David Blevins wrote:
>
>
> On Mar 25, 2009, at 6:21 AM, dojolava wrote:
>
>> What I actually want to do, is to authenticate a client by a
>> specific client
>> ID. I thought to use a custom CallbackHandler that access my
>> configuration
>> files to read this securityString and check it against a prefix in the
>> username. E.g
>>
>> @Override
>> public void handle(Callback[] callbacks) throws IOException,
>> UnsupportedCallbackException {
>> username = MyClientAuthenticator.authenticate(username);
>> for (int i = 0; i < callbacks.length; i++) {
>> ...
>> }
>> }
>>
>> Does anybody know how to achieve this?
>
> I'm not sure I understand exactly. Some details on what you mean by
> check it against a prefix would be great. We have a couple points on
> the client and server where some indirection can be added, but I'm not
> sure what to recommend if any.
>
> In terms of just standard JAAS LoginModules, you should be able to
> specify your CallbackHandler like so:
>
> URL resource = classLoader.getResource("client.login.conf");
> System.setProperty("java.security.auth.login.config",
> resource.toExternalForm());
>
> LoginContext lc = new LoginContext("ClientLogin", new
> MyCallbackHandler());
>
>
> -David
>
I implemented it by creating a LoginContext with my own CallbackHandler
like you suggested, but this would not set the CallerPrincipal in the
SessionContext, thus I wasn't able to use @RolesAllowed etc.
Is there a way to achieve that if I have a custom authentication and use
LoginContext lc = new LoginContext("ClientLogin", new MyCallbackHandler());
that the CallerPrincipal will be set? I understood that this is not possible
after the connection has been established?!
What I have is this scenario:
- There are users in my system and their roles/groups are independent from
how they have logged in.
- They can log in via my own database with username/password.
- They can log in via my own LDAP with username/password; in this case my
system has a mapping from LDAP groups to roles/groups in my system.
- They can log in via Silent NTLM; in this case I do not have a password.
I haven't found a way to implement Silent NTLM on the server side if the
web container is not in the same virtual machine, so I need to be sure that
the web container who did the negotiation/authentication can be trusted. That's
why I thought about some kind of security string that I send together with
the username in Context.SECURITY_PRINCIPAL. I didn't find any other solution
yet.
My solution for now is a custom SecurityService that creates a custom
CallbackHandler to handle the callback for the "client security string". In
addition I have a custom LoginModule that authenticates against a local DB
or LDAP or nothing if NTLM and then checks the local DB for the user
groups/roles.
Mathis
--
View this message in context:
http://www.nabble.com/Define-Custom-SecurityService---configure-service-jar.xml-tp22699295p22738676.html
Sent from the OpenEJB User mailing list archive at Nabble.com.
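The custom-callback-plus-LoginModule design Mathis describes, written out as an added illustration (not code from the thread or from OpenEJB): the module pulls the user name and a hypothetical "client security string" callback from the CallbackHandler, checks the string against a `clientSecurityString` option assumed to be set in the login config, and on commit populates the Subject with a caller principal plus group principals looked up independently of the login mechanism. The callback and principal class names, the option name and the group lookup are all assumptions; a Java 16+ compiler is assumed for the record.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
/** Hypothetical module: the caller proves it is the trusted web container with a shared string. */
public class TrustedClientLoginModule implements LoginModule {
    /** Custom Callback carrying the client security string (assumed name). */
    public static final class ClientSecurityStringCallback implements Callback {
        private String value;
        public String getValue() { return value; }
        public void setValue(String v) { value = v; }
    }
    /** Group principal; a server-side security service would map these to roles (assumption). */
    public record GroupPrincipal(String name) implements Principal { public String getName() { return name; } }
    private Subject subject; private CallbackHandler handler;
    private byte[] expectedSecret;  // "clientSecurityString" option in the login config (assumed)
    private String user;
    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
        String secret = Objects.requireNonNull((String) opts.get("clientSecurityString"), "clientSecurityString option");
        expectedSecret = secret.getBytes(StandardCharsets.UTF_8);
    }
    @Override public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        ClientSecurityStringCallback secret = new ClientSecurityStringCallback();
        try { handler.handle(new Callback[] { name, secret }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callbacks: " + e); }
        byte[] got = Objects.toString(secret.getValue(), "").getBytes(StandardCharsets.UTF_8);
        // Constant-time compare so a wrong string cannot be probed byte by byte via timing.
        if (!MessageDigest.isEqual(got, expectedSecret)) throw new FailedLoginException("client security string rejected");
        user = name.getName();
        return true;
    }
    @Override public boolean commit() {
        if (user == null) return false;
        subject.getPrincipals().add((Principal) () -> user);  // caller principal
        for (String g : lookupGroups(user)) subject.getPrincipals().add(new GroupPrincipal(g));
        return true;
    }
    /** Stand-in for the local DB/LDAP-to-group lookup; returns a constructed sample. */
    private static List<String> lookupGroups(String user) { return List.of("users"); }
    @Override public boolean abort() { user = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

Whether the principals added in commit() become the EJB CallerPrincipal depends on the server-side security service that consumes the Subject, which is exactly the gap the thread is asking about.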