5 Replies Latest reply on Apr 2, 2008 8:29 AM by Ido Weiss

    UsernamePasswordLoginModule and client origin

    Ido Weiss Newbie

      I have a subclass of UsernamePasswordLoginModule, and I want to use different authentication logic for clients that run on the server machine and clients that run on remote machines.
      How can I obtain the client origin from within the Login Module instance?

        • 1. Re: UsernamePasswordLoginModule and client origin
          Ragav Gomatam Novice

          You will have to write a Tomcat Valve.... I have posted the code somewhere in this or the Tomcat/Httpd/Servlets/Jsp forum here under JBoss.....

          • 3. Re: UsernamePasswordLoginModule and client origin
            Ido Weiss Newbie

            A small addition: my clients are EJB Java clients; some are processes that run on the JBoss machine (the "local" clients), and some are Java EJB client applications running on external machines.

            • 4. Re: UsernamePasswordLoginModule and client origin
              Ragav Gomatam Novice

              Remote EJB clients look up JNDI to get the EJB handle... Prior to that they log in as follows.

              import javax.security.auth.Subject;
              import javax.security.auth.login.LoginContext;
              import javax.security.auth.login.LoginException;

              public class CustomClient {

                  /**
                   * @param args user name, password and client IP text, in that order
                   */
                  @SuppressWarnings("unchecked")
                  public static void main(String[] args) {
                      LoginContext ctx = null;
                      try {
                          // "client-login" is the JAAS configuration entry the client uses
                          ctx = new LoginContext("client-login",
                                  new CustomHandler(args[0], args[1], args[2]));
                          ctx.login();

                          // Look up the EJB after the JAAS login above and invoke it in your PrivilegedAction
                          Subject.doAs(ctx.getSubject(), new CustomAction());

                      } catch (LoginException le) {
                          System.err.println("LoginContext cannot be created. "
                                  + le.getMessage());
                          System.exit(-1);
                      } catch (SecurityException se) {
                          System.err.println("LoginContext cannot be created. "
                                  + se.getMessage());
                      }
                  }

              }



              import java.security.PrivilegedAction;

              public class CustomAction implements PrivilegedAction {

                  public Object run() {
                      // Look up the EJB and invoke its methods here; the call runs as the logged-in Subject
                      return null;
                  }

              }




              Callback handler implementation. In addition to name and password, ask the user to enter IP information through TextInputCallback as shown.. Retrieve this in your Login Module login()... Verify the presence of the client IP in login()... If absent, throw an exception..... Hope this helps


              import javax.security.auth.callback.Callback;
              import javax.security.auth.callback.CallbackHandler;
              import javax.security.auth.callback.NameCallback;
              import javax.security.auth.callback.PasswordCallback;
              import javax.security.auth.callback.TextInputCallback;
              import javax.security.auth.callback.UnsupportedCallbackException;

              public class CustomHandler implements CallbackHandler {

                  private String name;
                  private String password;
                  private String text;

                  public void handle(Callback[] callbacks)
                          throws UnsupportedCallbackException {
                      // Answer each callback the login module sends with the value given at construction
                      for (int i = 0; i < callbacks.length; i++) {
                          if (callbacks[i] instanceof NameCallback) {
                              NameCallback nc = (NameCallback) callbacks[i];
                              nc.setName(this.name);
                          } else if (callbacks[i] instanceof PasswordCallback) {
                              PasswordCallback pc = (PasswordCallback) callbacks[i];
                              pc.setPassword(this.password.toCharArray());
                          } else if (callbacks[i] instanceof TextInputCallback) {
                              TextInputCallback tc = (TextInputCallback) callbacks[i];
                              tc.setText(this.text);
                          } else {
                              throw new UnsupportedCallbackException(callbacks[i],
                                      "Callback not supported");
                          }
                      }
                  }

                  public CustomHandler(String name, String password, String text) {
                      this.name = name;
                      this.password = password;
                      this.text = text;
                  }

              }


              For local clients, which I assume are web based.... that is, whose calls would be over HTTP, you could use the Tomcat Valve to introspect the IP...
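              The login-module side of the exchange in the post above, as an added example that is not code from the post or from JBoss: a plain javax.security.auth.spi.LoginModule (not a UsernamePasswordLoginModule subclass) that issues the same three callbacks and reads the TextInputCallback in login(). The class name ClientIpHintModule and the in-memory password check are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Assumed class name: the server-side counterpart of CustomHandler above.
public class ClientIpHintModule implements LoginModule {
    private CallbackHandler handler;
    private boolean loginOk;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        // The same three callbacks that CustomHandler answers on the client.
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        TextInputCallback tc = new TextInputCallback("Client IP: ");
        try {
            handler.handle(new Callback[] { nc, pc, tc });
        } catch (IOException e) {
            throw new LoginException("Callback failed: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("Client handler lacks a callback: " + e.getMessage());
        }
        String clientIp = tc.getText();
        if (clientIp == null || clientIp.trim().isEmpty()) {
            throw new LoginException("No client IP supplied");
        }
        // The IP arrived through the caller's own handler, so it is a claim, not a fact:
        // record it for audit, but do not let it widen what this login is allowed to do.
        System.out.println("audit: " + nc.getName() + " claims origin " + clientIp);
        char[] pw = pc.getPassword();
        pc.clearPassword();
        loginOk = pw != null && passwordMatches(nc.getName(), pw);
        if (!loginOk) throw new FailedLoginException("Bad user name or password");
        return true;
    }

    // Constructed stand-in for the real password store (assumption).
    private boolean passwordMatches(String user, char[] pw) {
        return "alice".equals(user) && new String(pw).equals("s3cret");
    }

    public boolean commit() { return loginOk; }
    public boolean abort() { loginOk = false; return true; }
    public boolean logout() { loginOk = false; return true; }
}
```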

              • 5. Re: UsernamePasswordLoginModule and client origin
                Ido Weiss Newbie

                Thanks ragavgomatam.
                Thing is, because this is a security issue, I cannot rely on clients to provide their genuine IP address, as attackers will provide a false one. Instead, the solution requires figuring out their real origin.