Hi,

I would suggest writing it yourself. As a starting point, just download the source of 
4.0.0DR4 and take CertRolesLoginModule and AbstractCertLoginModule. Try to backport 
them to run in 3.2.3.

The info is from the sources. I had to write a similar LoginModule for 3.2.1. My 
source is not that nice but it works for me:

  | package test;
  | 
  | import org.jboss.security.auth.spi.AbstractServerLoginModule;
  | import javax.security.auth.Subject;
  | import javax.security.auth.callback.*;
  | import javax.security.auth.login.*;
  | import java.util.Map;
  | import java.security.acl.Group;
  | import java.security.Principal;
  | import org.jboss.security.SimplePrincipal;
  | import org.jboss.security.SimpleGroup;
  | import java.security.cert.*;
  | import java.security.cert.*;
  | import org.apache.log4j.Logger;
  | 
  | /**
  |  * ClientCertificateLoginModule<br>
  |  * Login Module which checks the supplied certificate<br>
  |  * <br>
  |  * Usage within login-config.xml:<br>
  |  * <pre>
  |  *   <application-policy name = "cc">
  |  *      <authentication>
  |  *         <login-module code = "test.ClientCertificateLoginModule"
  |  *            flag = "required">
  |  *            <module-option name = "unauthenticatedIdentity">test</module-option>
  |  *         </login-module>
  |  *      </authentication>
  |  *   </application-policy>
  |  * </pre>
  |  * <pre>
  |  * </pre>
  |  * <p>Copyright (c) 2002 SoftSolution EDV GmbH</p>
  |  */
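  public class ClientCertificateLoginModule extends AbstractServerLoginModule
  {
    /** Shared-state key under which the caller's name is published (JAAS convention). */
    private static final String NAME_KEY = "javax.security.auth.login.name";
    /** Shared-state key under which the credential (the certificate chain) is published. */
    private static final String PASSWORD_KEY = "javax.security.auth.login.password";
    /** Module option naming the principal used when no certificate is presented. */
    private static final String UNAUTHENTICATED_IDENTITY_OPTION = "unauthenticatedIdentity";
    /** Role granted to callers that were authenticated by a certificate. */
    private static final String USER_ROLE = "User";

    /** Principal established by {@link #login()}; null until a login succeeded. */
    private Principal identity;
    /** True only when {@link #identity} was derived from a certificate that passed the checks. */
    private boolean certificateAuthenticated;
    /** Failure recorded by {@link #initialize} while querying the callback handler; null if none. */
    private Exception callbackFailure;

    /**
     * Initializes the module and asks the callback handler for the caller's name
     * and certificate chain, publishing both in the shared state under the
     * standard JAAS keys so that stacked modules can reuse them.
     * <p>
     * A failure of the callback handler is remembered and makes {@link #login()}
     * fail instead of silently falling back to the unauthenticated identity.
     *
     * @param subject         the subject being authenticated
     * @param callbackHandler handler expected to support NameCallback and ObjectCallback
     * @param sharedState     state shared between stacked login modules
     * @param options         module options from login-config.xml
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map sharedState, Map options)
    {
      super.initialize(subject, callbackHandler, sharedState, options);
      identity = null;
      certificateAuthenticated = false;
      callbackFailure = null;

      if( log.isDebugEnabled() )
      {
        log.debug("initialize");
        log.debug("subject=" + subject);
        log.debug("callbackHandler=" + callbackHandler);
        // Only the keys: the shared state carries the credentials of stacked modules.
        log.debug("sharedState keys=" + (sharedState == null ? null : sharedState.keySet()));
        log.debug("options=" + options);
      }

      NameCallback nameCb = new NameCallback("Name");
      org.jboss.security.auth.callback.ObjectCallback objCb =
          new org.jboss.security.auth.callback.ObjectCallback("Certificate Chain");
      Callback[] cbs = new Callback[] { nameCb, objCb };

      try
      {
        // Get the name and the certificates from the callback handler
        callbackHandler.handle(cbs);
        this.sharedState.put(NAME_KEY, nameCb.getName());
        this.sharedState.put(PASSWORD_KEY, objCb.getCredential());
      }
      catch( Exception e )
      {
        // Kept broad on purpose (handlers may throw unchecked exceptions);
        // the failure is recorded so that login() can fail closed.
        log.error("Exception in initializing LoginModule", e);
        callbackFailure = e;
      }
    }

    /**
     * Authenticates the caller from the certificate chain obtained in
     * {@link #initialize}.
     * <p>
     * Only the validity period of the end-entity certificate is checked here;
     * the chain is NOT verified against a trust store, so this module relies on
     * the transport (SSL client authentication) having already established that
     * the certificate is trusted. The principal name is the subject's CN, or the
     * whole subject DN when the subject has no CN.
     * <p>
     * When no certificate was presented, the {@code unauthenticatedIdentity}
     * option names the principal; if that option is absent, login fails rather
     * than creating a principal named "null".
     *
     * @return true if login succeeded
     * @throws LoginException if the callback handler could not supply the
     *         credential, or if the credential is not an X.509 certificate (chain)
     */
    public boolean login() throws LoginException
    {
      identity = null;
      certificateAuthenticated = false;
      loginOk = false;

      if( callbackFailure != null )
      {
        throw new LoginException("Unable to obtain the client certificate chain: "
            + callbackFailure);
      }

      X509Certificate[] certs = toCertificateChain(sharedState.get(PASSWORD_KEY));

      if( certs == null )
      {
        // No certificate presented: fall back to the configured identity, if any.
        Object unauthenticated = options.get(UNAUTHENTICATED_IDENTITY_OPTION);
        if( unauthenticated == null )
        {
          log.info("No certificate presented and no unauthenticatedIdentity configured");
        }
        else
        {
          identity = new SimplePrincipal(String.valueOf(unauthenticated));
          loginOk = true;
        }
      }
      else
      {
        X509Certificate cert = certs[0];
        try
        {
          cert.checkValidity();
          identity = new SimplePrincipal(principalNameFor(cert));
          certificateAuthenticated = true;
          loginOk = true;
        }
        catch( CertificateException ex )
        {
          // Covers both CertificateExpiredException and CertificateNotYetValidException.
          log.info("Certificate not within its validity period: " + cert.getSubjectDN(), ex);
        }
      }

      if( log.isDebugEnabled() )
      {
        log.debug("login ok=" + loginOk + " principal=" + identity);
      }

      return loginOk;
    }

    /**
     * Normalizes the credential published in the shared state to a certificate chain.
     *
     * @param credential the value stored under {@link #PASSWORD_KEY}; may be null
     * @return the chain, or null when no certificate was presented (null or empty credential)
     * @throws LoginException if the credential is neither null nor an X.509 certificate (chain)
     */
    private static X509Certificate[] toCertificateChain(Object credential) throws LoginException
    {
      if( credential == null )
      {
        return null;
      }
      if( credential instanceof X509Certificate[] )
      {
        X509Certificate[] chain = (X509Certificate[]) credential;
        // An empty chain carries no identity; treat it like an absent certificate.
        return chain.length == 0 ? null : chain;
      }
      if( credential instanceof X509Certificate )
      {
        return new X509Certificate[] { (X509Certificate) credential };
      }
      throw new LoginException("Credential is not an X.509 certificate chain: "
          + credential.getClass().getName());
    }

    /**
     * Derives the principal name from the certificate subject: the CN attribute
     * value when present and non-empty, otherwise the whole subject DN string.
     *
     * @param cert the end-entity certificate
     * @return the principal name
     */
    private static String principalNameFor(X509Certificate cert)
    {
      String subject = String.valueOf(cert.getSubjectDN());
      String cn = extractCommonName(subject);
      return (cn == null || cn.length() == 0) ? subject : cn;
    }

    /**
     * Extracts the value of the first CN attribute from a DN string in
     * RFC 1779/2253 form ("CN=Jane Doe, OU=Dev, O=Example").
     * <p>
     * Attributes are split only at unescaped, unquoted separators (',', ';' or '+'),
     * and "CN=" must start an attribute, so a CN containing an escaped comma or an
     * attribute value that merely contains the text "CN=" is handled correctly.
     * Hex escapes (\XX) are not decoded.
     *
     * @param dn the distinguished name; may be null
     * @return the unescaped CN value, or null when the DN has no CN attribute
     */
    static String extractCommonName(String dn)
    {
      if( dn == null )
      {
        return null;
      }
      int length = dn.length();
      int start = 0;
      while( start < length )
      {
        int end = start;
        boolean quoted = false;
        while( end < length )
        {
          char c = dn.charAt(end);
          if( c == '\\' )
          {
            end += 2;               // skip the escaped character
            continue;
          }
          if( c == '"' )
          {
            quoted = !quoted;
          }
          else if( !quoted && (c == ',' || c == ';' || c == '+') )
          {
            break;
          }
          end++;
        }
        if( end > length )
        {
          end = length;             // DN ended with a lone backslash
        }
        String attribute = dn.substring(start, end).trim();
        if( attribute.regionMatches(true, 0, "CN=", 0, 3) )
        {
          return unescapeDnValue(attribute.substring(3).trim());
        }
        start = end + 1;
      }
      return null;
    }

    /**
     * Removes RFC 1779 surrounding quotes and backslash escapes from an attribute value.
     *
     * @param value the raw attribute value
     * @return the literal value
     */
    private static String unescapeDnValue(String value)
    {
      String inner = value;
      int n = inner.length();
      if( n >= 2 && inner.charAt(0) == '"' && inner.charAt(n - 1) == '"' )
      {
        inner = inner.substring(1, n - 1);
      }
      StringBuffer out = new StringBuffer(inner.length());
      for( int i = 0; i < inner.length(); i++ )
      {
        char c = inner.charAt(i);
        if( c == '\\' && i + 1 < inner.length() )
        {
          c = inner.charAt(++i);    // keep the escaped character literally
        }
        out.append(c);
      }
      return out.toString();
    }

    /**
     * Returns the role sets for the authenticated identity.
     * <p>
     * Only a caller authenticated by a certificate is placed in the "Roles" group
     * as "User"; the unauthenticated identity receives an empty Roles group, so
     * the certificate check actually gates access. Replace the fixed role with a
     * lookup appropriate to the deployment.
     *
     * @return a single "Roles" group
     */
    public Group[] getRoleSets()
    {
      SimpleGroup roles = new SimpleGroup("Roles");
      if( certificateAuthenticated )
      {
        roles.addMember(new SimplePrincipal(USER_ROLE));
      }
      return new Group[] { roles };
    }

    /**
     * @return the principal established by {@link #login()}, or null if login did not succeed
     */
    public Principal getIdentity()
    {
      return identity;
    }
  }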
  | 

Put it into your ejb.jar and add the lines to login-config.xml. That's all.

I hope my example helps. Just add the logic to get the correct roles. My example only 
checks whether the certificate is valid. Play around and have fun with it.

Didi



