1. Re: Integrating web application
cuoz Jul 30, 2004 10:56 AM (in response to innovate)
I have a similar situation that I'm trying to figure out and would be interested in this as well. Specifically, I would like to know how to integrate authentication so that when people authenticate to nukes, they are also authenticated to other webapps using the same credentials. Our existing applications use JAAS for authentication. Is there a way to propagate a nukes login to another app via JAAS?
Thanks,
gary.
2. Re: Integrating web application
slucio Jul 30, 2004 4:14 PM (in response to innovate)
Same problem here. I am trying to integrate an existing JSF application with nukes, and specifically some of the login front-end, as well as newsgroups, etc. modules.
I am trying to use a module to proxy to the JSPs, but I am struggling with that. Any way someone could post further details than what's available on the Wikis?
Thanks,
Serge
3. Re: Integrating web application
cuoz Aug 10, 2004 11:22 AM (in response to innovate)
No takers on this? Somebody, somewhere has to have done this before. It's a pretty critical subject IMO.
The last thing I want is to have a site that is like every other PHP/Perl site out there where you have to log in to all the cobbled-together applications because there is no common authentication system.
Last I knew, Nukes did not use JAAS. Is that still the case? If not, any plans to make Nukes use JAAS?
gary.
4. Re: Integrating web application
theute Aug 10, 2004 11:32 AM (in response to innovate)
I looked at it and decided to wait for the port of Nukes to a more recent JBoss to use a class of JBossSX that doesn't exist in the JBoss version we support.
That new class will offer more flexibility. The problem is that we want an easy install process for default behavior.
We don't want users to mess with:
$JBOSS_HOME/server/default/conf/login-config.xml
Instead, JAAS configuration should be set up at deployment; it will be an easy fix as soon as we support JBoss 3.2.4 and above.
5. Re: Integrating web application
cuoz Aug 10, 2004 12:09 PM (in response to innovate)
I created a .sar file for one of my applications that dynamically adds its security domain to JBoss without mucking with login-config.xml. It was extremely easy to do and took about an hour. If you are interested, I can post further info. I'd love to see this feature implemented earlier rather than later.
FYI, my solution works on 3.2.1. I've not tried it on newer versions, but I'd think it should work.
gary.
6. Re: Integrating web application
theute Aug 10, 2004 12:25 PM (in response to innovate)
I am interested, please tell me more on how you did here on the forum or you can email me if you want to add some code at users.sourceforge.net
preceded by theute@
7. Re: Integrating web application
cuoz Aug 10, 2004 12:47 PM (in response to innovate)
I can't take full credit for all of the code because I found the concept and most of the code via google. But, I can't locate the original source it seems. I've tried some searches but no luck so far. If I can find the URL for where I found the original code, I will post it to give credit to the author.
Here are the files that make up my service...
MBean interface:
----------------------------------------------------------------
import org.jboss.system.ServiceMBean;

/**
 * An mbean interface for a config service that pushes an xml based
 * javax.security.auth.login.Configuration onto the config stack managed by
 * the mbean whose name is given by the SecurityConfigName attribute.
 */
public interface SecurityConfigMBean extends ServiceMBean
{
   /** Get the classpath resource name of the security configuration file */
   public String getAuthConfig();

   /** Set the classpath resource name of the security configuration file */
   public void setAuthConfig(String configURL);

   /**
    * Get the name of the SecurityConfig mbean whose pushLoginConfig and
    * popLoginConfig ops will be used to install and remove the xml login
    * config
    */
   public String getSecurityConfigName();

   /**
    * Set the name of the SecurityConfig mbean whose pushLoginConfig and
    * popLoginConfig ops will be used to install and remove the xml login
    * config
    */
   public void setSecurityConfigName(String objectName);
}
----------------------------------------------------------------
MBean implementation:
----------------------------------------------------------------
import java.net.URL;
import java.util.Hashtable;

import javax.management.MBeanServer;
import javax.management.ObjectName;

import org.apache.log4j.Logger;
import org.jboss.security.auth.login.XMLLoginConfig;
import org.jboss.system.ServiceMBeanSupport;

/**
 * A security config mbean that loads an xml login configuration and
 * pushes a XMLLoginConfig instance onto the config stack managed by
 * the SecurityConfigName mbean (default=jboss.security:service=SecurityConfig).
 */
public class SecurityConfig extends ServiceMBeanSupport
   implements SecurityConfigMBean
{
   // Constants -----------------------------------------------------
   // Key property added to this service's ObjectName to name the XMLLoginConfig
   // mbean. startService and stopService must use the same key, otherwise
   // unregisterMBean looks for a name that was never registered.
   private static final String CONFIG_KEY = "MySecurityConfig";

   // Attributes ----------------------------------------------------
   private String authConf = "login-config.xml";
   private XMLLoginConfig config = null;
   private ObjectName mainSecurityConfig;
   protected Logger log = Logger.getLogger(SecurityConfig.class);

   // Constructors --------------------------------------------------
   public SecurityConfig()
   {
      setSecurityConfigName("jboss.security:service=SecurityConfig");
   }

   // Public --------------------------------------------------------
   /** Get the name */
   public String getName()
   {
      return "JAAS Login Config";
   }

   /** Get securityConfigName */
   public String getSecurityConfigName()
   {
      return mainSecurityConfig.toString();
   }

   /** Set securityConfigName */
   public void setSecurityConfigName(String objectName)
   {
      try
      {
         mainSecurityConfig = new ObjectName(objectName);
      }
      catch (Exception e)
      {
         log.fatal("Failed to create ObjectName", e);
      }
   }

