JBOSS LdapLoginModule authentication. Help needed for code to use LoginContext

shilpee khare
Greenhorn

Joined: Nov 16, 2006
Posts: 2
Hi,
I have done the configurations in JBoss (version: jboss-4.0.3SP1) to use LdapLoginModule authentication as mentioned below. I have set up a test LDAP server using OpenLDAP and added the entries mentioned below. The problem is that even if I don't start the LDAP server it still authenticates for the correct username & password, but if I give a wrong password it gives a LoginException. So I am not able to find out against what it is trying to match the username/password if my LDAP server is not running.

1. "sample.ldif" file to add entries in LDAP DB (data is stored in dbb file in OpenLDAP server)

dn: dc=sample,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
objectClass: domainRelatedObject
objectClass: dcObject
associatedDomain: sample.com
o: sample
dc: sample
description: Sample International - Specialist Providers of Widgets
postalAddress: empty
telephoneNumber: +44 00000000

dn: cn=Directory Manager,dc=sample,dc=com
objectClass: top
objectClass: organizationalRole
objectClass: OpenLDAPdisplayableObject
objectClass: labeledURIObject
cn: Directory Manager
cn: Manager
cn: Directory Administrator
cn: Administrator
displayName: Directory Manager
roleOccupant: uid=lrussell,ou=People,dc=sample,dc=com
labeledURI: mailto:directorymanager@sample.com Directory Manager
seeAlso: dc=sample,dc=com
description: Manages the OpenLDAP directories

dn: ou=People,dc=sample,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=sample,dc=com
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: ou=Roles,dc=sample,dc=com
ou: Roles
objectClass: top
objectClass: organizationalUnit

dn: uid=lrussell,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Russell
cn: Luc
uid: lrussell
userpassword: fgCPCzLOHJSRIhLb756rLfe8E7Y=
mail: lrussell@sample.com

dn: uid=jbloggs,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Bloggs
cn: Joe
uid: jbloggs
userpassword: no3XJAZeeb9AKbGNY65/masWpZE=
mail: jbloggs@sample.com

dn: uid=fsmith,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Smith
cn: Fred
uid: fsmith
userpassword: kSgNNHCC/WXSjWH3s11BQNE6cKE=
mail: fsmith@sample.com

dn: cn=Users,ou=Groups,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Users
uniqueMember: uid=jbloggs,ou=People,dc=sample,dc=com
uniqueMember: uid=fsmith,ou=People,dc=sample,dc=com

dn: cn=Member_admins,ou=Groups,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Member_admins
uniqueMember: uid=lrussell,ou=People,dc=sample,dc=com

dn: cn=Everyone,ou=Groups,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Everyone
uniqueMember: uid=jbloggs,ou=People,dc=sample,dc=com
uniqueMember: uid=fsmith,ou=People,dc=sample,dc=com
uniqueMember: uid=lrussell,ou=People,dc=sample,dc=com

dn: cn=Authenticated_users,ou=Roles,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Authenticated_users
uniqueMember: cn=Everyone,ou=Groups,dc=sample,dc=com

dn: cn=Member_admin,ou=Roles,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Member_admin
uniqueMember: cn=Member_admins,ou=Groups,dc=sample,dc=com

2. "login-config.xml"

<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
"-//JBoss//DTD JBOSS Security Config 3.0//EN"
"http://www.jboss.org/j2ee/dtd/security_config.dtd">

<!-- The XML based JAAS login configuration read by the
org.jboss.security.auth.login.XMLLoginConfig mbean. Add
an application-policy element for each security domain.

The outline of the application-policy is:
<application-policy name="security-domain-name">
<authentication>
<login-module code="login.module1.class.name" flag="control_flag">
<module-option name = "option1-name">option1-value</module-option>
<module-option name = "option2-name">option2-value</module-option>
...
</login-module>

<login-module code="login.module2.class.name" flag="control_flag">
...
</login-module>
...
</authentication>
</application-policy>

-->

<policy>
<!-- Used by clients within the application server VM such as
mbeans and servlets that access EJBs.
-->
<application-policy name="client-login">
<authentication>
<login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
</authentication>
</application-policy>

<!-- Security domain for JBossMQ -->
<application-policy name = "jbossmq">
<authentication>
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">guest</module-option>
<module-option name = "dsJndiName">java:/DefaultDS</module-option>
<module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
<module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
</login-module>
</authentication>
</application-policy>

<!-- Security domain for JBossMQ when using file-state-service.xml
<application-policy name = "jbossmq">
<authentication>
<login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">guest</module-option>
<module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
</login-module>
</authentication>
</application-policy>
-->

<!-- Security domains for testing new jca framework -->
<application-policy name = "HsqlDbRealm">
<authentication>
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">sa</module-option>
<module-option name = "userName">sa</module-option>
<module-option name = "password"></module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
</login-module>
</authentication>
</application-policy>

<application-policy name = "JmsXARealm">
<authentication>
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">guest</module-option>
<module-option name = "userName">guest</module-option>
<module-option name = "password">guest</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
</login-module>
</authentication>
</application-policy>

<!-- A template configuration for the jmx-console web application. This
defaults to the UsersRolesLoginModule the same as other and should be
changed to a stronger authentication mechanism as required.
-->
<application-policy name = "jmx-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
</login-module>
</authentication>
</application-policy>

<application-policy name="sample_web_client_security">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="java.naming.security.principal">cn=Directory Manager,dc=sample,dc=com</module-option>
<module-option name="java.naming.security.credentials">secret</module-option>
<module-option name="principalDNPrefix">uid=</module-option>
<module-option name="principalDNSuffix">,ou=People,dc=sample,dc=com</module-option>
<module-option name="uidAttributeID">uniqueMember</module-option>
<module-option name="rolesCtxDN">cn=Directory Manager,dc=sample,dc=com</module-option>
<module-option name="roleAttributeID">cn</module-option>
<module-option name="matchOnUserDN">false</module-option>
</login-module>
</authentication>
</application-policy>

<!-- The default login configuration used by any security domain that
does not have a application-policy entry with a matching name
-->
<application-policy name = "other">
<!-- A simple server login module, which can be used when the number
of users is relatively small. It uses two properties files:
users.properties, which holds users (key) and their password (value).
roles.properties, which holds users (key) and a comma-separated list of
their roles (value).
The unauthenticatedIdentity property defines the name of the principal
that will be used when a null username and password are presented as is
the case for an unuathenticated web client or MDB. If you want to
allow such users to be authenticated add the property, e.g.,
unauthenticatedIdentity="nobody"
-->
<authentication>
<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" />
</authentication>
</application-policy>

</policy>

3. Code used to supply the authentication info.

import java.security.MessageDigest;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

import sun.misc.BASE64Encoder;

public synchronized UserVO authenticate(final String userId, final String password)
        throws Exception {

    UserVO userVO = null;
    try {
        // Pre-hash the password as base64(SHA-1(password)), the same form
        // that is stored in the userpassword attributes of the LDIF above
        MessageDigest d = MessageDigest.getInstance("SHA-1");
        d.reset();
        d.update(password.getBytes());
        BASE64Encoder encoder = new BASE64Encoder();
        String digestedPwdString = encoder.encode(d.digest());
        System.out.println("encoder -------- >> " + digestedPwdString); // debug output

        // Hand the username and the pre-hashed password to JAAS through the
        // JBoss callback handler and run the login modules of the domain
        UsernamePasswordHandler handler = new UsernamePasswordHandler(
                userId.toLowerCase(), digestedPwdString.toCharArray());
        LoginContext loginContext =
                new LoginContext("sample_web_client_security", handler);
        loginContext.login();

        /*
         * Login successful: get the subject, get the principals list,
         * add the current principal
         */
        Subject subject = loginContext.getSubject();
        Set principals = subject.getPrincipals();
        SimplePrincipal user = new SimplePrincipal(userId.toLowerCase());
        principals.add(user);

        /*
         * Fetch the user from the database.
         */
        userVO = userDelegate.getUserByNetworkId(userId);
    } catch (final LoginException ex) {
        this.log.error(ex.getMessage(), ex);
        System.out.println(ex.getMessage());
        ex.printStackTrace();
        throw ex;
    } catch (final Exception ex) {
        System.out.println(ex.getMessage());
        ex.printStackTrace();
        throw ex;
    }
    return userVO;
}

Please let me know if I have missed out something in the configurations. Also, is the code used for authentication in step 3 correct or not? Is it required to add a login module entry in the auth.conf file under the JBoss folder?
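A small diagnostic for the question of what the LoginContext is actually matching against: it asks the active JAAS Configuration which login modules back the domain name and then runs the login and lists the resulting principals. This is an added example, not code from the original post; it assumes the JBoss client classes (UsernamePasswordHandler) are on the classpath and that the domain name "sample_web_client_security" from the login-config.xml above is the one in use. If getAppConfigurationEntry returns null, the name is not known to the Configuration in effect and JAAS falls back to the "other" entry, which is one way a wrong module can end up doing the authentication.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

public class JaasDomainCheck {
    // Domain name taken from the login-config.xml in the post above
    static final String DOMAIN = "sample_web_client_security";

    // Print which Configuration implementation is active and which login
    // modules (with control flag and options) it returns for the domain name.
    static void describeDomain(String name) {
        Configuration cfg = Configuration.getConfiguration();
        System.out.println("Active Configuration: " + cfg.getClass().getName());
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(name);
        if (entries == null) {
            // JAAS uses the "other" entry when the requested name is absent
            System.out.println("No entry for '" + name + "', falling back to 'other'");
            entries = cfg.getAppConfigurationEntry("other");
        }
        if (entries == null) {
            System.out.println("No 'other' entry either; login() would fail");
            return;
        }
        for (AppConfigurationEntry e : entries) {
            System.out.println(e.getLoginModuleName() + " [" + e.getControlFlag() + "]");
            for (Map.Entry<String, ?> o : e.getOptions().entrySet()) {
                // Do not echo the bind credential of the service account
                String v = o.getKey().endsWith("credentials") ? "***" : String.valueOf(o.getValue());
                System.out.println("    " + o.getKey() + " = " + v);
            }
        }
    }

    // Run the JAAS login for the domain and return the authenticated Subject
    static Subject login(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext(DOMAIN, new UsernamePasswordHandler(user, password));
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        describeDomain(DOMAIN);
        Subject s = login(args[0], args[1].toCharArray());
        // Shows whether the user principal is already present after login()
        System.out.println("Principals after login: " + s.getPrincipals());
    }
}
```

Run it once with the LDAP server stopped and once with it running: the module list tells you which configuration is in effect, and the principal listing shows what the login modules already put into the Subject before any principal is added by hand.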
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10240
Have you mentioned the security domain element in your jboss-web.xml?
shilpee khare
Greenhorn

Joined: Nov 16, 2006
Posts: 2
Hi, thanks for replying.
Yes, I added it in jboss-web.xml. Forgot to mention.

I am facing a new problem now. I am not able to access my login.jsp page. It gives Configuration error: can't authenticate against null principal.

In the code I posted, after successful login, the way I am adding the user to the principals, I'm not sure whether it's correct or not.

Please let me know how to add the principal.