marc fleury wrote:
mf> FYI, daniel who is full time on the project will work on security.
mf> let's nail it
Count me in, too. I am going to dedicate several days to adding a JAAS layer
over the current security infrastructure.
My plan follows.
Here is a scenario for using JAAS with jBoss for password-based
authentication that I thought out after meditating on the JAAS
documentation. Of course, it can be used with JDK 1.3 only.
I don't know if this scenario can be used with SSL, but I hope so.
BTW, the latest JAAS license from SUN allows a redistribution.
In order to make clear who provides what, jBoss components have the
prefix "j", while components provided by the jBoss user
(application-specific) have the prefix "u".
Sample and simple jBoss user components will either be provided in the
jBoss distribution or described in the documentation.
The entire login/logout process consists of two stages:
client JAAS login/logout and server JAAS login/logout.
Stage 1: Client
=== login ===
(1) Client application instantiates uLoginContext that is configured
to use jLoginModule, and provides uCallBackHandler.
(2) uLoginContext initializes jLoginModule with uCallBackHandler
(3) jLoginModule obtains user name and password from uCallBackHandler
and stores them in jBoss SecurityAssociation static variables
(user name as principal, password as credential).
It is recommended to encrypt the password (say, by MD5) in
uCallBackHandler.
(4) jLoginModule sends the login notification to jBoss.
=== logout ===
(5) On logout the client application calls uLoginContext.logout()
(6) uLoginContext calls jLoginModule.logout()
(7) jLoginModule sends the logout notification to jBoss
uClient_app   uLoginContext  jLoginModule   uCallBackHandler      jBoss
     |----(1)------>|              |                |               |
     |              |----(2)------>|                |               |
     |              |              |----(3)-------->|               |
     |              |              |-------------(4)--------------->|
     |----(5)------>|              |                |               |
     |              |----(6)------>|                |               |
     |              |              |-------------(7)--------------->|
Stage 2: Server
=== login ===
(1) On login notification from jLoginModule on client or on the first
access to a bean (depending on what happens earlier) jBoss
instantiates jCallbackHandler with user name and password
(2) and instantiates jLoginContext with jCallbackHandler
(3) jLoginContext initializes uLoginModule
(4) uLoginModule calls jCallbackHandler to get user name and password
and performs authentication, e.g. using database.
On success uLoginModule stores the set of user roles in the Subject as
a set of public credentials (Strings)
and the user name for beans as a Principal, so that the user name for
beans may differ from the user name that comes from the client
(I assume that the uLoginModule for the given bean may be specified in
jboss.xml, otherwise the default uLoginModule specified by
the configuration file auth.conf is taken).
After the successful login jBoss stores jLoginContext in the pool
of successful logins.
=== logout ===
(5) On logout notification from jLoginModule on client jBoss removes
jLoginModule from the pool of successful logins
(6) jBoss calls jLoginContext.logout()
(7) jLoginContext calls uLoginModule.logout(), uLoginModule may use
this call for audit needs.
jLoginModule      jBoss      jLoginContext   uLoginModule   jCallbackHandler
      |---(1)------>|              |               |                |
      |             |----(2)------>|               |                |
      |             |              |----(3)------->|                |
      |             |              |               |----(4)-------->|
      |---(5)------>|              |               |                |
      |             |----(6)------>|               |                |
      |             |              |----(7)------->|                |
Comments are appreciated.
Best regards,
Oleg
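Added example, not code from the post or from jBoss: a self-contained Java program that walks the scenario above end to end. To keep it short, one LoginModule plays both jLoginModule (it obtains the name and password from the CallbackHandler, Stage 1 step (3)) and uLoginModule (it verifies them and populates the Subject with the user name as a Principal and the roles as String public credentials, Stage 2 step (4)); a lambda stands in for uCallBackHandler, and a programmatic Configuration replaces the auth.conf file. All class and method names (JaasLoginDemo, DemoLoginModule, UserPrincipal, fixedHandler, attempt), the application name "demo", and the user table with alice's password and roles are constructed for the example. It assumes a current JDK (Map.of and Set.of need Java 9 or later), not the JDK 1.3 the post targets, and runs with javac JaasLoginDemo.java && java JaasLoginDemo.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Added example, not jBoss code: one JAAS login/logout round trip, end to end. */
public class JaasLoginDemo {
    // Constructed sample user table; stands in for the database lookup of Stage 2, step (4).
    static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
    static final Map<String, Set<String>> ROLES = Map.of("alice", Set.of("Manager", "Employee"));

    public static final class UserPrincipal implements Principal {   // the "user name for beans"
        private final String name;
        UserPrincipal(String n) { name = n; }
        public String getName() { return name; }
    }

    /** Plays both jLoginModule (collects credentials via callbacks) and uLoginModule (verifies them). */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;   // set only once login() has succeeded
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }

        // Phase 1: get name/password through the CallbackHandler and check them. The Subject is not
        // touched yet, so another REQUIRED module in the same stack can still veto the login.
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user name: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException("no credentials: " + e); }
            String name = nc.getName();
            char[] pw = pc.getPassword();   // our own copy; the callback's copy is cleared next
            pc.clearPassword();
            try {
                String expected = name == null ? null : PASSWORDS.get(name);
                byte[] want = (expected == null ? "no-such-user" : expected).getBytes(StandardCharsets.UTF_8);
                byte[] given = new String(pw == null ? new char[0] : pw).getBytes(StandardCharsets.UTF_8);
                // isEqual is constant-time; the dummy value keeps unknown users from being rejected faster.
                if (!MessageDigest.isEqual(want, given) || expected == null)
                    throw new FailedLoginException("bad user name or password");
            } finally {
                if (pw != null) Arrays.fill(pw, '\0');   // do not leave the password in the heap
            }
            user = name;
            return true;
        }

        // Phase 2: every module succeeded; store the user name as a Principal and the roles as
        // String public credentials, the layout the post describes for uLoginModule.
        public boolean commit() {
            if (user == null) return false;
            subject.getPrincipals().add(new UserPrincipal(user));
            subject.getPublicCredentials().addAll(ROLES.getOrDefault(user, Set.of()));
            return true;
        }
        public boolean abort() { return logout(); }
        public boolean logout() {   // Stage 2 step (7): strip what commit() added
            subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal);
            subject.getPublicCredentials().removeIf(c -> c instanceof String);
            user = null;
            return true;
        }
    }

    /** uCallBackHandler equivalent: answers the module's callbacks from caller-supplied values. */
    static CallbackHandler fixedHandler(String name, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Programmatic stand-in for auth.conf: application "demo" uses one REQUIRED module. */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
        }
    };

    /** Logs in and out again; returns the roles the Subject held in between (empty when rejected). */
    static Set<Object> attempt(String name, String password) throws LoginException {
        Subject subject = new Subject();
        LoginContext lc = new LoginContext("demo", subject, fixedHandler(name, password.toCharArray()), CONFIG);
        try { lc.login(); } catch (LoginException e) { return Set.of(); }   // login(), then commit(); abort() on failure
        Set<Object> roles = new HashSet<>(subject.getPublicCredentials());
        lc.logout();          // Stage 2 steps (6)-(7); the Subject is empty again afterwards
        return roles;
    }

    public static void main(String[] args) throws Exception {
        for (String[] c : new String[][] {{"alice", "s3cret"}, {"alice", "wrong"}, {"mallory", "x"}})
            System.out.println(c[0] + "/" + c[1] + " -> roles " + attempt(c[0], c[1]));
    }
}
```

Two points worth carrying into a real uLoginModule: the password is compared with MessageDigest.isEqual against a dummy value for unknown users, so neither the secret's length nor the account's existence shows up in response timing, and the char[] copy is wiped in a finally block whatever the outcome. The plaintext table is only a stand-in; a production module would hold salted password hashes. Note also that JAAS calls commit() only after every module in the stack has passed login(), which is why the Subject is populated there and not in login().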