File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes JBoss/WildFly and the fly likes Example Code for JAAS with JBoss? Got it to work by Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of JavaScript Promises Essentials this week in the JavaScript forum!
JavaRanch » Java Forums » Products » JBoss/WildFly
Bookmark "Example Code for JAAS with JBoss? Got it to work by "fudging." How do Right?" Watch "Example Code for JAAS with JBoss? Got it to work by "fudging." How do Right?" New topic
Author

Example Code for JAAS with JBoss? Got it to work by "fudging." How do Right?

Robert Paris
Ranch Hand

Joined: Jul 28, 2002
Posts: 585
The JBoss Quickstart has code for how to set up JBoss to use JAAS, and make your beans work with that security-domain. However, their code is actually wrong and it took me a bit to figure it out (I'm more than happy to post how to do this correctly if anyone wants).
What they do not post, is what to do from the client to log in via JAAS. I checked in the JBoss/Client folder and there are no classes I can find in any jar that will allow a client to log in. In fact, the JBoss/Client/auth.conf file names a login config class to use that cannot even be found in ANY jar in the JBoss distribution. (I'm using JBoss 3.0.2) I finally did get it to work, but only by fudging things a bit. I searched through all jars, and found one JBoss/Server/all/lib/jbosssx.jar that contained a CallbackHandler class that can work. I had to use reflection to discover the method to use (setSecurityInfo) to pass it my username/password.
However, I'm thinking this can't be right. The classes are not in the client-distribution code folder, so there must be a different way JBoss wanted me to do this. Does anyone know?
George Diam
Greenhorn

Joined: Dec 21, 2002
Posts: 3
I know this is a really old thread but I'd still like to know how you did it.
Alexandre Marcondes
Greenhorn

Joined: Jan 31, 2003
Posts: 3
I would like also know what you did, and as I am dealing with the same JAAS/JbossSX stuff for JBoss 3.0.2 ... we could discuss our findings on the subject ...
Robert Paris
Ranch Hand

Joined: Jul 28, 2002
Posts: 585
Hey, I don't mean this in a bad way, but this was only two links from the top of the list:
http://www.coderanch.com/t/88165/JBoss/JAAS-JBOSS-Tutorial
(And the title was, JAAS - JBoss, a How To)
Darryl A. J. Staflund
Ranch Hand

Joined: Oct 06, 2002
Posts: 303
Hi all,
I found it very difficult to establish a JAAS LDAP-based login context as well but finally managed to do so. I think the current documentation is out of date but that's okay as long as the next batch tidies things up.
I'll post the work I did to establish EJB-based and web-based login contexts below. I use the LDAP login module so I don't think it carries over to database login (for example).

A. How to Establish a JAAS LDAP Login Context (EJB)
=======================================================
Step 1. Define the JNDI Connection
----------------------------------
In the /conf/login-config.xml of your selected JBoss server, specify your JNDI LDAP connection something like the following:
<application-policy name="AdminRealm">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldap://url.goes.here:389/</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<!--<module-option name="java.naming.security.protocol"></module-option>-->
<!--<module-option name="java.naming.security.principal"></module-option>-->
<!--<module-option name="java.naming.security.credentials"></module-option>-->
<module-option name="principalDNPrefix">uid=</module-option>
<module-option name="principalDNSuffix">,ou=Accounts,o=talonline.ca</module-option>
<!--<module-option name="useObjectCredential">false</module-option>-->
<module-option name="rolesCtxDN">ou=Roles,o=business.com</module-option>
<module-option name="roleAttributeID">description</module-option>
<module-option name="uidAttributeID">sn</module-option>
<module-option name="matchOnUserDN">false</module-option>
<!--<module-option name="unauthenticatedIdentity">guest</module-option>-->
<!--<module-option name="password-stacking"></module-option>-->
<!--<module-option name="hashAlgorithm">SHA</module-option>-->
<!--<module-option name="hashEncoding">base64</module-option>-->
<!--<module-option name="hashCharset"></module-option>-->
</login-module>
</authentication>
</application-policy>

Step 2. Specify the Security Realm in the jboss.xml files
-----------------------------------------------------------------
Next, for each EJB jar file that you create, place a jboss.xml in it. Specify in the jboss.xml file the names of all EJBs in the JAR along with the security realm(s) used by the EJB. This tells JBoss at deployment that the above-named EJB's will use the specified security realm(s) to do its authentication and/or authorization. Here is an example config file.
<jboss>
<security-domain>java:/jaas/AdminRealm</security-domain>
<enterprise-beans>
<entity>
<ejb-name>AccountEJB</ejb-name>
<local-jndi-name>AccountHomeLocal</local-jndi-name>
</entity>
</enterprise-beans>
</jboss>

That's all there is to it. Once these are set, then you can modify the EJB code and its other configuration files (ex. ejb-jar.xml) to set up role-based security, perform authentication and authorization, etc.

