Hi,
I have done the configuration in JBOSS (version: jboss-4.0.3SP1) to use LdapLoginModule authentication as mentioned below. I have set up a test LDAP server using OpenLDAP and added the entries mentioned below. The problem is that even if I don't start the LDAP server it still authenticates for the correct username & password, but if I give a wrong password it gives a LoginException. So I am not able to find out against what it is trying to match the username/password if my LDAP server is not running.
1. "sample.ldif" file to add entries in the LDAP DB (data is stored in bdb files in the OpenLDAP server)
dn: dc=sample,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
objectClass: domainRelatedObject
associatedDomain: sample.com
o: sample
dc: sample
description: Sample International - Specialist Providers of Widgets
postalAddress: empty
telephoneNumber: +44 00000000

dn: cn=Directory Manager,dc=sample,dc=com
objectClass: top
objectClass: organizationalRole
objectClass: OpenLDAPdisplayableObject
objectClass: labeledURIObject
cn: Directory Manager
cn: Manager
cn: Directory Administrator
cn: Administrator
displayName: Directory Manager
roleOccupant: uid=lrussell,ou=People,dc=sample,dc=com
labeledURI: mailto:directorymanager@sample.com Directory Manager
seeAlso: dc=sample,dc=com
description: Manages the OpenLDAP directories

dn: ou=People,dc=sample,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=sample,dc=com
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: ou=Roles,dc=sample,dc=com
ou: Roles
objectClass: top
objectClass: organizationalUnit

dn: uid=lrussell,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Russell
cn: Luc
uid: lrussell
userpassword: fgCPCzLOHJSRIhLb756rLfe8E7Y=
mail: lrussell@sample.com

dn: uid=jbloggs,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Bloggs
cn: Joe
uid: jbloggs
userpassword: no3XJAZeeb9AKbGNY65/masWpZE=
mail: jbloggs@sample.com

dn: uid=fsmith,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Smith
cn: Fred
uid: fsmith
userpassword: kSgNNHCC/WXSjWH3s11BQNE6cKE=
mail: fsmith@sample.com

dn: cn=Users,ou=Groups,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Users
uniqueMember: uid=jbloggs,ou=People,dc=sample,dc=com
uniqueMember: uid=fsmith,ou=People,dc=sample,dc=com

dn: cn=Member_admins,ou=Groups,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Member_admins
uniqueMember: uid=lrussell,ou=People,dc=sample,dc=com

dn: cn=Everyone,ou=Groups,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Everyone
uniqueMember: uid=jbloggs,ou=People,dc=sample,dc=com
uniqueMember: uid=fsmith,ou=People,dc=sample,dc=com
uniqueMember: uid=lrussell,ou=People,dc=sample,dc=com

dn: cn=Authenticated_users,ou=Roles,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Authenticated_users
uniqueMember: cn=Everyone,ou=Groups,dc=sample,dc=com

dn: cn=Member_admin,ou=Roles,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Member_admin
uniqueMember: cn=Member_admins,ou=Groups,dc=sample,dc=com
2. "login-config.xml"
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
  "-//JBoss//DTD JBOSS Security Config 3.0//EN"
  "http://www.jboss.org/j2ee/dtd/security_config.dtd">

<!-- The XML based JAAS login configuration read by the
org.jboss.security.auth.login.XMLLoginConfig mbean. Add
an application-policy element for each security domain.

The outline of the application-policy is:
<application-policy name="security-domain-name">
  <authentication>
    <login-module code="login.module1.class.name" flag="control_flag">
      <module-option name = "option1-name">option1-value</module-option>
      <module-option name = "option2-name">option2-value</module-option>
      ...
    </login-module>

    <login-module code="login.module2.class.name" flag="control_flag">
      ...
    </login-module>
    ...
  </authentication>
</application-policy>
-->

<policy>
  <!-- Used by clients within the application server VM such as
  mbeans and servlets that access EJBs.
  -->
  <application-policy name="client-login">
    <authentication>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
    </authentication>
  </application-policy>

  <!-- Security domain for JBossMQ -->
  <application-policy name = "jbossmq">
    <authentication>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
        flag = "required">
        <module-option name = "unauthenticatedIdentity">guest</module-option>
        <module-option name = "dsJndiName">java:/DefaultDS</module-option>
        <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
        <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- Security domain for JBossMQ when using file-state-service.xml
  <application-policy name = "jbossmq">
    <authentication>
      <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
        flag = "required">
        <module-option name = "unauthenticatedIdentity">guest</module-option>
        <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
      </login-module>
    </authentication>
  </application-policy>
  -->

  <!-- Security domains for testing new jca framework -->
  <application-policy name = "HsqlDbRealm">
    <authentication>
      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
        flag = "required">
        <module-option name = "principal">sa</module-option>
        <module-option name = "userName">sa</module-option>
        <module-option name = "password"></module-option>
        <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <application-policy name = "JmsXARealm">
    <authentication>
      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
        flag = "required">
        <module-option name = "principal">guest</module-option>
        <module-option name = "userName">guest</module-option>
        <module-option name = "password">guest</module-option>
        <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- A template configuration for the jmx-console web application. This
  defaults to the UsersRolesLoginModule the same as other and should be
  changed to a stronger authentication mechanism as required.
  -->
  <application-policy name = "jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
        flag = "required">
      </login-module>
    </authentication>
  </application-policy>

  <application-policy name="sample_web_client_security">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="java.naming.security.principal">cn=Directory Manager,dc=sample,dc=com</module-option>
        <module-option name="java.naming.security.credentials">secret</module-option>
        <module-option name="principalDNPrefix">uid=</module-option>
        <module-option name="principalDNSuffix">,ou=People,dc=sample,dc=com</module-option>
        <module-option name="uidAttributeID">uniqueMember</module-option>
        <module-option name="rolesCtxDN">cn=Directory Manager,dc=sample,dc=com</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="matchOnUserDN">false</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- The default login configuration used by any security domain that
  does not have a application-policy entry with a matching name
  -->
  <application-policy name = "other">
    <!-- A simple server login module, which can be used when the number
    of users is relatively small. It uses two properties files:
    users.properties, which holds users (key) and their password (value).
    roles.properties, which holds users (key) and a comma-separated list of
    their roles (value).
    The unauthenticatedIdentity property defines the name of the principal
    that will be used when a null username and password are presented as is
    the case for an unauthenticated web client or MDB. If you want to
    allow such users to be authenticated add the property, e.g.,
    unauthenticatedIdentity="nobody"
    -->
    <authentication>
      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
        flag = "required" />
    </authentication>
  </application-policy>
</policy>
3. Code used to supply the authentication info.
import java.security.MessageDigest;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.callback.UsernamePasswordHandler;
import sun.misc.BASE64Encoder;

public synchronized UserVO authenticate(final String userId, final String password)
        throws Exception {
    UserVO userVO = null;
    try {
        // Hash the clear-text password with SHA-1 and Base64-encode the digest so it
        // has the same form as the userpassword values stored in sample.ldif.
        MessageDigest d = MessageDigest.getInstance("SHA-1");
        d.reset();
        d.update(password.getBytes());
        BASE64Encoder encoder = new BASE64Encoder();
        String digestedPwdString = encoder.encode(d.digest());
        // This prints the value the directory compares against; treat the output as sensitive.
        System.out.println("encoder -------- >> " + digestedPwdString);

        // Hand the user id and the digested password to JAAS through the JBoss callback handler
        // and log in against the "sample_web_client_security" security domain.
        UsernamePasswordHandler handler =
            new UsernamePasswordHandler(userId.toLowerCase(), digestedPwdString.toCharArray());
        LoginContext loginContext = new LoginContext("sample_web_client_security", handler);
        loginContext.login();

        /*
         * Login successful: - Get the subject - Get the principals list -
         * Add the current principal
         */
        Subject subject = loginContext.getSubject();
        Set principals = subject.getPrincipals();
        SimplePrincipal user = new SimplePrincipal(userId.toLowerCase());
        principals.add(user);

        /*
         * Fetch the user from the database.
         */
        userVO = userDelegate.getUserByNetworkId(userId);
    } catch (final LoginException ex) {
        this.log.error(ex.getMessage(), ex);
        System.out.println(ex.getMessage());
        ex.printStackTrace();
        throw ex;
    } catch (final Exception ex) {
        System.out.println(ex.getMessage());
        ex.printStackTrace();
        throw ex;
    }
    return userVO;
}
Please let me know if I have missed out something in the configurations. Also, is the code used for authentication in step 3 correct or not? Is it required to add a login-module entry in the auth.conf file under the JBOSS folder?
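An added diagnostic example, not code from the original post or from JBoss: a LoginContext resolves its login modules through whatever javax.security.auth.login.Configuration is installed in the JVM that calls it. Inside the JBoss server VM that is the XMLLoginConfig view of login-config.xml; in a standalone client it is the file named by -Djava.security.auth.login.config (such as an auth.conf), and a name that is not defined falls back to the "other" entry. The probe below prints the module class, control flag and options JAAS actually resolves for a domain name, masking credential-like option values, so you can see which module is being consulted when the LDAP server is down. It assumes Java 5 or later; the class name LoginConfigProbe and the list of masked option keys are the example's own choices.

```java
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/**
 * Prints the login modules JAAS resolves for a security-domain name, using the
 * same Configuration object a LoginContext consults. Run it with the same JVM
 * settings (in particular -Djava.security.auth.login.config) as the code that
 * calls LoginContext, or from inside the server to see the XMLLoginConfig view.
 */
public class LoginConfigProbe {

    /** Option keys whose values must never be echoed (hypothetical list for this example). */
    private static final String[] SECRET_KEYS = {
        "java.naming.security.credentials", "password", "bindCredential"
    };

    /**
     * Returns the entries registered under the given name, or, when none exist,
     * the entries under "other", which is the fallback a LoginContext itself uses.
     * Returns null if neither is defined; a LoginContext would then fail with a
     * LoginException before any module runs.
     */
    public static AppConfigurationEntry[] resolve(String domain) {
        Configuration cfg = Configuration.getConfiguration();
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(domain);
        if (entries == null) {
            entries = cfg.getAppConfigurationEntry("other");
        }
        return entries;
    }

    /** True when the entry for the name was missing and "other" was used instead. */
    public static boolean fellBackToOther(String domain) {
        return Configuration.getConfiguration().getAppConfigurationEntry(domain) == null;
    }

    /** Case-insensitive check against the masked key list. */
    public static boolean isSecret(String key) {
        for (String s : SECRET_KEYS) {
            if (s.equalsIgnoreCase(key)) {
                return true;
            }
        }
        return false;
    }

    /** Prints one line per module plus its options, with secrets replaced by "****". */
    public static void describe(String domain) {
        AppConfigurationEntry[] entries = resolve(domain);
        if (entries == null) {
            System.out.println(domain + ": no entry and no \"other\" fallback in this JVM's JAAS Configuration");
            return;
        }
        System.out.println(domain + (fellBackToOther(domain) ? " (resolved via \"other\")" : "") + ":");
        for (AppConfigurationEntry e : entries) {
            System.out.println("  " + e.getLoginModuleName() + " [" + e.getControlFlag() + "]");
            Map<String, ?> opts = e.getOptions();
            for (Map.Entry<String, ?> o : opts.entrySet()) {
                String value = isSecret(o.getKey()) ? "****" : String.valueOf(o.getValue());
                System.out.println("    " + o.getKey() + " = " + value);
            }
        }
    }

    public static void main(String[] args) {
        describe(args.length > 0 ? args[0] : "sample_web_client_security");
    }
}
```

If the output lists UsersRolesLoginModule under "(resolved via "other")", the JVM running the authenticate() method is not reading login-config.xml at all and is matching against users.properties; if it lists LdapLoginModule with the expected provider URL, the remaining place to look is the server-side authentication cache of the security manager for that domain, which can answer a repeated correct credential without contacting the directory.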