Announcement Announcement Module
Collapse
No announcement yet.
problem about JaasAuthenticationProvider Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • kakalot
    started a topic problem about JaasAuthenticationProvider

    problem about JaasAuthenticationProvider

    I made the configuration as the reference told.
    <bean id="jaasAuthenticationProvider" class="com.genersoft.platform.security.aa.authenti cation.jaas.JaasAuthenticationProvider">
    <property name="loginConfig">
    <value>/WEB-INF/security/jaas.config</value>
    </property>
    <property name="loginContextName">
    <value>NamePassword</value>
    </property>
    <property name="callbackHandlers">
    <list>


    but It didn't work .
    the application raise an exception :
    javax.security.auth.login.LoginException: 没有为 NamePassword 配置 LoginModule

    in English, it means "No configuration for NamePassword LoginModule"

    I change the code of JaasAuthenticationProvider.java
    add one statement at the end of the afterPropertiesSet() method:

    System.setProperty("java.security.auth.login.confi g","="+loginConfig.getURL().toString());

    and then the problem is gone. the LoginModule is created successfully.


    I am a beginner on java Security, and I am not sure why the problem occur, and why the problem is solved .
    give me some advice please .

    by the way , I am useing websphere V5.1

  • RayKrueger
    replied
    I've just commited changes to both the JaasAuthenticationProvider and the JaasAuthenticationCallbackHandler.

    The JaasAuthenticationProvider afterPropertiesSet method now makes use of the java.security.auth.login.config System property before trying to use the login.config.url.X properties.
    The JaasAuthenticationCallbackHandler handle method now takes a callback and the authentication in progress, the setAuthentication method has been removed.
    I don't know if you're using Acegi out of CVS or not, but if you wouldn't mind taking the new code for a spin in your configuration, I'd really appreicate it, thanks.

    -Ray Krueger

    Leave a comment:


  • RayKrueger
    replied
    Learn something new everyday. I didn't know about the double equals thing. I was looking at the Callback handler the other day, that interface design is just bad. It should not have a handler.setAuthentication(authentication) method on it at all, It should have been handle(Callback cb, Authentication auth). You're right the synchronize change is absolutely needed there.

    I am going to commit a change to the afterPropertiesSet today. That works alot cleaner.

    Leave a comment:


  • kakalot
    replied
    one thing about the InternalCallbackHandler

    in handle() method of the inner class

    JaasAuthenticationCallbackHandler handler = callbackHandlers[i];
    handler.setAuthentication(authentication);

    for (int j = 0; j < callbacks.length; j++) {
    Callback callback = callbacks[j];
    handler.handle(callback);
    }

    in my opinion maybe better change to
    JaasAuthenticationCallbackHandler handler = callbackHandlers[i];
    synchronized (handler) {
    handler.setAuthentication(authentication);
    for (int j = 0; j < callbacks.length; j++) {
    Callback callback = callbacks[j];
    handler.handle(callback);
    }
    }


    because handler is singlton bean is applicationcontext, and is shared accessed by concurrent thread.

    Leave a comment:


  • kakalot
    replied
    my code is as following:
    -------------------------

    public void afterPropertiesSet() throws Exception {
    if (loginConfig == null) {
    throw new ApplicationContextException("loginConfig must be set on "
    + getClass());
    }

    if (loginContextName == null) {
    throw new ApplicationContextException(
    "loginContextName must be set on " + getClass());
    }

    // int n = 1;
    //
    // while (Security.getProperty("login.config.url." + n) != null) {
    // n++;
    // }
    //
    // Security.setProperty("login.config.url." + n,
    // loginConfig.getURL().toString());
    System.setProperty("java.security.auth.login.confi g","="+loginConfig.getURL().toString());

    }
    ---------------

    as sun jaas tutorial, to run the sample application, must specify -D option
    as below:
    java -Djava.security.auth.login.config==sample_jaas.conf ig sample.SampleAcn

    and I checked the java tool docs , found that -D option:
    -Dproperty=value
    Set a system property value. If value is a string that contains spaces, you must enclose the string in double quotes:

    that is why I tried to add the line of code to the end of afterPropertiesSet() method

    and as a tutorial from ibm devloperworks told "
    the double equals sign (==) indicates that the system default login configuration and policy files should not be added to the ones we've listed here. A single equals sign (=) would indicate the file should be concatenated with the system default.
    "
    that is why I add a "=" before the url

    and I check the sun implemtation of javax.security.auth.login.Configuration
    the com.sun.security.auth.login.ConfigFile source code

    in init() method
    the value of property "java.security.auth.login.config" can start with "="


    and just now,I tried the two ways in a standalone app
    both
    System.setProperty("java.security.auth.login.confi g","=file:E:/test/java/clear/sample_jaas.config");
    and
    Security.setProperty("login.config.url.1","file:E:/test/java/clear/sample_jaas.config");
    work

    and I tried with both sun and ibm jre

    this make me quite confused, why when I tried in websphere environment, "System.setProperty" works and "Security.setProperty" fails

    Leave a comment:


  • RayKrueger
    replied
    You're setting the property java.security.auth.login.config to a url that starts with an = sign. That is invalid as far as I know.

    When Jaas gets configured it looks for the "java.security.auth.login.config" system property, which you've set to an invalid url. Then, it looks for any login.config.url.X properties having been set as Security properties.

    I think the loop of code that looks for the first available login.config.url.X value to be null and sets it is probably working, and the "java.security.auth.login.config" property you've set is being ignored by Jaas because it's invalid.

    Since you're using you're own implementation of the JaasAuthenticationProvider would you mind posting youre afterPropertiesSet method? I am looking at reworking that code anyway now, because the loop thing is kinda lame...

    -Ray

    Leave a comment:


  • kakalot
    replied
    /** Login Configuration for the JAAS Application **/

    NamePassword {
    com.genersoft.platform.security.aa.authentication. jaas.login.DaoLoginModule required debug=true;
    };


    that's all , I just imitate the sample configuration file from sun JAAS Tutorials

    Leave a comment:


  • RayKrueger
    replied
    Would it be possible to see the contents of your jaas.conf file please, mainly your NamePassword {} configuration please?

    Leave a comment:

Working...
X