5 Replies Latest reply on Jul 25, 2008 3:26 PM by stanton fisque

    Using database for authorization ONLY?

    Tres Spicher Newbie

      Hi all,

      The web app I'm developing requires use of an LDAP server for authentication -- that is working fine. My question is, using existing tools, is it possible to use a database for role authorization only? DatabaseServerLoginModule seems to require the use of the Principals table, which is unnecessary for me. Any suggestions would be greatly appreciated.

      Tres

        • 1. Re: Using database for authorization ONLY?
          Boo Leong Khoo Newbie

          Try to set under the database login module to bypass authentication
          <module-option name="password-stacking">useFirstPass</module-option>

          If this doesn't work, then you've to modify the db login module to only lookup roles and skip authentication

          • 2. Re: Using database for authorization ONLY?
            Tres Spicher Newbie

            Thanks, that was very useful and exactly what I was looking for. Unfortunately, if I remove the Roles parameters from the LdapExtLoginModule configuration, the login fails. Is there any straightforward way to use LdapExtLoginModule for only the authentication portion of the login and to delegate all role assignment to the DatabaseServerLoginModule? Will I need to modify LdapExtLoginModule? If so, can you give me some pointers for doing so?

            If there is a better solution, I would also like to hear your suggestions. In our particular setup, the user names and passwords are part of a huge company-wide server. We have specific roles we need that will be used by a tiny subset of the company so modifying the LDAP server is not an option. We want to use the company's LDAP server for username/password verification, but use our own database to assign roles.

            I am desperately hoping for a response. I need to get this working in the next 2 days or I'm in trouble.

            • 3. Re: Using database for authorization ONLY?
              Boo Leong Khoo Newbie

              If i remember well. when the LdapExtLoginModule flag = "optional"
              the login will not fail as long as your next login module works to return the roles.
              Of course your next module's flag need to be 'required'

              If you really have to modify the ldap login module, just modify the LdapExtLoginModule's getRoleSets() method to return a dummy blank set.

              • 4. Re: Using database for authorization ONLY?
                Tres Spicher Newbie

                Thank you so much. You have been very helpful.

                • 5. Re: Using database for authorization ONLY?
                  stanton fisque Newbie

                  how did you achieve this? i am trying to do a similar thing:

                  1) attempt authentication via LDAP (using LdapExtLoginModule).

                  2) if failure, attempt authentication against the database (for "special case users" ) (using DatabaseServerLoginModule)

                  3) load the roles from the database regardless of which authentication succeeded.

                  i have the following login-config:

                  <application-policy name = "dual-auth">


                  <login-module code = "org.jboss.security.auth.spi.LdapExtLoginModule"
                  flag = "optional">

                  <module-option name="baseCtxDN">dc=psr,dc=kryptiq,dc=com</module-option>
                  <module-option name="bindDN">cn=admin,dc=psr,dc=kryptiq,dc=com</module-option>
                  <module-option name="bindCredential">secret00/module-option>
                  <module-option name="baseFilter">(cn={0})</module-option>
                  <module-option name="rolesCtxDN">dc=psr,dc=kryptiq,dc=com</module-option>
                  <module-option name="roleAttributeIsDN">false<module-option>
                  <module-option name="roleAttributeID">role</module-option>

                  </login-module>

                  <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag = "required">
                  <module-option name = "unauthenticatedIdentity">guest</module-option>
                  <module-option name = "dsJndiName">java:/jdbc/PSR</module-option>
                  <module-option name = "principalsQuery">SELECT PASSWORD as PASSWD FROM APP_USER WHERE LOGIN=?</module-option>
                  <module-option name = "rolesQuery">SELECT APP_PERMISSION.NAME as ROLEID, 'Roles' FROM APP_USER, APP_USER_ROLE, APP_ROLE_PERMISSION, APP_PERMISSION WHERE APP_USER.LOGIN=? AND APP_USER.ID = APP_USER_ROLE.USER_ID AND APP_USER_ROLE.ROLE_ID = APP_ROLE_PERMISSION.ROLE_ID AND APP_ROLE_PERMISSION.PERMISSION_ID = APP_PERMISSION.ID</module-option>

                  <module-option name="password-stacking">useFirstPass</module-option>

                  </login-module>

                  </application-policy>

                  if i comment out the LDAP part, it works fine for the "special case user" who exists only in the database. if i have both activated, the "special case user" never authenticates to my web-service (it is an ejb3 endpoint exposed via @WebService and @SecurityDomain annotations).

                  i made sure the "required" and "optional" flags are set and the "password-stacking" option is set. what else am i missing or is this setup not going to achieve what i need? does the "special" case user need to exist in the LDAP directory? i was under the impression that "optional" meant it would fail quietly and defer to later modules.

                  == stanton