2 Replies Latest reply on May 19, 2008 11:06 AM by Pieter Kuijpers

    'sufficient' loginmodules combined with ClientLoginModule

    Pieter Kuijpers Newbie

      I have the following requirements for my web application running on JBoss 4.2.1:

      - Users should be authenticated against an LDAP directory
      - In LDAP, a user is registered in one of two locations, say ou=A or ou=B. So, the DN for a user might be uid=X,ou=A or uid=X,ou=B
      - I need to perform programmatic web authentication

      The solution I have come up with is to use two LdapLoginModules: one for each location. Both login-modules are set to 'sufficient'.

       <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
       <!-- regular options omitted -->
       <module-option name="principalDNPrefix">uid=</module-option>
       <module-option name="principalDNSuffix">,ou=A</module-option>
       </login-module>
       <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
       <!-- regular options omitted -->
       <module-option name="principalDNPrefix">uid=</module-option>
       <module-option name="principalDNSuffix">,ou=B</module-option>
       </login-module>
      


      This works as expected: authentication succeeds if the can be authenticated against one of the two LDAP locations.

      To propagate the authentication info to the container, I use the ClientLoginModule as mentioned in the SecurityFAQ. This is added as the third loginmodule in my configuration:

      <login-module code="org.jboss.security.ClientLoginModule" flag="required">
       <module-option name="restore-login-identity">true</module-option>
       <module-option name="multi-threaded">true</module-option>
       <module-option name="password-stacking">useFirstPass</module-option>
       </login-module>
      


      What I want is that authentication fails when both Ldap loginmodules fail. In reality, authentication succeeds in that case, because the ClientLoginModule always succeeds. Thus, I have the two 'sufficient' ldap loginmodules fail, and the 'required' clientloginmodule succeed, resulting in a successful login.

      Is there a way to enforce that (at least) one of the ldap loginmodules succeed, and that the clientloginmodule is still invoked for a successful login?

        • 1. Re: 'sufficient' loginmodules combined with ClientLoginModul
          Ragav Gomatam Novice

          There are 4 jaas flags. (a) Sufficient - If this succeeds, no other module down the chain is invoked. Login succeeds (b) required -- This must succeed for overall authentication to succeed. If it fails control is passed to other module in the chain (c) requisite -- This must succeed. If it fails, control is not passed down the chain (d) Optional -- Well can pass/fail.

          Try as follows :-

          LdapModule1==>required
          LdapModule2==>required
          ClientModule==>Optional

          • 2. Re: 'sufficient' loginmodules combined with ClientLoginModul
            Pieter Kuijpers Newbie

            Thanks for the reply. However, that configuration doesn't do what I want:

            In this situation:
            LdapModule1 (required)=>pass
            LdapModule2 (required)=>fail
            ClientModule (optional)=>pass

            I want the authentication process to pass. But as LdapModule2 is required, the overall result is fail.

            Also, I want:
            LdapModule1=>fail
            LdapModule2=>fail
            ClientModule=>pass
            Overall=====>fail

            As far as I understand, there is no configuration that could do that. The problem is the ClientModule that always passes, even though it doesn't do any real authentication. I think it would be more sensible if ClientModule always returned 'fail', then we could flag it as 'optional'.