New JavaRanch Journal article: Authentication using JAAS

 
Rancher
Posts: 43081
The latest issue of the JavaRanch Journal contains an article by Rahul Bhattacharjee on Authentication using JAAS. Go read it while it's fresh, and discuss it in this thread.
 
Ranch Hand
Posts: 3389
That's nice to see. I guess Rahul is back after a long time.

Great work Rahul. Welcome back

Shall read it and get back for any clarifications.
 
Greenhorn
Posts: 6
Hello,

Is JAAS suitable for working with PKI?

Thank You
 
Raghavan Muthu
Ranch Hand
Posts: 3389
Howdy Dennis M Kavanagh,

Welcome to JavaRanch.

I am not aware of it. Let's hear from other ranchers!
 
Ranch Hand
Posts: 2308

Originally posted by Raghavan Muthu:

Great work Rahul. Welcome back



Thanks Raghavan. Hope you are doing fantastic (as usual).

Originally posted by Dennis M Kavanagh:

Is JAAS suitable for working with PKI?



If by PKI you mean Public Key Infrastructure, then yes.
The main objective of JAAS is that the application would be totally unaware of the underlying authentication process used.

You can very well have a login module which uses PKI for authenticating the subject.
 
Raghavan Muthu
Ranch Hand
Posts: 3389
That's great. Thank you Rahul (about PKI).

Well, I have gone through the article. I have a few clarifications.

(1) It seems to have so many classes like NameCallback, PasswordCallback etc. Doesn't it seem to complicate things so much just to retrieve the username and password as two strings? It may look awkward or silly, but I ask from a layman's perspective.

What extra features do we get from these wrappers?

(2) Does the JAAS configuration file have some syntax that should be followed? Say, should the attributes be mentioned in a single line, or can they be wrapped over several lines in order to achieve good readability?

Thank you!
 
Rahul Bhattacharjee
Ranch Hand
Posts: 2308

Originally posted by Raghavan Muthu:
I have gone through the article. I have a few clarifications.



1> Through the CallbackHandler the login module communicates with the user.
Different login modules would need different types of information to proceed with the authentication process.
The type of information that the respective login module needs can be found from the callbacks that the module passes on to the CallbackHandler's handle method.

There are a couple of ready-to-use callbacks available under the package javax.security.auth.callback. If your requirement does not get fulfilled by any of the available callbacks, then you might want to create one of your own by implementing the Callback interface.

In my example I have used the NameCallback and PasswordCallback as that was the need of my login module; some other login module might need some other information. So that login module would send a different set of callbacks to the CallbackHandler.

2> There is a standard which should be followed while editing the JAAS configuration file.

It has been documented in detail in the javadoc for javax.security.auth.login.Configuration.

The name of the login module should be the fully qualified class name of the login module, then a space, and then the type of the login module (REQUIRED, OPTIONAL etc.). You can specify options to that specific login module (again, all those options should be in the format key="value" and separated by a space).
The configuration can span across several lines as well.
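To make both answers concrete, here is an added example (not the article's code and not from the thread): a small login module that asks for a name and password through NameCallback/PasswordCallback, a CallbackHandler that answers exactly those callbacks, and the matching multi-line configuration entry. The class name, the "ExampleApp" entry, the debug option and the fixed credential check are all assumptions; driving it takes a LoginContext created for "ExampleApp" with fixedHandler(...).

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

/* jaas.conf (file name and the "ExampleApp" entry are assumptions). Per the
 * javax.security.auth.login.Configuration javadoc a module line is the fully
 * qualified class name, a space, the control flag, optional key="value"
 * options separated by spaces, then ';', and it may wrap over several lines:
 *   ExampleApp {
 *       ExampleLoginModule REQUIRED
 *           debug="true";
 *   };
 * Run: java -Djava.security.auth.login.config=jaas.conf <your main class> */
public class ExampleLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private boolean debug, succeeded;
    private X500Principal principal;
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.debug = "true".equals(options.get("debug"));   // option from jaas.conf
    }
    public boolean login() throws LoginException {
        // The callbacks are how this module tells the handler what it needs.
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("handler: " + e); }
        char[] pw = pc.getPassword();                        // a copy; wiped below
        pc.clearPassword();
        // Constructed credential check; a real module would consult a credential store.
        succeeded = "alice".equals(nc.getName()) && Arrays.equals(pw, "s3cret".toCharArray());
        if (pw != null) Arrays.fill(pw, '\0');
        if (debug) System.out.println("login " + (succeeded ? "ok" : "failed"));
        if (!succeeded) throw new FailedLoginException("bad user or password");
        principal = new X500Principal("CN=" + nc.getName());
        return true;
    }
    public boolean commit() {              // whole stack passed: expose the identity
        if (succeeded) subject.getPrincipals().add(principal);
        return succeeded;
    }
    public boolean abort()  { principal = null; succeeded = false; return true; }
    public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); return true; }

    /** A handler that answers exactly the two callbacks this module sends; a new
     *  Callback type would need a new branch here (or a different handler). */
    static CallbackHandler fixedHandler(String name, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb, "unsupported");
            }
        };
    }
}
```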
 
Raghavan Muthu
Ranch Hand
Posts: 3389
That's a good explanation. Thank you Rahul
 
Ranch Hand
Posts: 1282
I skimmed the article, it looks like it will be something I will be incorporating into my study path and using in the final stages of the project, but we need PKI to be implemented somewhere as an understandable simplification - this seems to be the place to do it.

PKI requires advanced skills to grasp. To have that degree of reliability available seems to me to be something authentication should implement.
 
Bartender
Posts: 1638

rahul: If your requirement does not get fulfilled by any of the available callbacks, then you might want to create one of your own by implementing the Callback interface.


Just to mention, this will require a change in the CallbackHandler too! So, if you are writing a login module to be plugged into an already existing stack of login modules then you must either adhere to the callbacks that are supported or request a change in the callback handler to support your callback.

raghavan: Does the JAAS configuration file have some syntax that should be followed?


Yeah, that's true. However, one can specify a different format for the configuration file also. For this to work, one must have a reader for the configuration and at system startup it can read the file to create a javax.security.auth.login.Configuration object and set it as the installed configuration object using the static method javax.security.auth.login.Configuration.setConfiguration(). Once set, this configuration will be used for any subsequent login requests.
 
Nitesh Kant
Bartender
Posts: 1638
Hey Rahul,

I have a question regarding the login module control flags.
Why do you think that even after a required module failure, the authentication continues to the next login modules (if any)?
The argument is that the overall result of the authentication will be failure, as a required module is required to succeed. Since the result is a failure, abort() will be called for all the login modules and ideally the authentication result must be cleaned from the subject by the different modules.
So, at the end of the authentication none of the results of the modules executed after the failure of required module will be available. Then, what is the need of executing them at all!

P.S.: I agree that the rules of the control flags are the same as you have mentioned.
 
Rahul Bhattacharjee
Ranch Hand
Posts: 2308

Nitesh Kant : Just to mention, this will require a change in the CallbackHandler too!



Very true, the CallbackHandler also has to become intelligent enough
to know what to do when it encounters the new type of Callback.

it can read the file to create a javax.security.auth.login.Configuration object and set it as the installed configuration object using the static method javax.security.auth.login.Configuration.setConfiguration().



You might also want to specify the configuration provider using the system property login.configuration.provider and let the Configuration take care of it. I could not find any formal documentation for writing a custom JAAS configuration, but the source of the class com.sun.security.auth.login.ConfigFile.java (the default config provider) seems to me like a good starting point.


Why do you think that even after a required module failure, the authentication continues to the next login modules(if any).



I do not have a very satisfying answer for this question. The only thing that I can think of is that, when you want the login process to continue (just to have a record of how the other login modules have performed with this particular user) even if you know that the overall authentication is going to fail, you can use required.

Let's see what other ranchers have to say about it.
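The control-flag question above is easier to reason about with the rules written down as code. The following is an added simulation (not the article's code and not JDK code) of how LoginContext walks a module stack, following the rules in the javax.security.auth.login.Configuration javadoc; the module names and their login() results are constructed, and it needs Java 16+ for records.

```java
import java.util.ArrayList;
import java.util.List;

/** Simulates how LoginContext walks a login module stack (added example, not JDK code). */
public class ControlFlagWalk {
    enum Flag { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL }

    /** One configured entry plus what its login() would do (true = success). Constructed data. */
    record Entry(String name, Flag flag, boolean loginSucceeds) {}

    /** Overall outcome and which modules actually had login() invoked. */
    record Outcome(boolean success, List<String> invoked) {}

    static Outcome walk(List<Entry> stack) {
        List<String> invoked = new ArrayList<>();
        boolean requiredFailed = false;   // a REQUIRED/REQUISITE module failed so far
        boolean anySuccess = false;       // some SUFFICIENT/OPTIONAL module succeeded
        boolean hasRequired = false;      // stack contains REQUIRED/REQUISITE at all
        for (Entry e : stack) {
            invoked.add(e.name());
            switch (e.flag()) {
                case REQUIRED -> {
                    hasRequired = true;
                    // Failure is remembered, but the walk continues down the list.
                    if (!e.loginSucceeds()) requiredFailed = true;
                }
                case REQUISITE -> {
                    hasRequired = true;
                    // Failure returns to the application immediately.
                    if (!e.loginSucceeds()) return new Outcome(false, invoked);
                }
                case SUFFICIENT -> {
                    // Success short-circuits, unless an earlier required module already failed.
                    if (e.loginSucceeds()) {
                        if (!requiredFailed) return new Outcome(true, invoked);
                        anySuccess = true;
                    }
                }
                case OPTIONAL -> { if (e.loginSucceeds()) anySuccess = true; }
            }
        }
        // Every REQUIRED/REQUISITE must pass; with none configured, one SUFFICIENT/OPTIONAL must.
        boolean ok = hasRequired ? !requiredFailed : anySuccess;
        return new Outcome(ok, invoked);
    }

    public static void main(String[] args) {
        // Nitesh's case: the REQUIRED module fails, yet the modules after it still have
        // login() invoked; the overall result is failure, so abort() will undo their work.
        Outcome a = walk(List.of(
                new Entry("Ldap", Flag.REQUIRED, false),
                new Entry("Audit", Flag.OPTIONAL, true),
                new Entry("Kerberos", Flag.SUFFICIENT, true)));
        System.out.println(a);

        // Same stack with REQUISITE instead: the walk stops at the first failure.
        Outcome b = walk(List.of(
                new Entry("Ldap", Flag.REQUISITE, false),
                new Entry("Audit", Flag.OPTIONAL, true)));
        System.out.println(b);
    }
}
```

Rahul's reading matches the first case: REQUIRED is the flag to pick when the later modules should still run (for example to record their result) even though the outcome is already decided, while REQUISITE is the flag to pick when they should not.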
 
Nitesh Kant
Bartender
Posts: 1638

Rahul: I could not find in terms of any formal documentation for writing custom jaas configuration , but the source of class com.sun.security.auth.login.ConfigFile.java (default config provider) seems to me like a good starting point.



Well, so to say, it can be any file. An XML file, an XLS file, a database table!
The logic of reading such data is totally specific to the application. However, the end result of the configuration digestion must be an instance of javax.security.auth.login.Configuration.
Since JDK 6, there is an SPI class javax.security.auth.login.ConfigurationSpi for the Configuration.
 
Rahul Bhattacharjee
Ranch Hand
Posts: 2308

Originally posted by Nitesh Kant:
Well, so to say, it can be any file. An xml file, xls file, a database table!



You got me wrong. My bad for the misleading statement. Of course it can be of any format (I will not go with an XLS for storing such information).
I was talking about the parsing logic (the provider implementation), not the format of the file.

What I mentioned was Sun's default provider com.sun.security.auth.login.ConfigFile.java, and it knows how to parse values from the default JAAS config format.

I personally would not like to have the JAAS config parsing logic in the application. It should not be related to the application in any way. But what you have mentioned would certainly work (as the API exists to plug in your configuration).

Another scenario where this might not work (I might be wrong as I have not worked it out) is when you have two web applications deployed in Tomcat and both of them are plugging in their application-specific JAAS Configurations.

Bang! There might be a clash.

When you do Configuration.setConfiguration(config), your config object would be set in a private variable within Configuration, and when the other web application does this again, the first config object would be replaced by the new one. The reason for this should be that there is only one loaded Configuration class (loaded by the bootstrap classloader).
[ April 11, 2008: Message edited by: Rahul Bhattacharjee ]
 
Nitesh Kant
Bartender
Posts: 1638

rahul: You got me wrong.My bad for the misleading statement.


It's my turn to say that now.

Actually, I did not refer to a J2EE app as such when I said the logic is present in the application. What I meant is that there can be a library that extends JAAS to provide some more details in the configuration.

This library will be endorsed by a system and all applications running on the system will be adhering to the same. It would not work on a Tomcat instance wherein there may be 2 entirely different and mutually exclusive applications running, but it will definitely work where the application deployment process is streamlined and all applications follow the same principles.

Having said the above, I don't think I need to tell that even in the same JVM we can actually get two separate instances of the configuration installed! (Custom classloaders et al.!)


rahul: I will not go with an XLS for storing such information.


Me neither but that is just one of the possibilities!
 
Nitesh Kant
Bartender

Originally posted by Nitesh Kant:
Hey Rahul,

I have a question regarding the login module control flags.
Why do you think that even after a required module failure, the authentication continues to the next login modules (if any)?
The argument is that the overall result of the authentication will be failure, as a required module is required to succeed. Since the result is a failure, abort() will be called for all the login modules and ideally the authentication result must be cleaned from the subject by the different modules.
So, at the end of the authentication none of the results of the modules executed after the failure of required module will be available. Then, what is the need of executing them at all!

P.S.: I agree that the rules of the control flags are the same as you have mentioned.



Any opinions on this anybody?
 
Ranch Hand
Posts: 54
Hey Rahul:

What happens if I add some more principals to the subject after the completion of the login process?
 
Rahul Bhattacharjee
Ranch Hand
Posts: 2308

Originally posted by Amit Kumargupta:

What happens if I add some more principals to the subject after the completion of the login process?



You might want to call setReadOnly() on the Subject, to make it unmodifiable.
 
Greenhorn
Posts: 16
Hello friends,
I have an application connecting to a JBoss server and I am using JAAS.
This application has a couple of modules and each of them should have different authentication (usernames) to access different services in the same JBoss server.

The problem is that when module A authenticates with the server it is OK, then later in the thread lifecycle, module B authenticates with the server, that is OK too. But even later when module A calls the JBoss server for the second time, it is using the authentication used by module B.

I don't want to do authentication for every call, so is there a way for me to know if a thread has a successful authentication? And is it possible to change it? Like having a cache of login contexts or something...

Thank you for your patience and sorry for the bad English.
 
Nitesh Kant
Bartender
Posts: 1638
Hi Joel,
Please do not hijack a thread for a different question (DontHijack).
This thread was to discuss the new journal article.
Request you to post this question as a new thread in the Security forum.
 
Amit Kumargupta
Ranch Hand
Posts: 54

Originally posted by Rahul Bhattacharjee:
You might want to call setReadOnly() on the Subject, to make it unmodifiable.



If I have some more login modules in that stack, after the subject is made read-only will it be possible to set it to read-write mode again?

If there is some other login module trying to set some principal, then it would not work as the subject has been made read-only before.
 
Rahul Bhattacharjee
Ranch Hand
Posts: 2308

Originally posted by Amit Kumargupta:


If I have some more login modules in that stack, after the subject is made read-only will it be possible to set it to read-write mode again?



Once the subject is made read-only, the same subject can never again become writable.

You might want to have a separate login module for making the subject read-only (make the subject read-only in the commit method of that login module), if the overall login process passes, and put that entry at the end of the login module stack.
 
Joel de Matos
Greenhorn
Posts: 16

Originally posted by Nitesh Kant:
Hi Joel,
Please do not hijack a thread for a different question(DontHijack)
This thread was to discuss the new journal article.
Request you to post this question as a new thread in the Security forum.



Will do, very sorry for the inconvenience!
Anyways, thanks to Rahul for the article.
cheers
 
Nitesh Kant
Bartender
Posts: 1638
IntelliJ IDE MySQL Database Java

Rahul:
You might want to have a separate login module for making the subject read-only (make the subject read-only in the commit method of that login module), if the overall login process passes, and put that entry at the end of the login module stack.



Hmm, how about making the subject read-only after the login call is over?
I think Amit was referring to a situation when someone tries to modify the subject after the authentication completes.
 
Rahul Bhattacharjee
Ranch Hand
Posts: 2308

Originally posted by Nitesh Kant:


Hmm, how about making the subject read-only after the login call is over?



And how would you know that the call is over?

The very purpose of having a configuration file is that at installation time of the application the installer can modify (add, remove or change the respective position of the login module in the stack) the configuration file for that site.

What happens if he puts any other login module after the login module that makes the subject read-only?
 
Nitesh Kant
Bartender
Posts: 1638
IntelliJ IDE MySQL Database Java

Rahul: And how would you know that the call is over?


When LoginContext.login() returns. I assume that the original question was asked from the perspective of someone who is executing the login modules and not from the one writing a login module.

Rahul:
The very purpose of having a configuration file is that at installation time of the application the installer can modify (add, remove or change the respective position of the login module in the stack) the configuration file for that site.
What happens if he puts any other login module after the login module that makes the subject read-only?


Absolutely, I did not suggest doing it via a login module (maybe the wording was not appropriate).
In fact, this is the reason why I felt that the following suggestion was not appropriate:

You might want to have a separate login module for making the subject read-only (make the subject read-only in the commit method of that login module), if the overall login process passes, and put that entry at the end of the login module stack.



[ April 15, 2008: Message edited by: Nitesh Kant ]
 
Amit Kumargupta
Ranch Hand
Posts: 54
My question was: what would happen if someone puts a login module after the subject is made read-only (by editing the configuration, as the login modules are very modular; they may be written by a login module developer and various login modules may be plugged in at install time), and I think it has been answered by Rahul.
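The read-only Subject exchange above (and Nitesh's earlier point about installing a Configuration built in code rather than from a jaas.conf file) can be seen end to end in this added demonstration, which is not from the thread or the article: the caller freezes the Subject once LoginContext.login() has returned, a later principal addition is rejected, there is no way back to writable, and a module whose commit() runs after the freeze fails for the same reason. The StampModule class, the "Demo" entry name and the cn option are assumptions.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

public class ReadOnlySubjectDemo {
    /** Constructed module: checks no credentials, it just stamps a principal in commit(). */
    public static class StampModule implements LoginModule {
        private Subject subject;
        private X500Principal who;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s;
            who = new X500Principal("CN=" + opts.get("cn"));   // option from the config entry
        }
        public boolean login()  { return true; }
        public boolean commit() { subject.getPrincipals().add(who); return true; } // throws on a read-only Subject
        public boolean abort()  { return true; }
        public boolean logout() { subject.getPrincipals().remove(who); return true; }
    }

    /** A Configuration built in code, handed to the LoginContext directly instead of
     *  being installed globally with Configuration.setConfiguration(). */
    static Configuration programmatic() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"Demo".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        StampModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Map.of("cn", "alice")) };
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        Subject subject = new Subject();
        LoginContext lc = new LoginContext("Demo", subject, null, programmatic());
        lc.login();                       // the application knows the call is over here
        System.out.println("after login: " + subject.getPrincipals());

        subject.setReadOnly();            // freeze the authenticated identity
        try {
            subject.getPrincipals().add(new X500Principal("CN=mallory"));
        } catch (IllegalStateException e) {
            System.out.println("add after setReadOnly rejected: " + e.getMessage());
        }
        // Subject has no method to clear the flag: it stays read-only for its lifetime.
        System.out.println("isReadOnly = " + subject.isReadOnly());

        // Rahul's objection: a module placed after a freezing module cannot commit.
        StampModule late = new StampModule();
        late.initialize(subject, null, Map.of(), Map.of("cn", "bob"));
        late.login();
        try {
            late.commit();
        } catch (IllegalStateException e) {
            System.out.println("later module's commit rejected: " + e.getMessage());
        }
    }
}
```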
 