JBOSS LdapLoginModule authentication. Help needed for code to use LoginContext

 
Greenhorn
Posts: 2
Hi,
I have done the configurations in JBoss (version jboss-4.0.3SP1) to use LdapLoginModule authentication as mentioned below. I have set up a test LDAP server using OpenLDAP and added the entries mentioned below. The problem is that even if I don't start the LDAP server it still authenticates for the correct username & password, but if I give a wrong password it gives a LoginException. So I am not able to find out against what it is trying to match the username/password if my LDAP server is not running.

1. "sample.ldif" file to add entries in the LDAP DB (data is stored in the bdb file in the OpenLDAP server)

dn: dc=sample,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
objectClass: domainRelatedObject
objectClass: dcObject
associatedDomain: sample.com
o: sample
dc: sample
description: Sample International - Specialist Providers of Widgets
postalAddress: empty
telephoneNumber: +44 00000000

dn: cn=Directory Manager,dc=sample,dc=com
objectClass: top
objectClass: organizationalRole
objectClass: OpenLDAPdisplayableObject
objectClass: labeledURIObject
cn: Directory Manager
cn: Manager
cn: Directory Administrator
cn: Administrator
displayName: Directory Manager
roleOccupant: uid=lrussell,ou=People,dc=sample,dc=com
labeledURI: mailto irectorymanager@sample.com Directory Manager
seeAlso: dc=sample,dc=com
description: Manages the OpenLDAP directories

dn: ou=People,dc=sample,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=sample,dc=com
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: ou=Roles,dc=sample,dc=com
ou: Roles
objectClass: top
objectClass: organizationalUnit

dn: uid=lrussell,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Russell
cn: Luc
uid: lrussell
userpassword: fgCPCzLOHJSRIhLb756rLfe8E7Y=
mail: lrussell@sample.com

dn: uid=jbloggs,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Bloggs
cn: Joe
uid: jbloggs
userpassword: no3XJAZeeb9AKbGNY65/masWpZE=
mail: jbloggs@sample.com

dn: uid=fsmith,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Smith
cn: Fred
uid: fsmith
userpassword: kSgNNHCC/WXSjWH3s11BQNE6cKE=
mail: fsmith@sample.com

dn: cn=Users,ou=Groups,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Users
uniqueMember: uid=jbloggs,ou=People,dc=sample,dc=com
uniqueMember: uid=fsmith,ou=People,dc=sample,dc=com

dn: cn=Member_admins,ou=Groups,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Member_admins
uniqueMember: uid=lrussell,ou=People,dc=sample,dc=com

dn: cn=Everyone,ou=Groups,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Everyone
uniqueMember: uid=jbloggs,ou=People,dc=sample,dc=com
uniqueMember: uid=fsmith,ou=People,dc=sample,dc=com
uniqueMember: uid=lrussell,ou=People,dc=sample,dc=com

dn: cn=Authenticated_users,ou=Roles,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Authenticated_users
uniqueMember: cn=Everyone,ou=Groups,dc=sample,dc=com

dn: cn=Member_admin,ou=Roles,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Member_admin
uniqueMember: cn=Member_admins,ou=Groups,dc=sample,dc=com

2. "login-config.xml"

<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
"-//JBoss//DTD JBOSS Security Config 3.0//EN"
"http://www.jboss.org/j2ee/dtd/security_config.dtd">

<!-- The XML based JAAS login configuration read by the
org.jboss.security.auth.login.XMLLoginConfig mbean. Add
an application-policy element for each security domain.

The outline of the application-policy is:
<application-policy name="security-domain-name">
<authentication>
<login-module code="login.module1.class.name" flag="control_flag">
<module-option name = "option1-name">option1-value</module-option>
<module-option name = "option2-name">option2-value</module-option>
...
</login-module>

<login-module code="login.module2.class.name" flag="control_flag">
...
</login-module>
...
</authentication>
</application-policy>

-->

<policy>
<!-- Used by clients within the application server VM such as
mbeans and servlets that access EJBs.
-->
<application-policy name="client-login">
<authentication>
<login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
</authentication>
</application-policy>

<!-- Security domain for JBossMQ -->
<application-policy name = "jbossmq">
<authentication>
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">guest</module-option>
<module-option name = "dsJndiName">java:/DefaultDS</module-option>
<module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
<module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
</login-module>
</authentication>
</application-policy>

<!-- Security domain for JBossMQ when using file-state-service.xml
<application-policy name = "jbossmq">
<authentication>
<login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">guest</module-option>
<module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
</login-module>
</authentication>
</application-policy>
-->

<!-- Security domains for testing new jca framework -->
<application-policy name = "HsqlDbRealm">
<authentication>
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">sa</module-option>
<module-option name = "userName">sa</module-option>
<module-option name = "password"></module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
</login-module>
</authentication>
</application-policy>

<application-policy name = "JmsXARealm">
<authentication>
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">guest</module-option>
<module-option name = "userName">guest</module-option>
<module-option name = "password">guest</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
</login-module>
</authentication>
</application-policy>

<!-- A template configuration for the jmx-console web application. This
defaults to the UsersRolesLoginModule the same as other and should be
changed to a stronger authentication mechanism as required.
-->
<application-policy name = "jmx-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
</login-module>
</authentication>
</application-policy>

<application-policy name="sample_web_client_security">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="java.naming.security.principal">cn=Directory Manager,dc=sample,dc=com</module-option>
<module-option name="java.naming.security.credentials">secret</module-option>
<module-option name="principalDNPrefix">uid=</module-option>
<module-option name="principalDNSuffix">,ou=People,dc=sample,dc=com</module-option>
<module-option name="uidAttributeID">uniqueMember</module-option>
<module-option name="rolesCtxDN">cn=Directory Manager,dc=sample,dc=com</module-option>
<module-option name="roleAttributeID">cn</module-option>
<module-option name="matchOnUserDN">false</module-option>
</login-module>
</authentication>
</application-policy>

<!-- The default login configuration used by any security domain that
does not have an application-policy entry with a matching name
-->
<application-policy name = "other">
<!-- A simple server login module, which can be used when the number
of users is relatively small. It uses two properties files:
users.properties, which holds users (key) and their password (value).
roles.properties, which holds users (key) and a comma-separated list of
their roles (value).
The unauthenticatedIdentity property defines the name of the principal
that will be used when a null username and password are presented as is
the case for an unauthenticated web client or MDB. If you want to
allow such users to be authenticated add the property, e.g.,
unauthenticatedIdentity="nobody"
-->
<authentication>
<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" />
</authentication>
</application-policy>

</policy>

3. Code used to supply the authentication info.

// Imports needed by the method below (JBoss 4.x client-side JAAS types).
import java.security.MessageDigest;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.callback.UsernamePasswordHandler;
import sun.misc.BASE64Encoder;

// UserVO, userDelegate and log are the poster's own application classes/fields.
public synchronized UserVO authenticate(
final String userId, final String password)
throws Exception {

UserVO userVO = null;
try {
// The password is hashed and base64-encoded here, on the caller's side,
// before it is handed to the login module as the credential.
MessageDigest d = java.security.MessageDigest.getInstance("SHA-1");
d.reset();
d.update(password.getBytes());
BASE64Encoder encoder = new BASE64Encoder();
String digestedPwdString = new String(encoder.encode(d.digest()));
System.out.println("encoder -------- >> "+digestedPwdString);
// Callback handler answering NameCallback/PasswordCallback for the login module.
UsernamePasswordHandler handler =
new UsernamePasswordHandler(userId.toLowerCase(),
digestedPwdString.toCharArray());
// "sample_web_client_security" must match an application-policy in login-config.xml.
LoginContext loginContext =
new LoginContext("sample_web_client_security", handler);
loginContext.login();
/*
* Login successful: - Get the subject - Get the principals list -
* Add the current principal
*/
Subject subject = loginContext.getSubject();
Set principals = subject.getPrincipals();
SimplePrincipal user = new SimplePrincipal(userId.toLowerCase());
principals.add(user);

/*
* Fetch the user from the database.
*/
userVO = userDelegate.getUserByNetworkId(userId);

}
catch (final LoginException ex) {
this.log.error(ex.getMessage(), ex);
System.out.println(ex.getMessage());
ex.printStackTrace();
throw ex;

} catch (final Exception ex) {

System.out.println(ex.getMessage());
ex.printStackTrace();
throw ex;
}
return userVO;
}

Please let me know if I have missed out something in the configurations. Also, is the code used for authentication in step 3 correct or not? Is it required to add a login module entry in the auth.conf file under the JBoss folder?
 
Sheriff
Posts: 10445
Have you mentioned the security domain element in your jboss-web.xml?
 
shilpee khare
Greenhorn
Posts: 2
Hi, thanks for replying.
Yes, I added it in jboss-web.xml. Forgot to mention.

I am facing a new problem now. I am not able to access my login.jsp page. It gives a configuration error: can't authenticate against null principal.

In the code I posted, after successful login, the way I am adding the user to the principals, I am not sure whether it's correct or not.

Please let me know how to add the principal.
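The following is an added example written for this thread; it is not the poster's code and not JBoss's own implementation. It answers two things the thread asks about: the step 3 code in the first post (how a LoginContext, a callback handler and the login module fit together) and the last question (how the principal gets into the Subject). It replaces LdapLoginModule with a small in-memory LoginModule and replaces login-config.xml with a programmatic javax.security.auth.login.Configuration, so it runs without a server; the class names JaasLoginDemo, UserPrincipal, InMemoryShaLoginModule, the credentials() helper, the user "jbloggs" and its password are all constructed for the example. Two points the thread's code does differently are visible here: the principal is added by the LoginModule in commit(), not by the caller after login(), and the cleartext password goes to the verifying side, which hashes and compares it itself (that is also how an LDAP simple bind against a {SHA} userPassword works).

```java
// Added example, not code from the thread or from JBoss: a complete JAAS login round
// trip through a programmatic Configuration and an in-memory LoginModule.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasLoginDemo {

    /** Hypothetical principal type; the LoginModule adds it to the Subject in commit(). */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Plays the role of UsernamePasswordHandler: answers callbacks with the cleartext credentials. */
    static CallbackHandler credentials(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Stand-in for LdapLoginModule: checks a {SHA} store and populates the Subject. */
    public static final class InMemoryShaLoginModule implements LoginModule {
        // Constructed store: uid -> userPassword as OpenLDAP keeps it, "{SHA}" + base64(SHA-1(cleartext)).
        private static final Map<String, String> STORE = new HashMap<>();
        static { STORE.put("jbloggs", "{SHA}" + shaBase64("correct horse")); }
        private Subject subject; private CallbackHandler handler;
        private String user; private boolean succeeded;

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
            String stored = STORE.get(nc.getName());
            String presented = "{SHA}" + shaBase64(new String(pc.getPassword()));
            pc.clearPassword();
            // The verifying side hashes the cleartext it received and compares in constant
            // time; the caller never pre-hashes. An unknown user takes the same failure path.
            boolean match = stored != null && MessageDigest.isEqual(
                    stored.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
            if (!match) throw new LoginException("bad user name or password");
            user = nc.getName();
            succeeded = true;
            return true;
        }

        // commit() is where the authenticated identity enters the Subject.
        @Override public boolean commit() {
            if (succeeded) subject.getPrincipals().add(new UserPrincipal(user));
            return succeeded;
        }
        @Override public boolean abort() { succeeded = false; user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); return true; }
    }

    /** base64(SHA-1(cleartext)): the part after the {SHA} prefix of an OpenLDAP userPassword. */
    static String shaBase64(String cleartext) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1").digest(cleartext.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    /** Programmatic equivalent of one application-policy entry in login-config.xml. */
    static Configuration configurationFor(String domain) {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!domain.equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        InMemoryShaLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = configurationFor("sample_web_client_security");
        LoginContext ok = new LoginContext("sample_web_client_security", new Subject(),
                credentials("jbloggs", "correct horse".toCharArray()), cfg);
        ok.login();   // on success the Subject already carries the principal
        for (Principal p : ok.getSubject().getPrincipals()) System.out.println("principal: " + p.getName());
        try {         // wrong password: LoginException from login()
            new LoginContext("sample_web_client_security", new Subject(),
                    credentials("jbloggs", "wrong".toCharArray()), cfg).login();
        } catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Compile and run with javac JaasLoginDemo.java && java JaasLoginDemo (JDK 8 or later; no JBoss jars are needed). Inside JBoss the Configuration object is supplied by the server from login-config.xml, so the two-argument LoginContext(String, CallbackHandler) constructor from the posted code is the right one there; the four-argument form is used here only so the example is self-contained. The LoginModule's commit() is the place that populates the Subject, which is why the posted code does not need to add a SimplePrincipal itself after login() returns.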
 