3

I would like to create (implement on my own) an authentication mechanism which will be plugged into my Java EE application.

As far as I know I have to implement LoginModule and connect this implementation with the container mechanisms somehow. But the problem is that I don't know how to do it. Maybe you know where I can find sample code or a tutorial about it?

In other words, I would like to force the container to call my classes whenever the methods authenticate, login, and logout are called.

Sample implementation: the HttpServletRequest.login method will successfully authenticate only users with an even number of letters in the login.

pWoz

3 Answers

4

I believe the container independent way of doing this is to use JASPIC (JSR 196). Unfortunately it doesn't appear simple, robust, or particularly well documented. Here is a reference: http://arjan-tijms.blogspot.com/2012/11/implementing-container-authentication.html.

Ryan
2

After reading about JAAS, you should implement your login module based on org.jboss.security.auth.spi.AbstractServerLoginModule (from the org.picketbox/picketbox Maven artifact). Then deploy the module with your app, and create a proper security domain and realm in WildFly's standalone.xml, like so:

<security-domain name="myDomain" cache-type="default">
  <authentication>
    <login-module code="com.example.TestLoginModule" flag="required" module="deployment.sample.jar"/>
  </authentication>
</security-domain>

...

<security-realm name="MyRealm">
  <authentication>
    <jaas name="myDomain"/>
  </authentication>
</security-realm>

Look out for different behaviour on different JBoss AS versions: 7.1.1 will not allow you to deploy the login module; you would have to create a separate JBoss module and bind it with the org.picketbox and jboss.security modules.

Additional reading: https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration

https://docs.jboss.org/author/display/WFLY8/Security+Realms

http://java.dzone.com/articles/creating-custom-login-modules (it is a little outdated, but it gives the main idea)

mcmil
  • Where can I read about it? Is it contained in Jboss (WildFly) tutorial? – pWoz Feb 10 '14 at 09:07
  • I added some links to the post. Check out the dzone one first, should give you some idea about what is needed. Unfortunately config may differ a little in the newer versions of JBoss (be sure about the value of the module attribute). – mcmil Feb 10 '14 at 22:56
  • Thank you for your help. I have investigated this topic. I can now create my own login module, but I have one more problem. Can you take a look at it? http://stackoverflow.com/questions/22026078/custom-login-module-and-httpservletrequest-authenticatehttpservletresponse-resp – pWoz Feb 25 '14 at 21:03
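Added example, not code from the question or from any of the answers: a LoginModule written against the standard javax.security.auth.spi API that implements the even-number-of-letters rule the question asks for, showing the two-phase login()/commit() contract and a matching logout(). The class name EvenLetterLoginModule is an assumption (it would replace com.example.TestLoginModule in the login-module code attribute above); for WildFly, the answer's suggestion of extending PicketBox's AbstractServerLoginModule adds role handling on top of this same contract.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical JAAS module for the question's rule: accept a login name with an even number of letters. */
public class EvenLetterLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String user;         // set in login(), consumed in commit()
    private Principal principal; // added to the Subject in commit(), removed in logout()
    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
    }
    /** Phase 1: the container's CallbackHandler hands over what HttpServletRequest.login() received. */
    @Override public boolean login() throws LoginException {
        NameCallback name = new NameCallback("login");
        PasswordCallback pw = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { name, pw }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("no credentials: " + e); }
        pw.clearPassword(); // this rule ignores the password, so do not retain it
        String candidate = name.getName();
        if (candidate == null || !hasEvenLetterCount(candidate))
            throw new FailedLoginException("login rejected"); // same message for every failure
        user = candidate; return true;
    }
    /** Counts letters only: "a_b" (2 letters) is accepted, "abc" is rejected. */
    static boolean hasEvenLetterCount(String s) {
        return s.chars().filter(Character::isLetter).count() % 2 == 0;
    }
    /** Phase 2: the Subject learns the identity only once the whole login stack has succeeded. */
    @Override public boolean commit() {
        if (user == null) return false;
        String name = user; principal = () -> name; // getName() is Principal's only abstract method
        subject.getPrincipals().add(principal);
        return true;
    }
    @Override public boolean abort() { user = null; principal = null; return true; }
    /** Runs for HttpServletRequest.logout(): remove exactly the Principal this module added. */
    @Override public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        user = null; principal = null; return true;
    }
}
```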
1

You should research JAAS.

Wikipedia gives a good overview: http://en.m.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service

This will provide all the info and tutorials you need: http://docs.oracle.com/javase/7/docs/technotes/guides/security/

Tutorial with sample app: http://download.java.net/jdk8/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html

And check this out on SO: JAAS for human beings

wmorrison365