On Thu, Feb 13, 2014 at 12:45 PM, Tobias Bocanegra <tri...@apache.org> wrote:
> I don't quite follow. Can you give an example of what would be in the
> jaas.conf and where you instantiate the ProxyLoginModule?

A rough sketch would be ...

jaas.config
----
oakAuth {
    org.apache.jackrabbit.oak.security.ProxyLoginModule REQUIRED
        loginModuleFactoryClass="org.apache.jackrabbit.oak.security.LdapLoginModuleFactory"
        authIdentity="{USERNAME}"
        useSSL=false
        debug=true;
};
----

import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.spi.LoginModule;

public class ProxyLoginModule implements LoginModule {
    private LoginModule delegate;

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        // Obtain the factory provider from the outer layer through a callback
        LMFactoryProviderCallBack lmfcb = new LMFactoryProviderCallBack();
        try {
            callbackHandler.handle(new Callback[]{lmfcb});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new IllegalStateException("Unable to obtain the LoginModuleFactory provider", e);
        }
        LoginModuleFactory factory = lmfcb.getLoginModuleFactoryProvider()
                .getFactory((String) options.get("loginModuleFactoryClass"));
        delegate = factory.createLoginModule();
        delegate.initialize(subject, callbackHandler, sharedState, options);
    }
    ... //Use delegate for other operations
}

The flow would involve the following steps:

1. User mentions the ProxyLoginModule in the jaas entry and provides the
   factory class name in the config. JAAS logic would be instantiating the
   Proxy LM
2. Oak provides a callback using which the Proxy LM can obtain the factory
3. Upon init the proxy would initialize the delegate from the factory
4. The delegate is used for later calls
5. The LM, if required, can still use the config from jaas, or it is
   configured via the factory itself

Note here I preferred using the callback to get the LM access to the outer
layer services instead of using a custom config. The custom config mode works
fine in the standalone case where the application is the sole user of the JAAS
system. Hence it works fine for a Karaf/OSGi env. But that might not work
properly in an App server env where the app server itself uses jaas. So to
avoid interfering in embedded mode, the callback should be preferred.

Chetan Mehrotra
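
The callback side of steps 2 to 4, as an added example that is not part of the original message or of Oak's code: the host's CallbackHandler hands the proxy a registry of factories, and the delegate is resolved only from that registry. FactoryCallback, HostHandler, AcceptAll, resolveDelegate and the registry map are hypothetical names assumed for illustration; the second call in main shows a handler that does not know the callback, which surfaces as a LoginException.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
public class ProxyLoginDemo {
    // Hypothetical stand-ins for the factory and callback types named in the sketch.
    interface LoginModuleFactory { LoginModule createLoginModule(); }
    static class FactoryCallback implements Callback { Map<String, LoginModuleFactory> factories; }
    // Step 2: the handler owned by the embedding application answers the callback.
    static class HostHandler implements CallbackHandler {
        final Map<String, LoginModuleFactory> registry;
        HostHandler(Map<String, LoginModuleFactory> registry) { this.registry = registry; }
        public void handle(Callback[] cbs) throws UnsupportedCallbackException {
            for (Callback cb : cbs) {
                if (cb instanceof FactoryCallback) ((FactoryCallback) cb).factories = registry;
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }

    // Constructed delegate that accepts every login, used only to exercise the flow.
    static class AcceptAll implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> o) {}
        public boolean login() { return true; }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // Step 3: what the proxy's initialize() does before delegating.
    static LoginModule resolveDelegate(CallbackHandler handler, Map<String, ?> options) throws LoginException {
        FactoryCallback cb = new FactoryCallback();
        try { handler.handle(new Callback[] { cb }); }
        catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("handler cannot supply a factory: " + e);
        }
        // Only factories the host registered are usable; the configured name is never class-loaded.
        LoginModuleFactory f = cb.factories == null ? null : cb.factories.get(options.get("loginModuleFactoryClass"));
        if (f == null) throw new LoginException("no factory registered under the configured name");
        return f.createLoginModule();
    }

    public static void main(String[] args) throws Exception {
        String name = "org.apache.jackrabbit.oak.security.LdapLoginModuleFactory";
        Map<String, Object> options = Collections.singletonMap("loginModuleFactoryClass", name);
        Map<String, LoginModuleFactory> registry =
                Collections.<String, LoginModuleFactory>singletonMap(name, AcceptAll::new);
        System.out.println("delegate login: " + resolveDelegate(new HostHandler(registry), options).login());
        CallbackHandler foreign = cbs -> { throw new UnsupportedCallbackException(cbs[0]); };
        try { resolveDelegate(foreign, options); }
        catch (LoginException e) { System.out.println("foreign handler: " + e.getMessage()); }
    }
}
```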