Hi Angela,
one possible solution that I found, when deploying oak within jboss, is to
define the custom security domain in the *standalone.xml* file. E.g.
<subsystem xmlns="urn:jboss:domain:security:2.0">
     <security-domains>
          <security-domain name="jackrabbit.oak"  cache-type="default">
               <authentication>
   <login-module code="com.myproject.login.CustomLoginModule"
flag="sufficient"></login-module>
</authentication>
          </security-domain>
          .....
     </security-domains>
</subsystem>

this will register *CustomLoginModule* as login module for the oak
application. Of course, it's not an ideal solution, since the configuration
of the custom login module is not specified while setting up the repository
but in a completely different place.

I think It would be nice to be able to define a custom Configuration and
pass it to the LoginContentProvider as constructor parameter, like the
SecurityProvider. Do you see any reason why it shouldn't be allowed?

Marco.

On Tue, Mar 10, 2020 at 10:08 AM Angela Schreiber <[email protected]> wrote:

> Hi Marco
>
> Probably not.... but I am not aware of another solution from the top of my
> head. If you find one please let me know.
>
> Kind regards
> Angela
> ------------------------------
> *From:* Marco Piovesana <[email protected]>
> *Sent:* Tuesday, March 10, 2020 9:40 AM
> *To:* Angela Schreiber <[email protected]>
> *Cc:* [email protected] <[email protected]>
> *Subject:* Re: custom authentication module
>
> I tried this and it seems to be working:
>
> Configuration currentConfiguration = Configuration.getConfiguration();
> Configuration.setConfiguration(new Configuration() {
>     @Override
>     public AppConfigurationEntry[] getAppConfigurationEntry(String
> applicationName) {
>         if
> (AuthenticationConfiguration.DEFAULT_APP_NAME.equals(applicationName)) {
>             return new AppConfigurationEntry[] {
>                     new
> AppConfigurationEntry(CustomLoginModule.class.getName(),
> LoginModuleControlFlag.SUFFICIENT, new HashMap<>())
>             };
>         } else {
>             return
> currentConfiguration.getAppConfigurationEntry(applicationName);
>         }
>     }
> });
>
> I guess it's not ideal though. Do you know if there's a way to pass the
> configuration to oak without having to use the static method
> *Configuration.setConfiguration*?
>
> Marco.
>
> On Tue, Mar 10, 2020 at 8:37 AM Angela Schreiber <[email protected]>
> wrote:
>
> Hi Marco
>
> I never had to do that but I would first try to compose the new
> configuration from the existing non-oak entries with additional
> oak-entries. In other words aggregating the result of getConfiguration()
> with the custom AppConfigurationEntry.
>
> Kind regards
> Angela
> ------------------------------
> *From:* Marco Piovesana <[email protected]>
> *Sent:* Monday, March 9, 2020 3:23 PM
> *To:* [email protected] <[email protected]>
> *Subject:* Re: custom authentication module
>
> Hi Angela,
> I defined a custom configuration as you suggested by doing:
>
> Configuration.setConfiguration(new Configuration() {
>     @Override
>     public AppConfigurationEntry[] getAppConfigurationEntry(String
> applicationName) {
>         return new AppConfigurationEntry[] {
>                 new
> AppConfigurationEntry(CustomLoginModule.class.getName(),
> LoginModuleControlFlag.SUFFICIENT, new HashMap<>())
>         };
>     }
> });
>
> This works fine when oak is executed standalone, but I have a problem when
> I embed it within a JavaEE application. In this case there's already a
> configuration for other resources (e.g. jms) and this solution overrides
> that configuration.
> How can define the login modules for a specific application (in my case
> "jackrabbit.oak") without having to redefine the whole Configuration?
>
> Marco.
>
> On Thu, Feb 27, 2020 at 1:49 PM Marco Piovesana <[email protected]>
> wrote:
>
> > Hi Angela,
> > thanks for the clarification! I did see that in L4_userIDTest but I
> wasn't
> > sure it was meant to be used also in production. I've created OAK-8929
> for
> > the documentation update.
> >
> > Marco.
> >
> >
> > On Thu, Feb 27, 2020 at 6:50 PM Angela Schreiber
> <[email protected]>
> > wrote:
> >
> >> Hi Marco
> >>
> >> The section you are referring to talks about replacing the
> authentication
> >> setup altogether... so replacing all parts of it.
> >>
> >> However, if your task is 'just' to configure an additional LoginModule
> or
> >> replacing an existing one (but otherwise leaving the broader
> authentication
> >> setup in place), that doesn't require replacing the
> >> AuthenticationConfiguration. Instead that should be straight forward by
> >> calling
> >>
> >>
> >>
> javax.security.auth.login.Configuration.setConfiguration(yourCustomConfiguration)
> >>
> >> yourCustomConfiguration would define which LoginModules are being used
> >> for your authentication, their order and a LoginModuleControlFlag for
> each
> >> of them.
> >>
> >> Since the documentation is apparently not clear about this: may I ask
> you
> >> to create a documentation issue such that we can fix that? Thanks.
> >>
> >> You can see an example on how this is done in a non-OSGi setup in
> >> org.apache.jackrabbit.oak.AbstractSecurityTest that is located in
> oak-core.
> >> From there yo can also find those derived tests that in fact defined a
> >> different configuration... there should a few of those floating around
> in
> >> Oak.
> >>
> >> Hope that helps
> >> Angela
> >>
> >> ________________________________
> >> From: Marco Piovesana <[email protected]>
> >> Sent: Thursday, February 27, 2020 11:00 AM
> >> To: [email protected] <[email protected]>
> >> Subject: custom authentication module
> >>
> >> Hi all,
> >> I'm trying to define a custom LoginModule that extends the
> >> AbstractLoginModule in a NON-OSGi setup. Reading the documentation here
> >> <https://jackrabbit.apache.org/oak/docs/security/authentication.html>
> at
> >> the section "Pluggability" I think I understood that I have to options
> to
> >> do it: defining my own SecurityProvider or using a JAAS configuration.
> >> I tried to look at the source code and the examples but I'm having a
> hard
> >> time understanding exactly how to do it. Is there anyone that can help
> me
> >> out?
> >>
> >> Marco.
> >>
> >
> >
> >
>
> --
>
> marco piovesanA
> Enterprise Application
>
>
>
> *ESTECO* | EXPLORE DESIGN PERFECTION
>
> AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
> Phone: +39 040 3755548 - Fax: +39 040 3755549
> [Website] <http://www.esteco.com> | [Twitter]
> <https://twitter.com/esteco_mF> | [Facebook]
> <https://www.facebook.com/esteco.spa> | [Linkedin]
> <https://www.linkedin.com/company/748217>
> Pursuant to Legislative Decree No. 196/2003, you are hereby informed that
> this message contains confidential information intended only for the use of
> the addressee. If you are not the addressee, and have received this message
> by mistake, please delete it and immediately notify us. You may not copy or
> disseminate this message to anyone. Thank you. Please consider the
> environment before printing this email.
>
>
>

Reply via email to