On Thu, Feb 13, 2014 at 12:45 PM, Tobias Bocanegra <tri...@apache.org> wrote:
> I don't quite follow. can you give an example of what would be in the
> jaas.conf and where you instantiate the ProxyLoginModule ?

A rough sketch would be ...

jaas.config

----
oakAuth {
    org.apache.jackrabbit.oak.security.ProxyLoginModule REQUIRED
        loginModuleFactoryClass="org.apache.jackrabbit.oak.security.LdapLoginModuleFactory"
        authIdentity="{USERNAME}"
        useSSL=false
        debug=true;
};
----

import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ProxyLoginModule implements LoginModule {
    private LoginModule delegate;

    public void initialize(Subject subject, CallbackHandler callbackHandler,
            Map<String, ?> sharedState, Map<String, ?> options) {
        // Ask the outer layer (Oak) for the factory provider through a callback
        LMFactoryProviderCallBack lmfcb = new LMFactoryProviderCallBack();
        try {
            callbackHandler.handle(new Callback[] { lmfcb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new IllegalStateException("Cannot obtain LoginModuleFactoryProvider", e);
        }
        // Resolve the factory named by the loginModuleFactoryClass option in jaas.config
        LoginModuleFactory factory = lmfcb.getLoginModuleFactoryProvider()
                .getFactory((String) options.get("loginModuleFactoryClass"));
        delegate = factory.createLoginModule();
        delegate.initialize(subject, callbackHandler, sharedState, options);
    }

    // All other LoginModule operations are forwarded to the delegate
    public boolean login() throws LoginException { return delegate.login(); }
    public boolean commit() throws LoginException { return delegate.commit(); }
    public boolean abort() throws LoginException { return delegate.abort(); }
    public boolean logout() throws LoginException { return delegate.logout(); }
}

The flow would involve the following steps:

1. The user mentions the ProxyLoginModule in the jaas entry and provides the
factory class name in the config. JAAS logic would instantiate the Proxy LM.
2. Oak provides a callback using which the Proxy LM can obtain the factory.
3. Upon init the proxy would initialize the delegate from the factory.
4. The delegate is used for later calls.
5. The LM, if required, can still use the config from jaas, or it is
configured via the factory itself.

Note here I preferred using the callback to let the LM access the outer
layer services instead of using a custom config.

The custom config mode works fine in the standalone case where the
application is the sole user of the JAAS system. Hence it works fine for
a Karaf/OSGi env. But that might not work properly in an app server env
where the app server itself uses jaas. So to avoid interfering in embedded
mode, the callback should be preferred.

Chetan Mehrotra
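The five-step flow above, written out as a runnable Java program. This is an added example, not code from Chetan's mail or from Oak: the types LMFactoryProviderCallBack, LoginModuleFactoryProvider and LoginModuleFactory are the hypothetical ones named in the thread, defined here as minimal interfaces; RecordingLoginModule is a constructed stand-in for the real delegate (the LDAP module), and the JAAS Configuration is built programmatically so that it is the equivalent of the jaas.config entry above without touching the JVM-wide login configuration.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ProxyLoginModuleDemo {

    /** Hypothetical (from the thread): creates LoginModule instances. */
    public interface LoginModuleFactory {
        LoginModule createLoginModule();
    }

    /** Hypothetical (from the thread): maps the factory class name in jaas.config to a factory. */
    public interface LoginModuleFactoryProvider {
        LoginModuleFactory getFactory(String factoryClassName);
    }

    /** Hypothetical (from the thread): the Callback by which the proxy asks for the provider. */
    public static class LMFactoryProviderCallBack implements Callback {
        private LoginModuleFactoryProvider provider;
        public void setLoginModuleFactoryProvider(LoginModuleFactoryProvider p) { provider = p; }
        public LoginModuleFactoryProvider getLoginModuleFactoryProvider() { return provider; }
    }

    /** Steps 1-4: JAAS instantiates this class; it fetches the delegate and forwards every call. */
    public static class ProxyLoginModule implements LoginModule {
        private LoginModule delegate;

        public void initialize(Subject subject, CallbackHandler handler,
                Map<String, ?> sharedState, Map<String, ?> options) {
            LMFactoryProviderCallBack cb = new LMFactoryProviderCallBack();
            try {
                handler.handle(new Callback[] { cb });             // step 2: ask the outer layer
            } catch (IOException | UnsupportedCallbackException e) {
                throw new IllegalStateException("outer layer did not answer the factory callback", e);
            }
            String name = (String) options.get("loginModuleFactoryClass");
            LoginModuleFactory factory = cb.getLoginModuleFactoryProvider().getFactory(name);
            if (factory == null) {
                throw new IllegalStateException("no LoginModuleFactory registered for " + name);
            }
            delegate = factory.createLoginModule();                 // step 3
            delegate.initialize(subject, handler, sharedState, options);
        }
        public boolean login() throws LoginException { return delegate.login(); }   // step 4
        public boolean commit() throws LoginException { return delegate.commit(); }
        public boolean abort() throws LoginException { return delegate.abort(); }
        public boolean logout() throws LoginException { return delegate.logout(); }
    }

    /** Constructed stand-in delegate: step 5, it still reads its own jaas options. */
    public static class RecordingLoginModule implements LoginModule {
        private Map<String, ?> options;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> ss, Map<String, ?> o) { options = o; }
        public boolean login() throws LoginException {
            if (!options.containsKey("authIdentity")) throw new LoginException("authIdentity option missing");
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    public static void main(String[] args) throws LoginException {
        // Programmatic equivalent of the oakAuth entry in jaas.config (constructed).
        Map<String, String> options = new HashMap<>();
        options.put("loginModuleFactoryClass", "org.apache.jackrabbit.oak.security.LdapLoginModuleFactory");
        options.put("authIdentity", "{USERNAME}");
        Configuration config = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        ProxyLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, options) };
            }
        };

        // The outer layer (Oak in the thread) registers factories by class name and answers the
        // callback; it never has to replace the JVM's JAAS Configuration, which is the point of
        // the callback approach in an app server that uses JAAS itself.
        Map<String, LoginModuleFactory> registry = new HashMap<>();
        registry.put("org.apache.jackrabbit.oak.security.LdapLoginModuleFactory", RecordingLoginModule::new);
        LoginModuleFactoryProvider provider = registry::get;
        CallbackHandler outerHandler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof LMFactoryProviderCallBack) {
                    ((LMFactoryProviderCallBack) c).setLoginModuleFactoryProvider(provider);
                } else {
                    throw new UnsupportedCallbackException(c);   // delegate callbacks would go here
                }
            }
        };

        LoginContext lc = new LoginContext("oakAuth", new Subject(), outerHandler, config);
        lc.login();   // ProxyLoginModule -> provider -> factory -> RecordingLoginModule.login()
        System.out.println("login through ProxyLoginModule succeeded");
    }
}
```

Passing the Configuration to the LoginContext constructor is what keeps this embedded-safe: the proxy class name and its options are scoped to this context, and the factory registry lives entirely on the application side, so an app server's own JAAS configuration is neither read nor modified.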
