anonymous wrote :

Here's some background, in the hopes that it'll help the discussion. The U.S. Army has a centralized user database called AKO, published as an LDAP directory. We allow anyone with an AKO account to access our application. But we can't rely on this alone -- we will have many non-Army users without AKO accounts, and since we of course do not have direct control over the AKO database, we have to also maintain our own database of locally-added users.

When a user visits the login form, then, after typing in a username and password they have to specify whether they're trying to log in with a "local" account (in our local database) or an AKO account. This way we know where to look for the user's password: either in the database, or over LDAP.

In another twist, our application is geared to allow the creation of "one-time passwords." When using a one-time password, a client can provide a key and the password rather than a username and the "real" password.

So clearly I need to pass more information to the server-side login modules. It's my (perhaps incorrect?) understanding that ClientLoginModule (and, in turn, SecurityAssociation) only accept two strings: username and password. They take this information and store it internally so that any future RMI calls are loaded. Then JBoss' RMI code on the server side extracts the username and password, creates a UsernamePasswordHandler and starts the JAAS chain.

So, on the client side, how would I tell the JBoss client library "hey, I need to pass not only this username and this password, but also this extra third string, over to the server next time I make an RMI call?" And then how would I reconstruct that information at the server?

I can suggest the following:
1) Client Login Module totally compliant to JAAS and accepting any variant of identification according to your requirements.

2) You need to implement the corresponding server side module/component for this Client Login Module. This module (let's call it Identification Module) can accept your variants of identification, is able to work with LDAP or a local database, etc. The mechanism of identification is asymmetric key exchange between your client and your server side. For example, see how the SRP login is implemented. By the end of identification, you will have the unique session key on both client and server sides. This session key will play the role of private credentials for the given user for this particular session. This session key (together with user identity) will be put by the Client Login Module into the JBoss SecurityAssociation.

3) When your client application is performing any business call (under a security domain), this information (user identity and session key) is automatically added.

4) The security interceptor on the server side gets this security information and asks the JAASSecurityManager for authentication and authorisation. During these processes the JAASSecurityManager tries to find the corresponding information in its security cache. Suppose there is no such information (this call is the first). So, the server side JAAS procedure is started.

5) You have to implement a server side login module, which will collaborate with the Identification Module, which has been implemented by you too, and now keeps the corresponding user identity and session key. So, during server side JAAS your login module will also be asked for authentication. After the successful authentication, the user identity, session key and the list of user roles are put into the security cache (in order to improve performance).

6) After the a12n the authorisation is passed.
The security interceptor fetches the list of roles for the given method call from the container and passes it to the JAASSecurityManager. The latter intersects the provided set of roles with the set of the user's roles from the security cache. If this set intersection is not empty, the a11n is passed. Sorry, it is not possible to provide more details in the forum. Scott, please, correct me if I wrote something wrong.

Alexander

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3841030#3841030
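A server-side JAAS module written for this thread as an added example (not JBoss's code and not the poster's): instead of extending the client/server transport, it lets the client encode the account source as a prefix on the user name, so the existing username/password callbacks carry the third value the question asks for. The realm names, the in-memory stores, and the rule that a one-time password is consumed on first use are constructed assumptions; the LDAP (AKO) checker is left out.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
/** Hypothetical server-side LoginModule (added example). The client prefixes the
 *  user name with the account source ("local:alice", "otp:KEY123"), so the ordinary
 *  name/password callbacks still carry the third value the question asks about. */
public class RealmSelectingLoginModule implements LoginModule {
    /** One verifier per realm; an LDAP (AKO) verifier would be registered the same way. */
    interface SecretChecker { boolean check(String id, char[] secret); }
    // Constructed sample stores. Real code keeps password hashes, not plaintext.
    static final Map<String, char[]> LOCAL = Map.of("alice", "s3cret".toCharArray());
    static final Map<String, char[]> ONE_TIME = new HashMap<>(Map.of("KEY123", "pw-once".toCharArray()));
    static final Map<String, SecretChecker> REALMS = Map.of(
        "local", (id, s) -> LOCAL.containsKey(id) && Arrays.equals(LOCAL.get(id), s),
        // a one-time password is deleted on first successful use so it cannot be replayed
        "otp", (id, s) -> ONE_TIME.containsKey(id) && Arrays.equals(ONE_TIME.get(id), s)
                         && ONE_TIME.remove(id) != null);
    /** Returns the accepted principal name, or null. Unknown realms fail closed. */
    static String verify(String qualified, char[] secret) {
        int i = qualified == null ? -1 : qualified.indexOf(':');
        if (i < 1 || secret == null) return null;
        SecretChecker checker = REALMS.get(qualified.substring(0, i));
        return checker != null && checker.check(qualified.substring(i + 1), secret) ? qualified : null;
    }
    private Subject subject; private CallbackHandler handler; private Principal identity;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("Realm-qualified user: ");
        PasswordCallback pc = new PasswordCallback("Secret: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
        String name = verify(nc.getName(), pc.getPassword());
        pc.clearPassword();   // do not leave the secret in the callback after checking it
        if (name == null) throw new FailedLoginException("unknown realm, user or bad secret");
        identity = () -> name;   // Principal has a single abstract method, getName()
        return true;
    }
    public boolean commit() { if (identity != null) subject.getPrincipals().add(identity); return identity != null; }
    public boolean abort()  { identity = null; return true; }
    public boolean logout() {
        if (identity != null) subject.getPrincipals().remove(identity);
        identity = null; return true;
    }
}
```

The module is registered in the server's login configuration like any other LoginModule; the client only has to send "realm:user" where it would otherwise send the bare user name.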