Red Hat SummitCe contenu n'est pas disponible dans la langue sélectionnée.
14.2.2. Custom LoginModule Example
The following information will help you to create a custom Login Module example that extends the
UsernamePasswordLoginModule and obtains a user's password and role names from a JNDI lookup.
At the end of this section you will have created a custom JNDI context login module that will return a user's password if you perform a lookup on the context using a name of the form
password/<username> (where <username> is the current user being authenticated). Similarly, a lookup of the form roles/<username> returns the requested user's roles. In Example 14.22, “JndiUserAndPassLoginModule Custom Login Module” is the source code for the JndiUserAndPassLoginModule custom login module.
Note that because this extends the JBoss
UsernamePasswordLoginModule, the JndiUserAndPassLoginModule obtains the user's password and roles from the JNDI store. The JndiUserAndPassLoginModule does not interact with the JAAS LoginModule operations.
Example 14.22. JndiUserAndPassLoginModule Custom Login Module
package org.jboss.book.security.ex2;
import java.security.acl.Group;
import java.util.Map;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.jboss.logging.Logger;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
/**
* An example custom login module that obtains passwords and roles for a user from a JNDI lookup.
*
* @author Scott.Stark@jboss.org
*/
public class JndiUserAndPassLoginModule extends UsernamePasswordLoginModule {
/** The JNDI name to the context that handles the password/username lookup */
private String userPathPrefix;
/** The JNDI name to the context that handles the roles/username lookup */
private String rolesPathPrefix;
private static Logger log = Logger.getLogger(JndiUserAndPassLoginModule.class);
/**
* Override to obtain the userPathPrefix and rolesPathPrefix options.
*/
@Override
public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
super.initialize(subject, callbackHandler, sharedState, options);
userPathPrefix = (String) options.get("userPathPrefix");
rolesPathPrefix = (String) options.get("rolesPathPrefix");
}
/**
* Get the roles the current user belongs to by querying the rolesPathPrefix + '/' + super.getUsername() JNDI location.
*/
@Override
protected Group[] getRoleSets() throws LoginException {
try {
InitialContext ctx = new InitialContext();
String rolesPath = rolesPathPrefix + '/' + super.getUsername();
String[] roles = (String[]) ctx.lookup(rolesPath);
Group[] groups = { new SimpleGroup("Roles") };
log.info("Getting roles for user=" + super.getUsername());
for (int r = 0; r < roles.length; r++) {
SimplePrincipal role = new SimplePrincipal(roles[r]);
log.info("Found role=" + roles[r]);
groups[0].addMember(role);
}
return groups;
} catch (NamingException e) {
log.error("Failed to obtain groups for user=" + super.getUsername(), e);
throw new LoginException(e.toString(true));
}
}
/**
* Get the password of the current user by querying the userPathPrefix + '/' + super.getUsername() JNDI location.
*/
@Override
protected String getUsersPassword() throws LoginException {
try {
InitialContext ctx = new InitialContext();
String userPath = userPathPrefix + '/' + super.getUsername();
log.info("Getting password for user=" + super.getUsername());
String passwd = (String) ctx.lookup(userPath);
log.info("Found password=" + passwd);
return passwd;
} catch (NamingException e) {
log.error("Failed to obtain password for user=" + super.getUsername(), e);
throw new LoginException(e.toString(true));
}
}
}
Example 14.23. Definition of security-ex2 security domain with the newly-created custom login module
/subsystem=security/security-domain=security-ex2/:add
/subsystem=security/security-domain=security-ex2/authentication=classic:add
/subsystem=security/security-domain=security-ex2/authentication=classic/login-module=ex2/:add(\
flag=required,\
code=org.jboss.book.security.ex2.JndiUserAndPassLoginModule,\
module-options=[("userPathPrefix"=>"/security/store/password"),\
("rolesPathPrefix"=>"/security/store/roles")]\
)
The choice of using the
JndiUserAndPassLoginModule custom login module for the server side authentication of the user is determined by the login configuration for the example security domain. The EJB JAR META-INF/jboss-ejb3.xml descriptor sets the security domain. For a web application it is part of the WEB-INF/jboss-web.xml file.
Example 14.24. jboss-ejb3.xml Example
<?xml version="1.0"?>
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:s="urn:security" version="3.1" impl-version="2.0">
<assembly-descriptor>
<s:security>
<ejb-name>*</ejb-name>
<s:security-domain>security-ex2</s:security-domain>
</s:security>
</assembly-descriptor>
</jboss:ejb-jar>
Example 14.25. jboss-web.xml example
<?xml version="1.0"?>
<jboss-web>
<security-domain>security-ex2</security-domain>
</jboss-web>
