• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

auth-method none? for a JBoss simple SSO using digital signature?

 
Ranch Hand
Posts: 54
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hello,

I have made a simply SSO solution for us using digital signature in a parameter of the request (We recive simple request from a third party that we trust).

My LoginModule takes the request and validates if it trust the digital signature of the request. If it trusts, the login is Ok.
The problem that I have is that in the web.xml <auth-method> I have to put FORM,BASIC,DIGEST or CLIENT-CERT. There is somthing like none? Because I don't want any interaction with the user, and I don't need any info (only the request).

What I have know is a "working" solution with the problem that the user gets a BASIC auth dialog asking the password, what it's entered doesn't matter because the Loginmodule only looks at the request.

My question is there is something like auth-method NONE, or any workarround to don't ask any info to the user?�

A workarround that I have in mind, is use a nonprotected servlet in the app that manually puts the credentials. But, is that possible?

I've been reading at the docs of Jboss but I dont know.
I have:


The problem is that this is a local LoginContext, isn't it? How can I get the LoginContext that Jboss uses for the webapp?

A lot, lot, lot of thanks in advance, because this is a little nigthmare
 
Sheriff
Posts: 10445
227
IntelliJ IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

My question is there is something like auth-method NONE, or any workarround to don't ask any info to the user?�



Let me tell you, i am not good at the security related stuff. But going by what you mention as a requirement, you are looking for programatic login instead of declarative login. In your case you need not mention the restrictions in the web.xml. You can have an unsecured servlet, where you can do the programatic login.

Now coming to your other question

The problem is that this is a local LoginContext, isn't it? How can I get the LoginContext that Jboss uses for the webapp?



There's a file in %JBOSS_HOME%/server/default/conf folder named login-config.xml where you mention your application policy:

The outline of the application-policy is:
<application-policy name="xclinicportal">
<authentication>
<login-module code="login.module1.class.name" flag="control_flag">
<module-option name = "option1-name">option1-value</module-option>
<module-option name = "option2-name">option2-value</module-option>
...
</login-module>

<login-module code="login.module2.class.name" flag="control_flag">
...
</login-module>
...
</authentication>
</application-policy>



You can then use this login module from the servlet through the code that you have already posted.
 
Joan Pujol
Ranch Hand
Posts: 54
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
That's correct. A programatic login is ok for me. I can use a non protected server to to the task.

But the problem is that then I don't know how to put manually a credential in my jboss realm..... (That's a requirement for me).

I've been reading Jboss documentation but it's a little nigthmare.

Cheers,
 
Joan Pujol
Ranch Hand
Posts: 54
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Jaikiran Pai:


You can then use this login module from the servlet through the code that you have already posted.



Yes I can use the login module code. But then the credentials aren't put on the session.
I need to get the LoginContext that Jboss uses when I put restrictions in the apps to leave the credentials in the session.

Cheers,
 
Jaikiran Pai
Sheriff
Posts: 10445
227
IntelliJ IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

But the problem is that then I don't know how to put manually a credential in my jboss realm..... (That's a requirement for me).



You mean, once you have logged in programatically, you want to pass the credentials forward? That can be done by adding the ClientLoginModule to your application policy that you configured in the login-config.xml. This might not make much sense unless you are able to you get the configurations right, first. Have you been able to add your application policy the the config file and use it in the servlet? If not, then i would start with this as a first step.
 
Jaikiran Pai
Sheriff
Posts: 10445
227
IntelliJ IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Jaikiran Pai:
That can be done by adding the ClientLoginModule to your application policy that you configured in the login-config.xml.



To know more about how to do this, look at Q3 at JBossSecurityFAQ
 
Joan Pujol
Ranch Hand
Posts: 54
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Jaikiran Pai:


You mean, once you have logged in programatically, you want to pass the credentials forward? That can be done by adding the ClientLoginModule to your application policy that you configured in the login-config.xml. This might not make much sense unless you are able to you get the configurations right, first. Have you been able to add your application policy the the config file and use it in the servlet? If not, then i would start with this as a first step.



Yes the login modules work OK, and my loginmodule succefully validates de user. But the credentials aren't propagated.
I tried to add the ClientLoginModule but it doesn't works for me. When I go to another app with the same realm there is no credential.
 
Joan Pujol
Ranch Hand
Posts: 54
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I have been investigating a little more an thats what I have:



This is the debug code I get just after lc.login in my servlet.



The problem is that then when the servlet ends I had this stacktrace:



And when the arrives at BasicAuthenticator I get:



It looks as if the credential are deleted, aren't they?

The login-config.xml has:



Someone can help in this nigthmare?�
 
ranger
Posts: 17347
11
Mac IntelliJ IDE Spring
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I have a question, should this thread go the Servlet forum or the JBoss forum?

It is not an EJB question.

Mark
 
Jaikiran Pai
Sheriff
Posts: 10445
227
IntelliJ IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Its specific to JBoss so JBoss forum would be right
 
That's a very big dog. I think I want to go home now and hug this tiny ad:
a bit of art, as a gift, that will fit in a stocking
https://gardener-gift.com
reply
    Bookmark Topic Watch Topic
  • New Topic