4 Replies Latest reply on Aug 30, 2004 11:37 AM by Daniel Boggs

    Licensing Question for Custom Login Module

    Daniel Boggs Newbie

      My company has a commercial application which is hosted in JBoss (version 3.2.3). We need a way to encrypt our database username/password, so I am looking at copying the code from the SecureIdentityLoginModule (from version 3.2.5) and writing our own similar login module which will fit our needs. Would this put us in violation of the LGPL license, or is doing this sort of thing considered "configuration"? If so, would we be in violation to create our own login module from scratch (which seems like a waste, considering we have the example)?


        • 1. Re: Licensing Question for Custom Login Module
          Scott Stark Master

          The LGPL license kicks in if you are redistributing jboss. If your not, the mods are irrelevent. If you are, the derived login module source should be made available under LGPL license. This can be done most simply by supplying the code as a patch to the sourceforge jboss project. If you can't do this, then you would need to create your own implementation that achieves the required encryption semantics.

          • 2. Re: Licensing Question for Custom Login Module
            Daniel Boggs Newbie

            I just want to clarify to make sure... if I were to write a login module that extended one of the JBoss login modules (such as the AbstractServerLoginModule) and distribute this with a commercial application, the mods would need to be made available under LGPL. But if I were to write a login module, simply extending the javax.security.auth.spi.LoginModule interface, and distribute this with a commercial application (i.e., application hosted by JBoss, and configured in JBoss to use the login module), there would be no need to make this change/addition available?


            • 3. Re: Licensing Question for Custom Login Module
              Scott Stark Master

              You did not say you were extending AbstractServerLoginModule in the first post. You said you were copying the SecureIdentityLoginModule and possibly modifying that. If you just link against jboss code by extending it in the java class sense, this is not creating a derived work which requires your login module code to be subject to the LGPL. If you copy the SecureIdentityLoginModule or make non-trivial use of its code in your login module, you are creating a derived work that is subject to the LGPL license.

              • 4. Re: Licensing Question for Custom Login Module
                Daniel Boggs Newbie

                FYI, for those interested: I ended up writing my own login module (really just a working skeleton right now) which simply extends ConfiguredIdentityLoginModule. It overrides the initialize method to perform decryption of the password, etc, as necessary. Here's the gist of what I have, as an example:

                Java Source:

                package mypackage;
                import javax.security.auth.Subject;
                import javax.security.auth.callback.CallbackHandler;
                import java.util.Map;
                import java.util.HashMap;
                import java.util.Collections;
                import org.jboss.resource.security.ConfiguredIdentityLoginModule;
                 * Extends the functionality of the JBoss ConfiguredIdentityLoginModule.
                 * Provides the ability to decrypt the principal, userName, and password.
                public class EncryptedConfiguredIdentityLoginModule extends ConfiguredIdentityLoginModule {
                 public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
                 String encryptedPrincipal = (String)options.get("encryptedPrincipal");
                 String encryptedUserName = (String)options.get("encryptedUserName");
                 String encryptedPassword = (String)options.get("encryptedPassword");
                 boolean encryptPrincipal = Boolean.valueOf(encryptedPrincipal).booleanValue();
                 boolean encryptUserName = Boolean.valueOf(encryptedUserName).booleanValue();
                 boolean encryptPassword = Boolean.valueOf(encryptedPassword).booleanValue();
                 HashMap newOptions = new HashMap(options.size());
                 if (encryptPrincipal) {
                 String principal = (String)newOptions.get("principal");
                 if (principal != null) {
                 principal = decrypt(principal);
                 newOptions.put("principal", principal);
                 if (encryptUserName) {
                 String userName = (String)newOptions.get("userName");
                 if (userName != null) {
                 userName = decrypt(userName);
                 newOptions.put("userName", userName);
                 if (encryptPassword) {
                 String password = (String)newOptions.get("password");
                 if (password != null) {
                 password = decrypt(password);
                 newOptions.put("password", password);
                 Map opts = Collections.unmodifiableMap(newOptions);
                 super.initialize(subject, callbackHandler, sharedState, opts);
                 private String decrypt(String s) {
                 // TODO: perform decryption
                 // Note: could make this class and this method abstract;
                 // then specific subclasses could perform various methods of decryption as needed
                 return s;

                login-config.xml excerpt:

                 <application-policy name = "TestRealm">
                 <login-module code = "mypackage.EncryptedConfiguredIdentityLoginModule"
                 flag = "required">
                 <module-option name = "encryptedPrincipal">true</module-option>
                 <module-option name = "principal">myprincipal</module-option>
                 <module-option name = "encryptedUserName">true</module-option>
                 <module-option name = "userName">myuser</module-option>
                 <module-option name = "encryptedPassword">true</module-option>
                 <module-option name = "password">mypassword</module-option>
                 <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=jdbc/MyDS</module-option>

                mssql-ds.xml excerpt: