Example Code for JAAS with JBoss? Got it to work by "fudging." How to do it right?

 
Ranch Hand
Posts: 585
The JBoss Quickstart has code for how to set up JBoss to use JAAS and make your beans work with that security-domain. However, their code is actually wrong and it took me a bit to figure it out (I'm more than happy to post how to do this correctly if anyone wants).
What they do not post is what to do from the client to log in via JAAS. I checked in the JBoss/Client folder and there are no classes I can find in any jar that will allow a client to log in. In fact, the JBoss/Client/auth.conf file names a login config class to use that cannot even be found in ANY jar in the JBoss distribution. (I'm using JBoss 3.0.2.) I finally did get it to work, but only by fudging things a bit. I searched through all jars, and found one, JBoss/Server/all/lib/jbosssx.jar, that contained a CallbackHandler class that can work. I had to use reflection to discover the method to use (setSecurityInfo) to pass it my username/password.
However, I'm thinking this can't be right. The classes are not in the client-distribution code folder, so there must be a different way JBoss wanted me to do this. Does anyone know?
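The reflection detour in the post above is not needed: the standard javax.security.auth API lets a client supply its username and password through its own CallbackHandler, so nothing from jbosssx.jar has to be on the client classpath for that part. The following is an added example, not code from the thread or from JBoss. It assumes a login entry named "client-login" exists in the auth.conf the JVM is started with (-Djava.security.auth.login.config=auth.conf); both the entry name and its contents are assumptions, since the thread does not show that file.

```java
// Added example: plain JAAS client login with a hand-written CallbackHandler.
// Assumes an auth.conf entry named "client-login" (assumption, not from the thread).
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.util.Arrays;

public class ClientLogin {

    /** Answers the NameCallback / PasswordCallback that a LoginModule issues. */
    static final class UsernamePasswordCallbackHandler implements CallbackHandler {
        private final String username;
        private final char[] password;

        UsernamePasswordCallbackHandler(String username, char[] password) {
            this.username = username;
            this.password = password.clone();   // keep our own copy so we can wipe it
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);   // PasswordCallback clones it
                } else {
                    throw new UnsupportedCallbackException(cb, "only name/password callbacks are handled");
                }
            }
        }

        /** Overwrite the cached password once the LoginContext no longer needs it. */
        void clear() {
            Arrays.fill(password, '\0');
        }
    }

    /** Runs the named login entry and returns the authenticated Subject. */
    public static Subject login(String entryName, String username, char[] password) throws LoginException {
        UsernamePasswordCallbackHandler handler = new UsernamePasswordCallbackHandler(username, password);
        try {
            LoginContext ctx = new LoginContext(entryName, handler);
            ctx.login();                       // drives each module's login() and commit()
            return ctx.getSubject();
        } finally {
            handler.clear();                   // do not leave the password lying around in memory
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credentials; real ones would come from the user, never from source code.
        String user = args.length > 0 ? args[0] : "alice";
        char[] pw = (args.length > 1 ? args[1] : "change-me").toCharArray();
        Subject subject = login("client-login", user, pw);
        System.out.println("Authenticated principals: " + subject.getPrincipals());
    }
}
```

Which LoginModule the "client-login" entry names, and therefore what ends up in the Subject, is decided by auth.conf, not by this class; the handler only answers the callbacks that module issues. Wiping the char[] after login is the reason to use PasswordCallback rather than passing a String around.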
 
Greenhorn
Posts: 3
I know this is a really old thread but I'd still like to know how you did it.
 
Greenhorn
Posts: 3
I would also like to know what you did, and as I am dealing with the same JAAS/JBossSX stuff for JBoss 3.0.2 ... we could discuss our findings on the subject ...
 
Robert Paris
Ranch Hand
Posts: 585
Hey, I don't mean this in a bad way, but this was only two links from the top of the list:
https://coderanch.com/t/88165/JBoss/JAAS-JBOSS-Tutorial
(And the title was, JAAS - JBoss, a How To)
 
Ranch Hand
Posts: 314
Hi all,
I found it very difficult to establish a JAAS LDAP-based login context as well but finally managed to do so. I think the current documentation is out of date but that's okay as long as the next batch tidies things up.
I'll post the work I did to establish EJB-based and web-based login contexts below. I use the LDAP login module so I don't think it carries over to database login (for example).

A. How to Establish a JAAS LDAP Login Context (EJB)
=======================================================
Step 1. Define the JNDI Connection
----------------------------------
In the /conf/login-config.xml of your selected JBoss server, specify your JNDI LDAP connection something like the following:

<application-policy name="AdminRealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://url.goes.here:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <!--<module-option name="java.naming.security.protocol"></module-option>-->
      <!--<module-option name="java.naming.security.principal"></module-option>-->
      <!--<module-option name="java.naming.security.credentials"></module-option>-->
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=Accounts,o=talonline.ca</module-option>
      <!--<module-option name="useObjectCredential">false</module-option>-->
      <module-option name="rolesCtxDN">ou=Roles,o=business.com</module-option>
      <module-option name="roleAttributeID">description</module-option>
      <module-option name="uidAttributeID">sn</module-option>
      <module-option name="matchOnUserDN">false</module-option>
      <!--<module-option name="unauthenticatedIdentity">guest</module-option>-->
      <!--<module-option name="password-stacking"></module-option>-->
      <!--<module-option name="hashAlgorithm">SHA</module-option>-->
      <!--<module-option name="hashEncoding">base64</module-option>-->
      <!--<module-option name="hashCharset"></module-option>-->
    </login-module>
  </authentication>
</application-policy>

Step 2. Specify the Security Realm in the jboss.xml files
-----------------------------------------------------------------
Next, for each EJB jar file that you create, place a jboss.xml in it. Specify in the jboss.xml file the names of all EJBs in the JAR along with the security realm(s) used by the EJBs. This tells JBoss at deployment that the above-named EJBs will use the specified security realm(s) to do their authentication and/or authorization. Here is an example config file.

<jboss>
  <security-domain>java:/jaas/AdminRealm</security-domain>
  <enterprise-beans>
    <entity>
      <ejb-name>AccountEJB</ejb-name>
      <local-jndi-name>AccountHomeLocal</local-jndi-name>
    </entity>
  </enterprise-beans>
</jboss>

That's all there is to it. Once these are set, then you can modify the EJB code and its other configuration files (ex. ejb-jar.xml) to set up role-based security, perform authentication and authorization, etc.

B. How to Establish a JAAS LDAP Login Context (Web)
=======================================================
Step 1. Specify the JNDI LDAP Connection
----------------------------------------
In the /conf/login-config.xml of your selected JBoss server, specify your JNDI LDAP connection along the lines of the previous example.
Step 2. Modify the Security Requirements in web.xml
---------------------------------------------------------
Modify the web application's web.xml file so that it contains the security characteristics you want to have applied to the application. See the second attachment for an example of security information you might add to web.xml container if you want to prompt users attempting to access any resource in the application using HTTP GET and POST for basic authentication in the AdminRealm.

<!--*********************************************************************-->
<!-- Configure the web application's security environment.              -->
<!--*********************************************************************-->
<security-constraint>
  <display-name>Constraints of the Administration Console's Security Environment</display-name>
  <!-- URI security patterns and the HTTP methods to protect on them. -->
  <web-resource-collection>
    <web-resource-name>Protected Administration Console Resources</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <!-- Anyone with these roles may enter this area. -->
  <auth-constraint>
    <role-name>Administrator</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>no description</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- Login configuration: HTTP BASIC authentication against the AdminRealm -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>AdminRealm</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
  <role-name>Administrator</role-name>
</security-role>

Step 3. Specify the name of the Web App's Security Realm in the jboss-web.xml file.
--------------------------------------------------------------------------------------------
Finally, modify or create a jboss-web.xml so that it contains the name(s) of the security realm(s) that the secured web application will work off of. JBoss uses this to associate the appropriate JNDI realm(s) with this application.

<jboss-web>
  <security-domain>java:/jaas/AdminRealm</security-domain>
</jboss-web>

Cheers,
Darryl
 
Greenhorn
Posts: 2
Hi there, I have been trying to use Jboss-3.2.1 (winnt), openldap (linux) and the ldaploginmodule is just too confusing for me. Please send me the web.xml and login-config.xml entries as well as the ldif file on ldap with the valid users and roles there.
I would very much appreciate this. Thanks.
 
Abirya Zudash
Greenhorn
Posts: 2
Hi, it's me again.
Please ignore my earlier request. The problem I face now is after I have passed the authentication of the users within ldap.
Scenario 1. User in LDAP with a valid role in LDAP.
a. User with correct password - logs in successfully.
b. User with incorrect password - cannot log in.
These are OK test cases and results.
c. Same user logs in successfully without providing a password, even though ldap has a password against the user.
Please suggest which file I should debug here and compile again so that the user validation against a null password is also done.
This is something I didn't come across on any site talking about ldaploginmodule in jboss. Did I miss something?
Thanks again,
 
Sheriff
Posts: 4012
6
Welcome to JavaRanch "please urgent".
Your display name doesn't quite fit the famous JavaRanch naming policy. Could you please take a minute to change your display name to show 2 names, preferably your real name. (It's all about maintaining our professional image - don't let the one-eyed moose fool you!).
Thanks and hope you'll be visiting the ranch often,
Pauline
 
Greenhorn
Posts: 12
Make sure that your LDAP server does not allow anonymous binds, otherwise everybody will be logging in to your application.
Your problem is no longer related to Java; it's now related to the LDAP setup.
 
Greenhorn
Posts: 9
hi,

You have copied a part of your login-config.xml file, but could you explain to me the meaning of this:
"application-policy name",

this:
"login-module code",

and this:
"module-option name".


Thanks for your help

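The two open questions above, what the login-config.xml elements mean and why a user with no password gets in, have the same answer in JAAS terms, so one added example covers both. It is not code from the thread or from JBoss; the class name, the "minPasswordLength" option and the constructed sample credentials are my own. An <application-policy name="..."> is the entry name a LoginContext looks up, each <login-module code="..." flag="..."> becomes one AppConfigurationEntry (class name, control flag, options), and every <module-option name="k">v</module-option> is one entry in the options map handed to the module's initialize(). The empty-password symptom arises because an LDAP simple bind that carries a DN but no password is an "unauthenticated" bind (RFC 4513 section 5.1.2), which many servers answer with success as an anonymous session; a small LoginModule stacked in front of the LdapLoginModule stops that input before any bind is attempted.

```java
// Added example: a guard LoginModule that refuses empty passwords, plus a
// programmatic Configuration mirroring the login-config.xml structure.
// Class name and option name are hypothetical (not JBoss's own).
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class NonEmptyPasswordLoginModule implements LoginModule {
    private CallbackHandler handler;
    private int minLength;

    // Every <module-option name="..."> value arrives here in the options map, as a String.
    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        Object min = options.get("minPasswordLength");          // hypothetical option name
        this.minLength = (min == null) ? 1 : Integer.parseInt(min.toString());
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("Username: ");
        PasswordCallback pass = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] { name, pass });
        } catch (Exception e) {
            throw new LoginException("could not collect credentials: " + e.getMessage());
        }
        char[] pw = pass.getPassword();                          // returns a clone
        try {
            if (name.getName() == null || name.getName().isEmpty()) {
                throw new FailedLoginException("empty username");
            }
            // An empty password must never reach the LDAP bind: with a DN and no
            // password the bind is "unauthenticated" and may succeed as anonymous.
            if (pw == null || pw.length < minLength) {
                throw new FailedLoginException("password shorter than " + minLength + " characters");
            }
            return true;
        } finally {
            if (pw != null) Arrays.fill(pw, '\0');
            pass.clearPassword();
        }
    }

    @Override public boolean commit() { return true; }
    @Override public boolean abort()  { return true; }
    @Override public boolean logout() { return true; }

    /**
     * Programmatic form of <application-policy name="AdminRealm">: the guard first,
     * then any further modules (e.g. org.jboss.security.auth.spi.LdapLoginModule).
     * REQUISITE on the guard means a failure stops the stack immediately; with
     * REQUIRED, JAAS would still call the next module's login() and bind to LDAP.
     */
    static Configuration adminRealm(String... furtherModuleClasses) {
        Map<String, String> guardOptions = new HashMap<>();
        guardOptions.put("minPasswordLength", "1");               // <module-option name="minPasswordLength">1
        AppConfigurationEntry[] stack = new AppConfigurationEntry[1 + furtherModuleClasses.length];
        stack[0] = new AppConfigurationEntry(NonEmptyPasswordLoginModule.class.getName(),
                                             LoginModuleControlFlag.REQUISITE, guardOptions);
        for (int i = 0; i < furtherModuleClasses.length; i++) {   // each = one <login-module code="...">
            stack[i + 1] = new AppConfigurationEntry(furtherModuleClasses[i],
                                                     LoginModuleControlFlag.REQUIRED, new HashMap<String, String>());
        }
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "AdminRealm".equals(name) ? stack.clone() : null;   // the application-policy name
            }
        };
    }

    /** Returns true when the AdminRealm stack accepts the credentials. */
    static boolean attempt(Configuration cfg, String user, char[] password) {
        CallbackHandler cb = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
            }
        };
        try {
            new LoginContext("AdminRealm", new Subject(), cb, cfg).login();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Configuration cfg = adminRealm();   // stand-alone run: guard only, no LDAP module
        System.out.println("empty password accepted: " + attempt(cfg, "jdoe", new char[0]));
        System.out.println("non-empty password passes guard: " + attempt(cfg, "jdoe", "s3cret".toCharArray()));
    }
}
```

In the XML this is a second <login-module> with flag="requisite" placed before the LdapLoginModule inside the same <application-policy>; the class has to be on the server's classpath for JBoss to instantiate it, and where that jar goes is not covered by the thread. The guard does not replace a server-side fix: OpenLDAP's slapd.conf has a `disallow bind_anon_dn` directive that rejects binds carrying a DN but no credentials, which is what the reply about anonymous binds above is pointing at.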
 
Aurelien Faillon
Greenhorn
Posts: 9
please... help me...

I can't find the meaning of this syntax anywhere, and I have to know it to complete my project.

I pray for your answer to the one-eyed moose...
 
Aurelien Faillon
Greenhorn
Posts: 9
why won't you reply?

you don't like me? oohh I'm a disliked guy... ;(

please... help...
 
Greenhorn
Posts: 1
I'm very much a newbie at LDAP.
What is the simplest LDAP schema to make LdapLoginModule work well?
Thanks a lot
 