Posted to dev@geronimo.apache.org by David Jencks <da...@yahoo.com> on 2009/08/02 01:31:17 UTC

Login module question.... advice needed

I found another aspect of LoginModules to get confused about, see https://issues.apache.org/jira/browse/GERONIMO-4781.

What should a login module login method do if the callback handler doesn't recognize its callbacks and throws an UnsupportedCallbackException?

A. return false, on the grounds that not enough info was obtained to successfully authenticate, so the result of this login module should be ignored for determining if login was successful. Since we didn't get enough information to try to authenticate, we can't claim authentication failed.

B. throw a LoginException, because authentication failed.

Currently we implement B.

This is currently a possible issue because (see https://issues.apache.org/jira/browse/GERONIMO-4779) client cert auth in jetty uses name and password callbacks but in tomcat it uses a ClientCert callback. To construct a security realm that would work with either one you can use a CertificateChainLoginModule (for tomcat) and a PropertiesFileNoPasswordLoginModule (for jetty). With policy A you could use any flag but with policy B you could not use REQUIRED or REQUISITE.

I'm confused.  Thoughts?

thanks
david jencks


Re: Login module question.... advice needed

Posted by Jack Cai <gr...@gmail.com>.
By JAAS's design there is only one CallbackHandler in one LoginContext, so it's better to write a CallbackHandler that can handle both Callbacks here.

I wrote a small test case to test the RI's behavior. It also implements B.

-Jack

On Sun, Aug 2, 2009 at 7:31 AM, David Jencks <da...@yahoo.com> wrote:

> I found another aspect of LoginModules to get confused about, see
> https://issues.apache.org/jira/browse/GERONIMO-4781..
>
> What should a login module login method do if the callback handler doesn't
> recognize its callbacks and throws an UnsupportedCallbackException?
>
> A.  return false, on the grounds that not enough info was obtained to
> successfully authenticate, so the result of this login module should be
> ignored for determining if login was successful.  Since we didn't get enough
> information to try to authenticate, we can't claim authentication failed.
>
> B. throw a LoginException, because authentication failed.
>
> Currently we implement B.
>
> This is currently a possible issue because (see
> https://issues.apache.org/jira/browse/GERONIMO-4779) client cert auth in
> jetty uses name and password callbacks but in tomcat it uses a ClientCert
> callback.  To construct a security realm that would work with either one you
> can use a CertificateChainLoginModule (for tomcat) and a
> PropertiesFileNoPasswordLoginModule (for jetty).  With policy A you could
> use any flag but with policy B you could not use REQUIRED or REQUISITE.
>
> I'm confused.  Thoughts?
>
> thanks
> david jencks
>
>
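As an added example (not code from this thread, from Geronimo, or from the JAAS RI), a minimal JAAS LoginModule implementing policy A from David's post: when the CallbackHandler throws UnsupportedCallbackException, login() returns false so the LoginContext ignores the module instead of recording a failure, which is what keeps REQUIRED/REQUISITE usable; policy B is shown in a comment at the same spot. The class name, prompt strings and the single-entry credential map are constructed for the example, and Map.of needs Java 9 or later.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class PolicyALoginModule implements LoginModule {
    // Constructed sample credential store; a real module would consult its realm.
    private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray());
    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean loginSucceeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, pwCb });
        } catch (UnsupportedCallbackException e) {
            // The handler (e.g. one carrying only a client certificate) cannot supply these
            // callbacks, so nothing was authenticated. Returning false tells the LoginContext
            // to ignore this module instead of recording a failure, so REQUIRED/REQUISITE
            // stay usable. Policy B would instead: throw new LoginException(e.getMessage());
            return false;
        } catch (IOException e) {
            throw new LoginException("callback I/O error: " + e.getMessage());
        }
        char[] given = pwCb.getPassword();
        pwCb.clearPassword();
        char[] expected = USERS.get(nameCb.getName());
        boolean ok = given != null && expected != null && Arrays.equals(given, expected);
        if (given != null) Arrays.fill(given, '\0');   // do not keep the secret around
        if (!ok) throw new FailedLoginException("bad username or password");
        user = nameCb.getName();
        return loginSucceeded = true;
    }

    public boolean commit() {                          // an ignored module adds nothing
        if (!loginSucceeded) return false;
        subject.getPrincipals().add(() -> user);       // Principal is a functional interface
        return true;
    }
    public boolean abort() { loginSucceeded = false; user = null; return true; }
    public boolean logout() { subject.getPrincipals().removeIf(p -> user != null && user.equals(p.getName())); return abort(); }
}
```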