B. How to Establish a JAAS LDAP Login Context (Web)
=======================================================
Step 1. Specify the JNDI LDAP Connection
----------------------------------------
In the /conf/login-config.xml of your selected JBoss server, specify your JNDI LDAP connection along the lines of the previous example.
Step 2. Modify the Security Requirements in web.xml
---------------------------------------------------------
Modify the web application's web.xml file so that it contains the security characteristics you want to have applied to the application. See the second attachment for an example of security information you might add to web.xml container if you want to prompt users attempting to access any resource in the application using HTTP GET and POST for basic authentication in the AdminRealm.

<!--*********************************************************************-->
<!---->
<!--Configure the web application's security environment.-->
<!---->
<!--*********************************************************************-->
<security-constraint>
<display-name>Constraints of the Administration Console's Security Environment</display-name>
<!--URI security patterns and the HTTP methods to protect on them.-->
<web-resource-collection>
<web-resource-name>Protected Admininistration Console Resources</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<!--Anyone with these roles may enter this area.-->
<auth-constraint>
<role-name>Administrator</role-name>
</auth-constraint>
<user-data-constraint>
<description>no description</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Default login configuration uses form-based authentication -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>AdminRealm</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<role-name>Administrator</role-name>
</security-role>

Step 3. Specify the name of the Web App's Security Realm in the jboss-web.xml file.
--------------------------------------------------------------------------------------------
Finally, modify or create a jboss-web.xml so that it contains the name(s) of the security realm(s) that the secured web application will work off of. JBoss uses this to associate the appropriate JNDI realm(s) with this application.
<jboss-web>
<security-domain>java:/jaas/AdminRealm</security-domain>
</jboss-web>

Cheers,
Darryl
Abirya Zudash
Greenhorn

Joined: Aug 10, 2003
Posts: 2
Hi there, I have been trying to use Jboss-3.2.1(winnt) , openldap(linux)and the ldaploginmodule is just too confusing for me. Pls send me the web.xml , login-config.xml entries as well as the ldif file on ldap with the valid users and roles there.
i wud very much appreciate this. thanks.
Abirya Zudash
Greenhorn

Joined: Aug 10, 2003
Posts: 2
HI its me again.
Pls ignore my earlier request.The problem i face now is after i have passed the authentication of the users within ldap.
Scenraio1 . User in LDAP with a vaild role in LDAP.
a. User with correct password - Logins successfully.
b. User with incorrect password - cannot login.
these are ok test cases and results
c. Same user logins successfully withot providing a password even though ldap has a password agains the user.
Pls suggest which file i shud debug here and compile again so that the user validation against a null password also is done.
This is some thing i didnt come across on any site talking about ldaploginmodule in jboss. did i misssomethign?
thanks again,
Pauline McNamara
Sheriff

Joined: Jan 19, 2001
Posts: 4012
    
    6
Welcome to JavaRanch "please urgent".
Your display name doesn't quite fit the famous JavaRanch naming policy. Could you please take a minute to change your display name to show 2 names, preferably your real name. (It's all about maintaining our professional image - don't let the one-eyed moose fool you!).
Thanks and hope you'll be visiting the ranch often,
Pauline
Fady Matar
Greenhorn

Joined: Aug 13, 2003
Posts: 12
Make sure that your LDAP server does not allow anonymous otherwise everybody will be logging in to your application.
Your problem is no longer related to Java. it's related now to the ldap setup


Reasonable men adapt themselves to the world.<br />Unreasonable men adapt the world to themselves.<br />That's why all progress depends on unreasonable men.
Aurelien Faillon
Greenhorn

Joined: Jul 07, 2004
Posts: 9
hi,

You have copy a part of your login-config.xml file but could you explain me the meaning of this:
"application-policy name",

this:
"login-module code",

and this:
"module-option name".


Thanx for you helping

a n
B t a
m


....A...............N<br />B.......T.......A....<br />............M........
Aurelien Faillon
Greenhorn

Joined: Jul 07, 2004
Posts: 9
please... help me...

I can't find anywhere the meaning of these syntax, and I have to know it for complete my project.

I pray for your answer to the one-eyed moose...

a n
B t a
m
Aurelien Faillon
Greenhorn

Joined: Jul 07, 2004
Posts: 9
why won't you reply?

you don't like me? oohh I'm a disliked guy... ;(

please... help...
Jaber C. Mourad
Greenhorn

Joined: Aug 05, 2004
Posts: 1
I'm very newbie in ldap.
What is the simplest ldap schema to make ldapLoginModule work well ?
Thanks a lot
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Example Code for JAAS with JBoss? Got it to work by "fudging." How do Right?