Disabling basic authentication

 
Greenhorn
Posts: 20
Eclipse IDE Oracle
Hello!

I have a JBoss AS 4.3 web service application that has basic authentication using the 'UsersRolesLoginModule', configured using login-config.xml, web.xml, jboss-web.xml, user.properties etc. All authentication has worked fine so far!

The new 'unique' requirement (almost a reversal of the original requirement!!!) is that this authentication needs to be flag based! This is because the client may be delayed in getting the changes ready to invoke with username/password. Until then, we want the new changes to be deployed and "some configuration" on the server to switch OFF the authentication until the client is ready. When the client is ready, we switch the configuration ON. The idea is NOT to change the application ear!

In short, I would pass a null username and password, and it should go through. Tried the following ...

1. Setting the 'unauthenticatedIdentity' property -- but it doesn't work!
2. Tried a custom login module -- it doesn't get invoked when the username and password are null!
3. Removing the realm info from login-config.xml -- it goes hunting for the defaultSecurityAuthentication, i.e. defaultuser.properties

Interesting problem, and would like to know different views...

Regards
Jinu
 
Sheriff
Posts: 10445
IntelliJ IDE Ubuntu
That's a weird and potentially problematic requirement in terms of security. But if that's what you want, then take a look at this Security on JBoss chapter http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html and pay special attention to section 8.4.4, which explains the possible values of the "flag" attribute on a login module within a login module stack. I think you might be able to come up with something by properly setting up the login module stack and the flag attribute on them.
 
Jinu Vijay
Greenhorn
Posts: 20
Eclipse IDE Oracle
Hi Jaikiran

Appreciate your reply! True, it's weird, but also a challenge ;-)

I had seen the flag that you suggested, but inevitably that is useful if you have multiple login modules for a fall-through mechanism.

I investigated further to find the root cause, and realised that the Apache server rejects the request before it is evaluated by the JBoss security realm.

Apache logs:
2013-11-05 10:22:54,778 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
2013-11-05 10:22:54,779 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test


Class: org.apache.catalina.authenticator.BasicAuthenticator.java
Method: public boolean authenticate(Request request, Response response, LoginConfig config)
...

...

Since this authorization is null (when no username and password are provided), it sends back an unauthorized result.

References:
http://www.docjar.com/html/api/org/apache/catalina/authenticator/AuthenticatorBase.java.html
http://www.docjar.com/html/api/org/apache/catalina/authenticator/BasicAuthenticator.java.html

At least a new learning ...

Thanks!
Jinu
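As an added illustration (not code from this thread, nor from JBoss or Tomcat), here is a small Python model of the order of checks Jinu describes above: the container's authenticator parses the Authorization header first and issues the 401 challenge itself, so a request with no credentials never reaches the login-module stack, which is why the 'unauthenticatedIdentity' option (which only maps a null username/password inside a login module) cannot help. USERS, realm_login and Outcome are constructed stand-ins, not JBoss APIs.

```python
import base64
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for users.properties: username -> password.
USERS = {"alice": "s3cret"}


def realm_login(username, password, unauthenticated_identity=None):
    """Stand-in for the login-module stack. A null username/password maps to
    unauthenticated_identity (the JBoss unauthenticatedIdentity option);
    anything else is checked against USERS. Returns the principal or None."""
    if username is None and password is None:
        return unauthenticated_identity
    if USERS.get(username) == password:
        return username
    return None


def parse_basic_credentials(header):
    """Decode an HTTP Basic Authorization header into (username, password).
    Returns None when the header is absent or malformed; this mirrors the
    check in BasicAuthenticator.authenticate() that runs before any realm
    lookup."""
    if header is None:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


@dataclass
class Outcome:
    status: int                 # HTTP status the container would send
    principal: Optional[str]    # authenticated principal, if any
    realm_consulted: bool       # did the login-module stack run at all?


def authenticate(authorization_header, unauthenticated_identity=None):
    """Container-side flow: no (or malformed) credentials means an immediate
    401 challenge, and the realm is never consulted for that request."""
    creds = parse_basic_credentials(authorization_header)
    if creds is None:
        return Outcome(401, None, False)
    principal = realm_login(creds[0], creds[1], unauthenticated_identity)
    return Outcome(200 if principal else 401, principal, True)


def basic_header(username, password):
    """Build a Basic header for sample requests."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"
```

Calling realm_login(None, None, "guest") directly does return "guest", but authenticate(None, "guest") never gets that far, which is the behaviour the log lines above show.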
 