I'd like to know how to combine these two authentication steps:
The LDAP user repository has no idea about application-specific roles, and I don't want to manage the passwords in the application DB. So I need both.
The JAAS configuration file allows additional LoginModules:
<name used by application to refer to this entry> {
<LoginModule> <flag> <LoginModule options>;
<optional additional LoginModules, flags and options>;
};
but I can't find an example that explains how it works.
Is this the right method?
Thanks
=========================================
Here is my answer:
Indeed, we can have additional LoginModules. The JAAS configuration file is:
Sample {
    com.sun.security.auth.module.LdapLoginModule requisite
        userProvider="ldap://acme.org:389/OU=Users,OU=_ACME,DC=acmegis,DC=acme,DC=org"
        authIdentity="{USERNAME}"
        userFilter="(userPrincipalName={USERNAME})"
        storePass=true;
    sample.module.SampleLoginModule required
        debug=true;
};
Here we have two LoginModules:
Sun's LdapLoginModule, which checks the user/password, and mine, sample.module.SampleLoginModule, which queries my DB and fills the principals. The important parameter is storePass=true, which asks the LdapLoginModule to store the username and password in the module's shared state (see http://docs.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html).
So the next LoginModules can get the username from the sharedState Map argument passed to the initialize method. They should have nothing to do in login(), and the DB query that fills the Principals is done in commit() (as Shimi Bandiel said).
I don't use it yet, but there is a DatabaseServerLoginModule developed by JBoss (see http://community.jboss.org/wiki/DatabaseServerLoginModule) that supports authentication and role mapping. Used with password-stacking=useFirstPass, it should answer my need without writing a single line of code (just a beautiful JAAS configuration file).
B.R.
JAAS provides subject-based authorization on authenticated identities. This document focuses on the authentication aspect of JAAS, specifically the LoginModule interface.
JAAS authentication is performed in a pluggable fashion, so applications can remain independent from underlying authentication technologies. A system administrator determines the authentication technologies, or LoginModules, to be used for each application and configures them in a login Configuration.
You should implement a LoginModule in which, in the login method, you access the LDAP and check username/password, and in the commit method you access the DB and fill the principals.
There is no need here to use multiple LoginModules.
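As an added illustration (not code from the question or from either answer) of the stacked design in the self-answer above, here is what a downstream `sample.module.SampleLoginModule` can look like. It reads the username that `LdapLoginModule` placed in the shared state under the documented key `javax.security.auth.login.name` (with `storePass=true`), does no password check of its own in `login()`, and only in `commit()` queries the database and attaches role principals to the `Subject`. Shimi Bandiel's single-module variant differs only in `login()`, where the LDAP bind itself would be performed instead of reading the shared state. The table `user_roles(username, role)`, the module options `jdbcUrl`, `dbUser` and `dbPassword`, and the `RolePrincipal` class are assumptions made for this example.

```java
package sample.module;

import java.security.Principal;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Second module in the stack: trusts the LDAP-verified username from sharedState and maps DB roles to principals. */
public class SampleLoginModule implements LoginModule {
    // Key under which LdapLoginModule stores the username when storePass=true (documented in its javadoc).
    // The password is stored under "javax.security.auth.login.password"; this module never reads it.
    private static final String NAME_KEY = "javax.security.auth.login.name";

    private Subject subject;
    private Map<String, ?> sharedState;
    private Map<String, ?> options;
    private String username;
    private final Set<Principal> principals = new HashSet<>();
    private boolean loginSucceeded;
    private boolean committed;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = sharedState;
        this.options = options;
    }

    @Override
    public boolean login() throws LoginException {
        // Phase 1: no credential check here; the preceding requisite LdapLoginModule already did it.
        Object name = sharedState.get(NAME_KEY);
        if (name == null) {
            throw new FailedLoginException("no username in shared state; is storePass=true set on LdapLoginModule?");
        }
        username = name.toString();
        loginSucceeded = true;
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        // Phase 2: runs only when the whole chain succeeded, so roles are never attached for a failed login.
        if (!loginSucceeded) return false;
        String url = (String) options.get("jdbcUrl");          // hypothetical module options
        String dbUser = (String) options.get("dbUser");
        String dbPassword = (String) options.get("dbPassword");
        String sql = "SELECT role FROM user_roles WHERE username = ?"; // hypothetical table
        try (Connection c = DriverManager.getConnection(url, dbUser, dbPassword);
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username); // bound parameter: the username is user-supplied input
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) principals.add(new RolePrincipal(rs.getString(1)));
            }
        } catch (SQLException e) {
            throw (LoginException) new LoginException("role lookup failed").initCause(e);
        }
        subject.getPrincipals().addAll(principals);
        committed = true;
        return true;
    }

    @Override
    public boolean abort() throws LoginException {
        if (!loginSucceeded) return false;
        if (committed) logout(); else cleanup();
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        subject.getPrincipals().removeAll(principals);
        cleanup();
        return true;
    }

    private void cleanup() {
        principals.clear();
        username = null;
        loginSucceeded = false;
        committed = false;
    }

    /** Minimal application role principal (assumed for this example; JAAS ships no generic one). */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "Role[" + name + "]"; }
    }
}
```

The corresponding entry in the JAAS configuration would be `sample.module.SampleLoginModule required jdbcUrl="jdbc:..." dbUser="..." dbPassword="...";` placed after the `LdapLoginModule` entry. Because the LDAP module is flagged `requisite`, a failed bind stops the chain before this module's `login()` runs, so it never sees an unverified username. Setting `clearPass=true` on `LdapLoginModule` makes it remove the username and password from the shared state once both phases have completed, so the password does not linger there after commit.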