auth-method none? for a JBoss simple SSO using digital signature?

Joan Pujol
Ranch Hand

Joined: Oct 12, 2005
Posts: 54
Hello,

I have made a simple SSO solution for us using a digital signature in a parameter of the request (we receive simple requests from a third party that we trust).

My LoginModule takes the request and validates whether it trusts the digital signature of the request. If it trusts it, the login is OK.
The problem that I have is that in the web.xml <auth-method> I have to put FORM, BASIC, DIGEST or CLIENT-CERT. Is there something like none? Because I don't want any interaction with the user, and I don't need any info (only the request).

What I have now is a "working" solution with the problem that the user gets a BASIC auth dialog asking for the password; what is entered doesn't matter because the LoginModule only looks at the request.

My question is: is there something like auth-method NONE, or any workaround to not ask the user for any info?

A workaround that I have in mind is to use a non-protected servlet in the app that manually puts the credentials. But is that possible?

I've been reading the JBoss docs but I don't know.
I have:


The problem is that this is a local LoginContext, isn't it? How can I get the LoginContext that JBoss uses for the webapp?

A lot, lot, lot of thanks in advance, because this is a little nightmare.
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10067

My question is: is there something like auth-method NONE, or any workaround to not ask the user for any info?


Let me tell you, I am not good at the security-related stuff. But going by what you mention as a requirement, you are looking for programmatic login instead of declarative login. In your case you need not mention the restrictions in the web.xml. You can have an unsecured servlet where you can do the programmatic login.

Now coming to your other question
The problem is that this is a local LoginContext, isn't it? How can I get the LoginContext that JBoss uses for the webapp?


There's a file in the %JBOSS_HOME%/server/default/conf folder named login-config.xml where you mention your application policy:

The outline of the application-policy is:
<application-policy name="xclinicportal">
<authentication>
<login-module code="login.module1.class.name" flag="control_flag">
<module-option name = "option1-name">option1-value</module-option>
<module-option name = "option2-name">option2-value</module-option>
...
</login-module>

<login-module code="login.module2.class.name" flag="control_flag">
...
</login-module>
...
</authentication>
</application-policy>


You can then use this login module from the servlet through the code that you have already posted.

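As an added example (not code from this thread or from JBoss), here is a JAAS LoginModule of the kind the original poster describes, wired for the "xclinicportal" policy above: the unsecured servlet builds a CallbackHandler that answers the NameCallback with the request's user parameter and the PasswordCallback with the request's Base64 signature parameter, then calls new LoginContext("xclinicportal", handler).login(). The class name, the publicKey module option, the SHA256withRSA algorithm and the use of org.jboss.security.SimplePrincipal are assumptions.

```java
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.jboss.security.SimplePrincipal;

/** Hypothetical module: NameCallback carries the user name from the request, PasswordCallback
 *  carries the trusted third party's Base64 signature over that name. The assumed module option
 *  "publicKey" holds the trusted party's X.509 (SubjectPublicKeyInfo) RSA public key in Base64. */
public class SignedRequestLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private PublicKey trustedKey;
    private String user;
    private boolean verified;
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
        try { // a bad or missing key must fail the deployment, not silently trust everything
            byte[] der = Base64.getDecoder().decode((String) options.get("publicKey"));
            trustedKey = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        } catch (Exception e) { throw new IllegalArgumentException("bad publicKey option", e); }
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("signature", false);
        try {
            handler.handle(new Callback[] { nc, pc });
            user = nc.getName();
            byte[] sig = Base64.getDecoder().decode(new String(pc.getPassword()));
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(trustedKey);
            v.update(user.getBytes("UTF-8"));
            verified = v.verify(sig); // false for a forged or tampered signature
        } catch (Exception e) { throw new LoginException("signature check failed: " + e); }
        if (!verified) throw new LoginException("request not signed by the trusted party");
        return true;
    }
    public boolean commit() { if (verified) subject.getPrincipals().add(new SimplePrincipal(user)); return verified; }
    public boolean abort() { verified = false; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

Signing only the user name means a captured request parameter stays valid indefinitely; in practice the signed payload should also carry a timestamp or nonce that the module checks before accepting the login.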
Joan Pujol
Ranch Hand

Joined: Oct 12, 2005
Posts: 54
That's correct. A programmatic login is OK for me. I can use a non-protected server to do the task.

But the problem is that then I don't know how to manually put a credential in my JBoss realm... (That's a requirement for me.)

I've been reading the JBoss documentation but it's a little nightmare.

Cheers,
Joan Pujol
Ranch Hand

Joined: Oct 12, 2005
Posts: 54
Originally posted by Jaikiran Pai:


You can then use this login module from the servlet through the code that you have already posted.


Yes, I can use the login module code. But then the credentials aren't put in the session.
I need to get the LoginContext that JBoss uses when I put restrictions in the apps, to leave the credentials in the session.

Cheers,
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10067

But the problem is that then I don't know how to manually put a credential in my JBoss realm... (That's a requirement for me.)


You mean, once you have logged in programmatically, you want to pass the credentials forward? That can be done by adding the ClientLoginModule to the application policy that you configured in login-config.xml. This might not make much sense unless you are able to get the configuration right first. Have you been able to add your application policy to the config file and use it in the servlet? If not, then I would start with this as a first step.
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10067

Originally posted by Jaikiran Pai:
That can be done by adding the ClientLoginModule to your application policy that you configured in the login-config.xml.


To know more about how to do this, look at Q3 of the JBossSecurityFAQ.
Joan Pujol
Ranch Hand

Joined: Oct 12, 2005
Posts: 54
Originally posted by Jaikiran Pai:


You mean, once you have logged in programmatically, you want to pass the credentials forward? That can be done by adding the ClientLoginModule to the application policy that you configured in login-config.xml. This might not make much sense unless you are able to get the configuration right first. Have you been able to add your application policy to the config file and use it in the servlet? If not, then I would start with this as a first step.


Yes, the login modules work OK, and my LoginModule successfully validates the user. But the credentials aren't propagated.
I tried to add the ClientLoginModule but it doesn't work for me. When I go to another app with the same realm there is no credential.
Joan Pujol
Ranch Hand

Joined: Oct 12, 2005
Posts: 54
I have been investigating a little more and this is what I have:



This is the debug output I get just after lc.login in my servlet.



The problem is that then, when the servlet ends, I get this stacktrace:



And when it arrives at BasicAuthenticator I get:



It looks as if the credentials are deleted, aren't they?

The login-config.xml has:



Can someone help in this nightmare?
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17250

I have a question: should this thread go to the Servlet forum or the JBoss forum?

It is not an EJB question.

Mark

Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10067

It's specific to JBoss, so the JBoss forum would be right.