Using cookies in JAAS to extend a Single Sign On

I'm currently involved in a project to extend our cookie based SSO to an application using JAAS which I felt to be the best way of achieving the goal. I have written a CallbackHandler which will handle extracting the username and password from the cookies but I'm really not sure as to how to set up the callback from the LoginModule to get the names to check against the db and would very much appreciate some advice on the best way of doing this:
import java.sql.*; import java.util.Map; import javax.naming.Context; import javax.naming.InitialContext; import javax.naming.NamingException; import javax.security.auth.spi.LoginModule; import javax.security.auth.*; import javax.security.auth.callback.*; import javax.security.auth.login.*; import javax.sql.*; import java.util.Map; import javax.security.auth.spi.LoginModule; import javax.security.auth.*; import javax.security.auth.callback.*; import javax.security.auth.login.*; public class check implements LoginModule { //initialise variables will be initialised by the initialize() method CallbackHandler handler; Subject subject; Map sharedState; Map options; private boolean loginPassed = false; public check(){} //no-arguments constructor public void initialize(Subject subject, CallbackHandler handler, Map sharedSite, Map options) { this.subject = subject; this.handler = handler; this.sharedState = sharedState; this.options = options; } public boolean login()throws LoginException { String userName =""; String password =""; boolean passed = false; try { //create the Callback handlers Callback[] callbacks = new Callback[1]; //Don't use null arguments in Namecallback callbacks[0] = new NameCallback (userName); callbacks[1] = new PasswordCallback (password, false); handler.handle(callbacks); //Get username and password NameCallback nameCall = (NameCallback) callbacks[0]; userName = nameCall.getName(); PasswordCallback passCall = (PasswordCallback) callbacks[1]; password = new String(passCall.getPassword()); //Look up the data source to get password and name ResultSet rs = null; Class.forName("com.mysql.jdbc.Driver"); String url = "jdbc:mysql://localhost:3306/loginlist"; Connection conn = DriverManager.getConnection(url, "user", "pword"); String sqlname = "SELECT * FROM name WHERE name='" + userName +"'"; String sqlpass = "SELECT * FROM pass WHERE pass='" + password +"'"; Statement stmt = conn.createStatement(); //Check username rs = stmt.executeQuery(sqlname); //If result set has rows, then username was correct and next() returns true passed = rs.next(); rs.close(); if (!passed) { loginPassed = false; throw new FailedLoginException( "Username not authenticated"); } passed = rs.next(); rs.close(); //Check password rs = stmt.executeQuery(sqlpass); if (! passed) { loginPassed = false; throw new FailedLoginException("Password not found"); } else { loginPassed = true; return true; } } catch (Exception e) { throw new LoginException(e.getMessage()); } } public boolean commit() throws LoginException { return loginPassed; } public boolean abort() throws LoginException { boolean bool = loginPassed; loginPassed = false; return bool; } public boolean logout() throws LoginException { loginPassed = false; return true; } }//logout

Iain:
[QB]I have written a CallbackHandler which will handle extracting the username and password from the cookies but I'm really not sure as to how to set up the callback from the LoginModule to get the names to check against the db

Looking at the posted code it seems that you have done what is required to request a callback from the callback handler(assuming that the callback handler is set appropriately). Can you tell as to what is going wrong? Is there any specific problem you are facing?

I am not sure about your database table structure but you seem to get user name and password from two different tables without specifying the user name in the password lookup query! How is this supposed to work? How do you know that the password you have retrieved is indeed for the requested user?

Hi Nitesh,

Apologies for the tardiness of the reply, an upgrade went interestingly well.

I keep getting the error:
java.lang.IllegalArgumentException
at javax.security.auth.callback.NameCallback.<init>(Unknown Source)
at uk.ac.stfc.login.check.login(check.java:45)
which is the namecallback. I think it is to do with the way that the JAAS jar has been placed. I've put it in Tomcat 5.5.23 and have set the web.xml to point to the relevant url. As above, I'm trying to use cookies but the url is presenting a form so I assume that I need to remove this form or is there are way of overriding it (I'm hooking into a third party piece of software called Bedework)?
MTIA for any help and advice
Iain