The JBoss Quickstart has code for how to set up JBoss to use JAAS, and make your beans work with that security-domain. However, their code is actually wrong and it took me a bit to figure it out (I'm more than happy to post how to do this correctly if anyone wants). What they do not post is what to do from the client to log in via JAAS. I checked in the JBoss/Client folder and there are no classes I can find in any jar that will allow a client to log in. In fact, the JBoss/Client/auth.conf file names a login config class to use that cannot even be found in ANY jar in the JBoss distribution. (I'm using JBoss 3.0.2.) I finally did get it to work, but only by fudging things a bit. I searched through all jars, and found one, JBoss/Server/all/lib/jbosssx.jar, that contained a CallbackHandler class that can work. I had to use reflection to discover the method to use (setSecurityInfo) to pass it my username/password. However, I'm thinking this can't be right. The classes are not in the client-distribution code folder, so there must be a different way JBoss wanted me to do this. Does anyone know?
Hi all, I found it very difficult to establish a JAAS LDAP-based login context as well but finally managed to do so. I think the current documentation is out of date but that's okay as long as the next batch tidies things up. I'll post the work I did to establish EJB-based and web-based login contexts below. I use the LDAP login module so I don't think it carries over to database login (for example).
A. How to Establish a JAAS LDAP Login Context (EJB)
=======================================================

Step 1. Define the JNDI Connection
----------------------------------

In the /conf/login-config.xml of your selected JBoss server, specify your JNDI LDAP connection something like the following:

<application-policy name="AdminRealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://url.goes.here:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <!--<module-option name="java.naming.security.protocol"></module-option>-->
      <!--<module-option name="java.naming.security.principal"></module-option>-->
      <!--<module-option name="java.naming.security.credentials"></module-option>-->
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=Accounts,o=talonline.ca</module-option>
      <!--<module-option name="useObjectCredential">false</module-option>-->
      <module-option name="rolesCtxDN">ou=Roles,o=business.com</module-option>
      <module-option name="roleAttributeID">description</module-option>
      <module-option name="uidAttributeID">sn</module-option>
      <module-option name="matchOnUserDN">false</module-option>
      <!--<module-option name="unauthenticatedIdentity">guest</module-option>-->
      <!--<module-option name="password-stacking"></module-option>-->
      <!--<module-option name="hashAlgorithm">SHA</module-option>-->
      <!--<module-option name="hashEncoding">base64</module-option>-->
      <!--<module-option name="hashCharset"></module-option>-->
    </login-module>
  </authentication>
</application-policy>
Step 2. Specify the Security Realm in the jboss.xml files
-----------------------------------------------------------------

Next, for each EJB jar file that you create, place a jboss.xml in it. Specify in the jboss.xml file the names of all EJBs in the JAR along with the security realm(s) used by the EJBs. This tells JBoss at deployment that the named EJBs will use the specified security realm(s) for their authentication and/or authorization. Here is an example config file.

<jboss>
  <security-domain>java:/jaas/AdminRealm</security-domain>
  <enterprise-beans>
    <entity>
      <ejb-name>AccountEJB</ejb-name>
      <local-jndi-name>AccountHomeLocal</local-jndi-name>
    </entity>
  </enterprise-beans>
</jboss>
That's all there is to it. Once these are set, then you can modify the EJB code and its other configuration files (ex. ejb-jar.xml) to set up role-based security, perform authentication and authorization, etc.
B. How to Establish a JAAS LDAP Login Context (Web)
=======================================================

Step 1. Specify the JNDI LDAP Connection
----------------------------------------

In the /conf/login-config.xml of your selected JBoss server, specify your JNDI LDAP connection along the lines of the previous example.

Step 2. Modify the Security Requirements in web.xml
---------------------------------------------------------

Modify the web application's web.xml file so that it contains the security characteristics you want to have applied to the application. See the second attachment for an example of the security information you might add to web.xml if you want to prompt users attempting to access any resource in the application using HTTP GET and POST for basic authentication in the AdminRealm.
<!--*********************************************************************-->
<!---->
<!--Configure the web application's security environment.-->
<!---->
<!--*********************************************************************-->
<security-constraint>
  <display-name>Constraints of the Administration Console's Security Environment</display-name>
  <!--URI security patterns and the HTTP methods to protect on them.-->
  <web-resource-collection>
    <web-resource-name>Protected Administration Console Resources</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <!--Anyone with these roles may enter this area.-->
  <auth-constraint>
    <role-name>Administrator</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>no description</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>AdminRealm</realm-name>
</login-config>

<!-- Security roles referenced by this web application -->
<security-role>
  <role-name>Administrator</role-name>
</security-role>
Step 3. Specify the name of the Web App's Security Realm in the jboss-web.xml file
--------------------------------------------------------------------------------------------

Finally, modify or create a jboss-web.xml so that it contains the name(s) of the security realm(s) that the secured web application will work off of. JBoss uses this to associate the appropriate JNDI realm(s) with this application.

<jboss-web>
  <security-domain>java:/jaas/AdminRealm</security-domain>
</jboss-web>
Hi there, I have been trying to use JBoss-3.2.1 (WinNT), OpenLDAP (Linux) and the LdapLoginModule is just too confusing for me. Please send me the web.xml and login-config.xml entries as well as the LDIF file on LDAP with the valid users and roles there. I would very much appreciate this. Thanks.
Hi, it's me again. Please ignore my earlier request. The problem I face now is after I have passed the authentication of the users within LDAP.

Scenario 1. User in LDAP with a valid role in LDAP.
a. User with correct password - logs in successfully.
b. User with incorrect password - cannot log in.
These are OK test cases and results.
c. Same user logs in successfully without providing a password, even though LDAP has a password against the user.

Please suggest which file I should debug here and compile again so that the user validation against a null password is also done. This is something I didn't come across on any site talking about LdapLoginModule in JBoss. Did I miss something? Thanks again.
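Two things in this thread call for the same piece of code: the opening question (how a client hands a user name and password to JAAS at all) and the scenario just above, where a login with an empty password is reported as successful. The following is an added example written for this thread; it is not code from JBoss or from any poster. It uses only the standard JAAS API: a CallbackHandler on the client side that answers NameCallback and PasswordCallback, a LoginContext named after the AdminRealm policy from the thread, and a hypothetical stand-in LoginModule (NonEmptyPasswordLoginModule, with a constructed admin/s3cret account in place of a real directory bind) that rejects an empty user name or password before any authentication is attempted. That ordering is the defensive point: many directory servers treat a simple bind with a DN and an empty password as an anonymous bind and report success, so the credential must be checked for emptiness before it ever reaches the directory. The in-memory Configuration replaces the login-config.xml policy so the example runs offline.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class JaasLoginDemo {

    /** Client side: supplies the user name and password to whichever LoginModule asks for them. */
    public static class SimpleCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        public SimpleCallbackHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback");
                }
            }
        }
    }

    /**
     * Hypothetical server-side module standing in for the LDAP login module.
     * It refuses an empty user name or password BEFORE any bind would happen,
     * so an empty credential can never reach a directory that would accept it
     * as an anonymous bind. The admin/s3cret account is constructed for the demo.
     */
    public static class NonEmptyPasswordLoginModule implements LoginModule {
        private CallbackHandler handler;
        private boolean succeeded;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] pw = pc.getPassword();   // returns a copy
            pc.clearPassword();
            if (nc.getName() == null || nc.getName().isEmpty() || pw == null || pw.length == 0) {
                throw new FailedLoginException("empty user name or password rejected");
            }
            // Constructed credential check in place of the real directory bind.
            succeeded = "admin".equals(nc.getName()) && Arrays.equals("s3cret".toCharArray(), pw);
            Arrays.fill(pw, '\0');          // do not leave the password in memory
            if (!succeeded) throw new FailedLoginException("bad credentials");
            return true;
        }
        public boolean commit() { return succeeded; }
        public boolean abort() { succeeded = false; return true; }
        public boolean logout() { succeeded = false; return true; }
    }

    /** Installs an in-memory JAAS configuration equivalent to one login-config.xml policy. */
    static void installConfiguration(final String realm) {
        Configuration.setConfiguration(new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!realm.equals(name)) return null;
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(NonEmptyPasswordLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        new HashMap<String, Object>())
                };
            }
            @Override
            public void refresh() { }
        });
    }

    /** Client-side login: true only when LoginContext.login() succeeds for the credentials. */
    static boolean tryLogin(String realm, String user, String password) {
        try {
            LoginContext ctx = new LoginContext(realm,
                new SimpleCallbackHandler(user, password.toCharArray()));
            ctx.login();
            ctx.logout();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        installConfiguration("AdminRealm");
        System.out.println("correct password: " + tryLogin("AdminRealm", "admin", "s3cret"));
        System.out.println("wrong password:   " + tryLogin("AdminRealm", "admin", "nope"));
        System.out.println("empty password:   " + tryLogin("AdminRealm", "admin", ""));
    }
}
```

The three calls in main correspond to test cases a, b and c from the post above; case c fails inside login() with a FailedLoginException instead of being forwarded to the directory. Against a real JBoss server the Configuration would come from login-config.xml rather than from installConfiguration, and the client's CallbackHandler is the only part that stays the same.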
Welcome to JavaRanch "please urgent". Your display name doesn't quite fit the famous JavaRanch naming policy. Could you please take a minute to change your display name to show 2 names, preferably your real name. (It's all about maintaining our professional image - don't let the one-eyed moose fool you!). Thanks and hope you'll be visiting the ranch often, Pauline