   /** Get the resource path to the JAAS login configuration file to use. */
   public String getAuthConfig()
   {
      return authConf;
   }

   /**
    * Set the resource path to the JAAS login configuration file to use.
    * The default is "login-config.xml".
    */
   public void setAuthConfig(String authConf)
   {
      this.authConf = authConf;
   }

   // Protected -----------------------------------------------------
   /** Build the ObjectName under which the XMLLoginConfig mbean is registered. */
   private ObjectName configObjectName() throws Exception
   {
      ObjectName name = super.getServiceName();
      Hashtable props = name.getKeyPropertyList();
      props.put(CONFIG_KEY, "XMLLoginConfig");
      return new ObjectName(name.getDomain(), props);
   }

   /** Start the service. */
   protected void startService() throws Exception
   {
      // Look for the authConf as resource
      ClassLoader loader = Thread.currentThread().getContextClassLoader();
      URL loginConfig = loader.getResource(authConf);
      if (loginConfig != null)
      {
         log.info("Using securityConfigName: '" + CONFIG_KEY + "'");
         log.info("Using JAAS AuthConfig: " + loginConfig.toExternalForm());
         config = new XMLLoginConfig();
         config.setConfigURL(loginConfig);
         config.start();
         MBeanServer server = super.getServer();
         ObjectName name = configObjectName();
         server.registerMBean(config, name);
         // Push the new config onto the stack of the main SecurityConfig mbean
         Object[] args = {name.toString()};
         String[] sig = {String.class.getName()};
         server.invoke(mainSecurityConfig, "pushLoginConfig", args, sig);
      }
      else
      {
         log.warn("No AuthConfig resource found");
      }
   }

   /** Stop the service. */
   protected void stopService() throws Exception
   {
      if (config == null)
      {
         // Nothing was pushed or registered in startService
         return;
      }
      log.info("Using securityConfigName: '" + CONFIG_KEY + "'");
      MBeanServer server = super.getServer();
      Object[] args = {};
      String[] sig = {};
      server.invoke(mainSecurityConfig, "popLoginConfig", args, sig);
      server.unregisterMBean(configObjectName());
      config = null;
   }
}
----------------------------------------------------------------
jboss-service.xml
----------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<server>
   <mbean code="com.innovationsw.panel.security.jmx.SecurityConfig"
          name="ISG.panel:service=PanelSecurityLoginConfig">
      <attribute name="AuthConfig">META-INF/login-config.xml</attribute>
      <!-- The service which supports dynamic processing of login-config.xml
           configurations. -->
      <depends>jboss.security:service=XMLLoginConfig</depends>
      <!-- Optionally specify the security mgr service to use when
           this service is stopped to flush the auth caches of the domains
           registered by this service. -->
      <!-- only in jboss 4.0 series
      <depends optional-attribute-name="SecurityManagerService">
         jboss.security:service=JaasSecurityManager
      </depends>
      -->
   </mbean>
</server>
----------------------------------------------------------------
login-config.xml
----------------------------------------------------------------
<policy>
   <application-policy name="MyRealm">
      <authentication>
         <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                       flag="required">
            <module-option name="dsJndiName">java:/MyDS</module-option>
            <module-option name="principalsQuery">SELECT password FROM users WHERE username=?</module-option>
            <module-option name="rolesQuery">SELECT role,rolegroup FROM users_role WHERE username=?</module-option>
            <module-option name="unauthenticatedIdentity">nobody</module-option>
         </login-module>
      </authentication>
   </application-policy>
</policy>
----------------------------------------------------------------
8. Re: Integrating web application
theute Aug 10, 2004 1:36 PM (in response to innovate)
I still want to stick with DynamicLoginConfig as it's fully integrated with JBoss:
http://www.jboss.org/wiki/Wiki.jsp?page=DynamicLoginConfig
I understand the drawback is that Nukes won't be compatible with JBoss 3.2.3 and lower.
Julien, the project leader, will decide.
If there is more to say about design we should use the dev forum.
Thanks for sharing your code.
9. Re: Integrating web application
cuoz Aug 10, 2004 2:46 PM (in response to innovate)
Ok. I had found the DynamicLoginConfig, but I'm not able to use the supported versions of JBoss yet, so needed something more immediate. If the work to make Nukes run on a late model JBoss will take considerable effort, the 1 or 2 hours of effort to implement my code would probably be worth it. It can always be deprecated and may get the project to support JAAS that much sooner.
Just my thoughts.
10. Re: Integrating web application
jae77 Aug 10, 2004 10:14 PM (in response to innovate)
the code you are using is more or less directly out of the examples included w/ the jboss admin book. (at least w/ the paid subscription)
if you're in a hurry to get this done, there's nothing wrong w/ deploying the code yourself and then migrating once > 3.2.4 is supported. you're still going to need a deployment descriptor in order to hook up the security configuration.
i already have this code written and more or less readily at hand. if you want it, pls let me know and i'll send it to you.
11. Re: Integrating web application
cuoz Aug 12, 2004 12:30 PM (in response to innovate)
What is it that your code will accomplish? Is it code that integrates nukes with JAAS? My end goal is to have nukes integrated with other J2EE applications. If your code will help in this regard, then I guess I'm interested.
So far, I've not really found any other options for doing this.
12. Re: Integrating web application
jae77 Aug 12, 2004 3:54 PM (in response to innovate)
no - it's just the code that you already pasted, but in .java file form.