as I can edit the java.security file in JAVA_HOME. But, again for organizational reasons, I do not want to edit the JAVA_HOME Java installation files. Is there another way to configure my custom LoginModule for Java so that I do not have to physically mess around with the Java configuration? There could be other Java programs running on the same machine, and I don't want them affected by my login.config setting. Is there another alternative way to configure the custom LoginModule for Java?

      Thanks and will appreciate all responses.

        • 1. Re: Q about login config
          jaikiran

           

          I do not want to edit the JAVA_HOME Java installation files. Is there another way to configure my custom LoginModule for Java so that I do not have to physically mess around with the Java configuration? There could be other Java programs running on the same machine, and I don't want them affected by my login.config setting. Is there another alternative way to configure the custom LoginModule for Java?


          This can be done programmatically as follows:

          System.setProperty("java.security.auth.login.config","C:/gsnxst/deploy/conf/login.config");


          Write this piece of code before instantiating the LoginContext in your standalone Java program.

          I do not want to edit the conf/login-config.xml file in JBoss app server's path. So my Q is, is there a way I can configure my custom LoginModule without ever needing to edit the conf/login-config.xml in JBoss's path? Can I somehow provide an additional login-config.xml inside my application's path? Or is there some other way to configure the custom LoginModule so that the configuration remains completely inside the application and does not affect any of the default configuration files for the JBoss app server?


          As far as I know, there is no other option for this. You will have to edit the login-config.xml shipped by JBoss.



          • 2. Re: Q about login config
            jaikiran

             

            I do not want to edit the conf/login-config.xml file in JBoss app server's path. So my Q is, is there a way I can configure my custom LoginModule without ever needing to edit the conf/login-config.xml in JBoss's path? Can I somehow provide an additional login-config.xml inside my application's path? Or is there some other way to configure the custom LoginModule so that the configuration remains completely inside the application and does not affect any of the default configuration files for the JBoss app server?


            Just had a look at the JBoss source code. Looks like you can achieve this programmatically. There's an MBean named XMLLoginConfigMBean. This has the following method:

            /** Add an application login configuration. Any existing configuration for
             the given appName will be replaced.
             */
             public void addAppConfig(String appName, AppConfigurationEntry[] entries);


            You can get the reference of this MBean programmatically and invoke this method by passing the appropriate parameters. You need NOT maintain your own file containing the login configurations.
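
Added example, not part of the thread and not JBoss or poster code: one class that builds the policy from the posted login-config.xml in code (main options only) and applies it both ways the replies discuss. For the standalone program it goes one step beyond the system-property suggestion in reply 1 by handing a Configuration to a single LoginContext; for JBoss it invokes the addAppConfig method quoted in reply 2. Assumptions: the class name, the GSNX_LDAP_BIND_PW environment variable (used so the bind password stays out of source and config files), and the MBean name jboss.security:service=XMLLoginConfig (the JBoss 4.x default).

```java
import java.util.HashMap;
import java.util.Map;
import javax.management.*;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;

public class GsnxLoginConfig {                       // hypothetical class name
    static final String APP = "gsnx.security.Login"; // policy name from the thread

    // The policy from the posted login-config.xml, built in code (main options only).
    static AppConfigurationEntry[] entries() {
        String pw = System.getenv("GSNX_LDAP_BIND_PW"); // assumed variable name
        if (pw == null) throw new IllegalStateException("GSNX_LDAP_BIND_PW is not set");
        Map<String, String> o = new HashMap<String, String>();
        o.put("initial-context-factory", "com.sun.jndi.ldap.LdapCtxFactory");
        o.put("ldap-url", "ldap://127.0.0.1:389");
        o.put("connection-username", "cn=Manager,dc=gsnx,dc=com");
        o.put("connection-password", pw);
        o.put("authentication", "simple");
        o.put("user-search-base", "dc=gsnx,dc=com");
        o.put("user-search-pattern", "cn={0}");
        o.put("user-search-scope-subtree", "true");
        return new AppConfigurationEntry[] { new AppConfigurationEntry(
            "com.gsnx.core.server.security.LdapLoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, o) };
    }

    // Standalone program: the Configuration is visible to this LoginContext only.
    static LoginContext standaloneContext(CallbackHandler h) throws LoginException {
        return new LoginContext(APP, null, h, new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return APP.equals(name) ? entries() : null;
            }
        });
    }

    // Inside JBoss: register the policy via addAppConfig (replaces a same-name policy).
    static void registerWithJBoss() throws Exception {
        // Assumption: JBoss 4.x default name for the XMLLoginConfig service
        ObjectName svc = new ObjectName("jboss.security:service=XMLLoginConfig");
        for (MBeanServer s : MBeanServerFactory.findMBeanServer(null)) {
            if (!s.isRegistered(svc)) continue;
            s.invoke(svc, "addAppConfig", new Object[] { APP, entries() }, new String[] {
                String.class.getName(), AppConfigurationEntry[].class.getName() });
            return;
        }
        throw new IllegalStateException(svc + " is not registered in this JVM");
    }
}
```

Call standaloneContext(handler).login() from the RMI program with the LdapLoginModule class on its classpath, and call registerWithJBoss() from code that runs when the application is deployed. Because addAppConfig replaces any existing policy of the same name, access to the server's MBean interface should be limited to trusted code and administrators.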