DefaultLoginModule and trust_credentials_attribute

[Yusuf Aaji <yu...@gmail.com>]

Hi,

I am trying to configure jackrabbit with ldap server and I need to use the
acl based security.

After some research, I came to a conclusion that the
trust_credentials_attribute parameter in the DefaultLoginModule is the thing
that will make me achive the integration.

I will handle the ldap login in my application and on successful login i
will login to the jackrabbit rep, but I don't want to maintain the user
passwords in jackrabbit so I need to allow login what ever the password is.
I think this is the purpose of trust_credentials_attribute

so I configured my repo like this:

    <Security appName="jackrabbit">

        <SecurityManager
class="org.apache.jackrabbit.core.DefaultSecurityManager"
workspaceName="wcm" />
        <AccessManager
class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
        <LoginModule
class="org.apache.jackrabbit.core.security.authentication.DefaultLoginModule"
>
        <param name="anonymousId" value="anonymous"/>
        <param name="adminId" value="admin"/>
        <param name="trust_credentials_attribute" value="true"/>
        </LoginModule>

    </Security>

Now when I try to login with admin and a password different from the one
saved by jackrabbit I get login failed exception.

any ideas?!

BR,
Yusuf

Re: DefaultLoginModule and trust_credentials_attribute

[ttemprano <tt...@Toyota.com.ve>]

I'm very interested in this subject as I will be building a web app that log
users in with ldap (Windows AD)...

Any info on how to make this possible will be greatly appreciated.
-- 
View this message in context: http://jackrabbit.510166.n4.nabble.com/DefaultLoginModule-and-trust-credentials-attribute-tp3237948p3238050.html
Sent from the Jackrabbit - Users mailing list archive at Nabble.com.

Re: DefaultLoginModule and trust_credentials_attribute

[Angela Schreiber <an...@adobe.com>]

hi yusuf

> I am trying to configure jackrabbit with ldap server and I need to use the
> acl based security.
>
> After some research, I came to a conclusion that the
> trust_credentials_attribute parameter in the DefaultLoginModule is the thing
> that will make me achive the integration.
>
> I will handle the ldap login in my application and on successful login i
> will login to the jackrabbit rep, but I don't want to maintain the user
> passwords in jackrabbit so I need to allow login what ever the password is.
> I think this is the purpose of trust_credentials_attribute

as far as i know the 'trust_credentials_attribute' parameter of the
login module is just the configuration option to turn on the 
pre-authenticated-login functionality (by default this is disabled).

this doesn't mean that having the config option authentication
against the repository is omitted altogether but rather that
in this case the test for pre-authenticated subjects is evaluated.

see AbstractLoginModule#isPreAuthenticated for the very details.
the method documentation states:

      * Returns <code>true</code> if the credentials should be
      * considered as pre-authenticated and a password check is
      * not required.
      * This base class implementation returns <code>true</code> if the
      * <code>creds</code> object is a SimpleCredentials instance and the
      * configured {@link #getPreAuthAttributeName() trusted
      * credentials property} is set to a non-<code>null</code> value
      * in the credentials attributes. [...]

and of course you are free to do something different in your custom
extension from the AbstractLoginModule.

hope that helps
angela