  • problem about JaasAuthenticationProvider

    I made the configuration as the reference told.
    <bean id="jaasAuthenticationProvider" class="com.genersoft.platform.security.aa.authentication.jaas.JaasAuthenticationProvider">
    <property name="loginConfig">
    <value>/WEB-INF/security/jaas.config</value>
    </property>
    <property name="loginContextName">
    <value>NamePassword</value>
    </property>
    <property name="callbackHandlers">
    <list>


    But it didn't work.
    The application raises an exception:
    javax.security.auth.login.LoginException: 没有为 NamePassword 配置 LoginModule

    In English, it means "No configuration for NamePassword LoginModule".

    I changed the code of JaasAuthenticationProvider.java
    and added one statement at the end of the afterPropertiesSet() method:

    System.setProperty("java.security.auth.login.config", "=" + loginConfig.getURL().toString());

    Then the problem was gone; the LoginModule is created successfully.


    I am a beginner in Java security, and I am not sure why the problem occurs or why it is solved.
    Please give me some advice.

    By the way, I am using WebSphere V5.1.

  • #2
    Would it be possible to see the contents of your jaas.conf file please, mainly your NamePassword {} configuration please?



    • #3
      /** Login Configuration for the JAAS Application **/

      NamePassword {
          com.genersoft.platform.security.aa.authentication.jaas.login.DaoLoginModule required debug=true;
      };


      That's all. I just imitated the sample configuration file from the Sun JAAS tutorials.



      • #4
        You're setting the property java.security.auth.login.config to a url that starts with an = sign. That is invalid as far as I know.

        When Jaas gets configured it looks for the "java.security.auth.login.config" system property, which you've set to an invalid url. Then, it looks for any login.config.url.X properties having been set as Security properties.

        I think the loop of code that looks for the first available login.config.url.X value to be null and sets it is probably working, and the "java.security.auth.login.config" property you've set is being ignored by Jaas because it's invalid.

        Since you're using your own implementation of the JaasAuthenticationProvider, would you mind posting your afterPropertiesSet method? I am looking at reworking that code anyway now, because the loop thing is kinda lame...

        -Ray



        • #5
          My code is as follows:
          -------------------------

          public void afterPropertiesSet() throws Exception {
              if (loginConfig == null) {
                  throw new ApplicationContextException("loginConfig must be set on "
                          + getClass());
              }

              if (loginContextName == null) {
                  throw new ApplicationContextException(
                          "loginContextName must be set on " + getClass());
              }

              // int n = 1;
              //
              // while (Security.getProperty("login.config.url." + n) != null) {
              //     n++;
              // }
              //
              // Security.setProperty("login.config.url." + n,
              //         loginConfig.getURL().toString());
              System.setProperty("java.security.auth.login.config", "=" + loginConfig.getURL().toString());
          }
          ---------------

          According to the Sun JAAS tutorial, to run the sample application you must specify the -D option
          as below:
          java -Djava.security.auth.login.config==sample_jaas.config sample.SampleAcn

          I checked the java tool docs and found this about the -D option:
          -Dproperty=value
          Set a system property value. If value is a string that contains spaces, you must enclose the string in double quotes:

          That is why I tried adding the line of code to the end of the afterPropertiesSet() method.

          A tutorial from IBM developerWorks says:
          "the double equals sign (==) indicates that the system default login configuration and policy files should not be added to the ones we've listed here. A single equals sign (=) would indicate the file should be concatenated with the system default."
          That is why I added a "=" before the URL.

          I also checked the Sun implementation of javax.security.auth.login.Configuration,
          the com.sun.security.auth.login.ConfigFile source code:

          in the init() method,
          the value of the property "java.security.auth.login.config" can start with "=".


          Just now, I tried the two ways in a standalone app.
          Both
          System.setProperty("java.security.auth.login.config", "=file:E:/test/java/clear/sample_jaas.config");
          and
          Security.setProperty("login.config.url.1", "file:E:/test/java/clear/sample_jaas.config");
          work.

          I tried with both the Sun and IBM JREs.

          This makes me quite confused: why, when I tried in the WebSphere environment, does "System.setProperty" work and "Security.setProperty" fail?

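The two registration routes compared in the post above can be checked from inside any JVM. The following is an added example, not code from the thread or from Acegi: the class name `JaasConfigCheck`, the temp file and the `example.DemoLoginModule` entry are constructed for illustration, and it assumes Java 11+. It prints which `Configuration` implementation is active and whether that implementation resolves the `NamePassword` context after the file has been registered.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Security;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class JaasConfigCheck {
    // Register the URL in the first free login.config.url.N slot
    // (the approach of the commented-out loop in the post).
    static String registerSecurityProperty(String url) {
        int n = 1;
        while (Security.getProperty("login.config.url." + n) != null) {
            n++;
        }
        Security.setProperty("login.config.url." + n, url);
        return "login.config.url." + n;
    }

    // True only if the active Configuration knows the context name after a re-read.
    static boolean isConfigured(String contextName) {
        Configuration cfg = Configuration.getConfiguration();
        cfg.refresh();
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(contextName);
        return entries != null && entries.length > 0;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample file; the module class is a placeholder and is never loaded here.
        Path conf = Files.createTempFile("jaas", ".config");
        Files.writeString(conf,
                "NamePassword {\n  example.DemoLoginModule required debug=true;\n};\n");
        String url = conf.toUri().toString();

        if (args.length > 0 && args[0].equals("system")) {
            // Leading "=" is what "-Dprop==file" produces: use only this file.
            System.setProperty("java.security.auth.login.config", "=" + url);
        } else {
            System.out.println("registered as " + registerSecurityProperty(url));
        }
        System.out.println("Configuration implementation: "
                + Configuration.getConfiguration().getClass().getName());
        System.out.println("NamePassword configured: " + isConfigured("NamePassword"));
    }
}
```

Run it once with no argument and once with `system`; running the same check inside the application server shows whether the same `Configuration` class is in use there.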


          • #6
            One thing about the InternalCallbackHandler:

            in the handle() method of the inner class

            JaasAuthenticationCallbackHandler handler = callbackHandlers[i];
            handler.setAuthentication(authentication);

            for (int j = 0; j < callbacks.length; j++) {
                Callback callback = callbacks[j];
                handler.handle(callback);
            }

            In my opinion it may be better to change this to

            JaasAuthenticationCallbackHandler handler = callbackHandlers[i];
            synchronized (handler) {
                handler.setAuthentication(authentication);
                for (int j = 0; j < callbacks.length; j++) {
                    Callback callback = callbacks[j];
                    handler.handle(callback);
                }
            }


            because the handler is a singleton bean in the application context, and is shared by concurrent threads.



            • #7
              Learn something new every day. I didn't know about the double equals thing. I was looking at the Callback handler the other day; that interface design is just bad. It should not have a handler.setAuthentication(authentication) method on it at all; it should have been handle(Callback cb, Authentication auth). You're right, the synchronize change is absolutely needed there.

              I am going to commit a change to the afterPropertiesSet today. That works a lot cleaner.

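The concurrency problem raised in posts #6 and #7 can be reproduced in isolation. This is an added example, not Acegi code: the classes `StatefulHandler`, `StatelessHandler` and `Login` are hypothetical, and a plain `String` stands in for the `Authentication` object. It counts how often a login receives another thread's principal for the unsynchronized shared handler, the `synchronized` variant, and the signature that passes the authentication as an argument.

```java
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.callback.NameCallback;

public class SharedHandlerRace {
    // Stateful shape: the principal is stored on the shared singleton.
    static class StatefulHandler {
        private String principal; // stands in for Authentication (assumption)
        void setAuthentication(String p) { principal = p; }
        void handle(NameCallback cb) { cb.setName(principal); }
    }

    // Stateless shape: the principal travels with the call, nothing is shared.
    static class StatelessHandler {
        void handle(NameCallback cb, String principal) { cb.setName(principal); }
    }

    interface Login { void fill(NameCallback cb, String user); }

    // Two users log in concurrently; count callbacks filled with the other user's name.
    static int mismatches(Login login) throws InterruptedException {
        AtomicInteger bad = new AtomicInteger();
        Thread[] threads = new Thread[2];
        for (int t = 0; t < threads.length; t++) {
            String user = "user" + t;
            threads[t] = new Thread(() -> {
                for (int i = 0; i < 200_000; i++) {
                    NameCallback cb = new NameCallback("name: ");
                    login.fill(cb, user);
                    if (!user.equals(cb.getName())) bad.incrementAndGet();
                }
            });
            threads[t].start();
        }
        for (Thread th : threads) th.join();
        return bad.get();
    }

    public static void main(String[] args) throws InterruptedException {
        StatefulHandler shared = new StatefulHandler();
        StatelessHandler stateless = new StatelessHandler();
        Login racy = (cb, u) -> { shared.setAuthentication(u); shared.handle(cb); };
        Login locked = (cb, u) -> {
            synchronized (shared) { shared.setAuthentication(u); shared.handle(cb); }
        };
        Login byArg = stateless::handle;
        System.out.println("unsynchronized shared handler: " + mismatches(racy));
        System.out.println("synchronized shared handler:   " + mismatches(locked));
        System.out.println("authentication as argument:    " + mismatches(byArg));
    }
}
```

The first count depends on thread scheduling and is usually non-zero on a multi-core machine; the other two are always 0.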


              • #8
                I've just committed changes to both the JaasAuthenticationProvider and the JaasAuthenticationCallbackHandler.

                The JaasAuthenticationProvider afterPropertiesSet method now makes use of the java.security.auth.login.config System property before trying to use the login.config.url.X properties.
                The JaasAuthenticationCallbackHandler handle method now takes a callback and the authentication in progress; the setAuthentication method has been removed.
                I don't know if you're using Acegi out of CVS or not, but if you wouldn't mind taking the new code for a spin in your configuration, I'd really appreciate it, thanks.

                -Ray Krueger