Re: [JBoss-user] JAAS login - updating the SRP cache

2003-06-27 Thread Scott M Stark
Then it may not be unless you can order the RolesLoginModule ahead of 
the authentication modules, which may not be possible.

--

Scott Stark
Chief Technology Officer
JBoss Group, LLC

Sebastian Hauer wrote:

Hi Scott,


In terms of a logical or of login modules, this is supported
out of the box by JAAS and is the purpose of the Sufficient control
flag: Sufficient - The LoginModule is not required to
succeed.  If it does succeed, control immediately returns to the
application (authentication does not proceed down the LoginModule list).
If it fails, authentication continues down the LoginModule list.

I don't think the "sufficient" flag is sufficient in my case.
I want at least one of a number of login modules to succeed and once one
of them succeeds I still want it to execute a RolesLoginModule so that
the Subject gets its roles assigned.  If I use the "sufficient" flag
for the "real" login modules it will simply return once one succeeds and
my roles login module will never get called.
Regards,
Sebastian


---
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user


RE: [JBoss-user] JAAS login - updating the SRP cache

2003-06-27 Thread Sebastian Hauer
Hi Scott,

> In terms of a logical or of login modules, this is supported
> out of the box by JAAS and is the purpose of the Sufficient control
> flag: Sufficient - The LoginModule is not required to
> succeed.  If it does succeed, control immediately returns to the
> application (authentication does not proceed down the LoginModule
> list). If it fails, authentication continues down the LoginModule list.

I don't think the "sufficient" flag is sufficient in my case.
I want at least one of a number of login modules to succeed and once one
of them succeeds I still want it to execute a RolesLoginModule so that
the Subject gets its roles assigned.  If I use the "sufficient" flag
for the "real" login modules it will simply return once one succeeds and
my roles login module will never get called.

Regards,
Sebastian




Re: [JBoss-user] JAAS login - updating the SRP cache

2003-06-26 Thread Scott M Stark
A multi-domain auth service requires something like Liberty, and that is 
a fair amount of work, but on my todo list.

In terms of a logical or of login modules, this is supported out of the 
box by JAAS and is the purpose of the Sufficient control flag:
Sufficient - The LoginModule is not required to succeed.  If it does 
succeed, control immediately returns to the application (authentication 
does not proceed down the LoginModule list). If it fails, authentication 
continues down the LoginModule list.

You got it working and that is all that matters. If you find that the 
Sufficient control flag does not work as specified then let me know.

--

Scott Stark
Chief Technology Officer
JBoss Group, LLC

Sebastian Hauer wrote:

I thought about this for a while and now I found the time to get back to
it.  I hope my answer is not too much out of context.
A multiple domain authentication service would be cool.  But because I
have no clue where to start with that, I came up with something else
that seems to work.  Might not be as elegant or efficient though.
Here is my new server-side JAAS login-config.xml:
...
What I was missing in JAAS was the fact that I can not do logical
grouping within an application policy.  What I needed was some kind of a
logical OR grouping of login modules.  This is what the
OrWrapperLoginModule does.  On login() it will go through each login
module defined as module options or.login.module.X and execute its
login() method until one succeeds, etc.
...
Regards,
Sebastian




RE: [JBoss-user] JAAS login - updating the SRP cache

2003-06-26 Thread Sebastian Hauer
Hi Scott,

A while ago on June 16, 2003 Scott M Stark wrote:

> You can't really do this because the SRP session key used as 
> the authentication token is not being used as the credential 
> for the web application. These two security domains do not 
> have a compatible view. You really need a multiple domain 
> single sign-on type of service which is something we do not 
> currently have. Alternatively, you could use the same 
> security domain for both the web app and ejb app, but web 
> browsers do not currently support SRP.

I thought about this for a while and now I found the time to get back to
it.  I hope my answer is not too much out of context.
A multiple domain authentication service would be cool.  But because I
have no clue where to start with that, I came up with something else
that seems to work.  Might not be as elegant or efficient though.
Here is my new server-side JAAS login-config.xml:


   
  
 org.jboss.security.srp.jaas.SRPCacheLoginModule
 com.sknt.picasso.security.jaas.PicassoAuthenticationLoginModule
 org.jboss.security.auth.spi.AnonLoginModule

 guest
 xenon/AuthenticationCache
  

  
 useFirstPass
  
   


What I was missing in JAAS was the fact that I can not do logical
grouping within an application policy.  What I needed was some kind of a
logical OR grouping of login modules.  This is what the
OrWrapperLoginModule does.  On login() it will go through each login
module defined as module options or.login.module.X and execute its
login() method until one succeeds, etc.
 
The JBoss SRPCacheLoginModule will authenticate against the SRP
cache.  This one is used by the GUI clients that authenticate using SRP.
PicassoAuthenticationLoginModule is maintaining our own cluster wide
cache of user data and will be used by the web application.  
The JBoss AnonLoginModule is necessary if we want to allow
unauthenticated bean access on bean methods with 
permission.

I've tested it using an SRP authenticated client as well as a web client
and it works fine.


I and the company I am working for would not mind contributing
OrWrapperLoginModule under the LGPL to the JBoss project or anyone who
might think it is useful.

Regards,
Sebastian
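
A sketch of how a wrapper like the one described in this message could be written. It is an added, hypothetical reconstruction, not the OrWrapperLoginModule from the thread (its source is not on the page); the class name OrWrapperSketch and the choice to pass the wrapper's options through to every delegate are assumptions.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical OR wrapper: the first delegate whose login() succeeds wins. */
public class OrWrapperSketch implements LoginModule {
    private final List<LoginModule> delegates = new ArrayList<>();
    private LoginModule winner;   // delegate that authenticated the caller, if any

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        // Delegates are named by options or.login.module.1, or.login.module.2, ...
        for (int i = 1; opts.get("or.login.module." + i) != null; i++) {
            try {
                String cls = (String) opts.get("or.login.module." + i);
                LoginModule m = (LoginModule) Class.forName(cls).getDeclaredConstructor().newInstance();
                m.initialize(s, h, shared, opts);   // assumption: delegates share the wrapper's options
                delegates.add(m);
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException("cannot load delegate " + i, e);
            }
        }
    }
    public boolean login() throws LoginException {
        LoginException last = new FailedLoginException("no delegate authenticated the caller");
        for (LoginModule m : delegates) {
            try {
                if (m.login()) { winner = m; return true; }
            } catch (LoginException e) { last = e; }   // rejected: try the next delegate
        }
        throw last;   // fail closed when every delegate rejected the caller
    }
    // Only the delegate that authenticated may add principals to the Subject.
    public boolean commit() throws LoginException { return winner != null && winner.commit(); }
    public boolean abort() throws LoginException {
        for (LoginModule m : delegates) m.abort();   // let every delegate discard its state
        boolean had = winner != null; winner = null; return had;
    }
    public boolean logout() throws LoginException {
        boolean r = winner != null && winner.logout(); winner = null; return r;
    }
}
```

Configured as a single required entry ahead of a roles module, a wrapper of this shape lets the stack continue after any one delegate succeeds, which the sufficient flag does not.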




Re: [JBoss-user] JAAS login - updating the SRP cache

2003-06-16 Thread Scott M Stark
You can't really do this because the SRP session key used as the authentication token
is not being used as the credential for the web application. These two security domains
do not have a compatible view. You really need a multiple domain single sign-on type
of service which is something we do not currently have. Alternatively, you could use the
same security domain for both the web app and ejb app, but web browsers do not
currently support SRP.

You can set and clear the SRP session key for each web thread to allow calls into the ejb
layer to assume the correct identity using a filter or valve by looking up the session
key from the SRP cache.


Scott Stark
Chief Technology Officer
JBoss Group, LLC


- Original Message - 
From: "Sebastian Hauer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 16, 2003 2:53 PM
Subject: [JBoss-user] JAAS login - updating the SRP cache


Hi,

I have a question regarding the SRP cache.  I have a server side JAAS
login config which right now looks like this:


   
  
 xenon/AuthenticationCache
  

  
 useFirstPass
  
   



   
  
  

  
 useFirstPass
  
   



Basically I have an application policy I want to use to secure my bean
access.  Because I am using SRP to authenticate the users of a
standalone java application I want to make use of the SRP cache to speed
things up while checking the credentials of a bean caller.
So far so good,  but now I also have a web application I need to secure.
Therefore the second application policy "web-app".  The web application
will make bean calls as well, which will fail because my custom login
module "PicassoAuthenticationLoginModule" does not know how to update
the SRP cache.

I assume I have to somehow call the SRP service and tell it to update
the cache.  But before I dig into the JBoss code and try to figure out
how this is done I want to know if this is "the way to do it" (TM) or if
there is something I forgot.

Regards,
Sebastian


