2 Replies Latest reply on Oct 26, 2007 12:58 PM by Anil Saldanha

    auth-method ¿NONE? for a simple SSO using digital signatures

    Joan Pujol Espinar Newbie

      Hello,

      I have made a simply SSO solution for us using digital signature in a parameter of the request (We recive simple request from a third party that we trust).

      My LoginModule takes the request and validates if it trust the digital signature of the request. If it trusts, the login is Ok.
      The problem that I have is that in the web.xml <auth-method> I have to put FORM,BASIC,DIGEST or CLIENT-CERT. There is somthing like none? Because I don't want any interaction with the user, and I don't need any info (only the request).

      What I have know is a "working" solution with the problem that the user gets a BASIC auth dialog asking the password, what it's entered doesn't matter because the Loginmodule only looks at the request.

      My question is there is something like auth-method NONE, or any workarround to don't ask any info to the user?¿

      A workarround that I have in mind, is use a nonprotected servlet in the app that manually puts the credentials. But, is that possible?
      I have readed that in the FAQ:

      Q21. How do I programatically establish an identity?
      A21: You need to perform a JAAS login against a configuration that includes the JBoss ClientLoginModule. When inside of a server/multi-threaded environment, the multi-threaded=true and restore-login-identity=true options should be enabled. An example login fragment:


      import javax.security.auth.login.LoginContext;
      import org.jboss.security.auth.callback.UsernamePasswordHandler;
      
       void runAsUser(String username, String password)
       {
       UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password);
       LoginContext lc = new LoginContext("client-login", handler);
       lc.login();
       // Any calls to secured resources now use the username/password identity
       ...
       // Clear and restore the previous identity
       lc.logout();
       }



      But it isn't clear to me. Anyone have a nicer example. What I only need is to put a principal and role in the realm X in a unprotected servlet.


      A lot of thanks in advance,