Posted to dev@geronimo.apache.org by David Jencks <da...@yahoo.com> on 2009/08/02 01:31:17 UTC
Login module question.... advice needed
I found another aspect of LoginModules to get confused about, see https://issues.apache.org/jira/browse/GERONIMO-4781.
What should a login module login method do if the callback handler
doesn't recognize its callbacks and throws an
UnsupportedCallbackException?
A. return false, on the grounds that not enough info was obtained to
successfully authenticate, so the result of this login module should
be ignored for determining if login was successful. Since we didn't
get enough information to try to authenticate, we can't claim
authentication failed.
B. throw a LoginException, because authentication failed.
Currently we implement B.
This is currently a possible issue because (see https://issues.apache.org/jira/browse/GERONIMO-4779)
client cert auth in jetty uses name and password callbacks but in
tomcat it uses a ClientCert callback. To construct a security realm
that would work with either one you can use a
CertificateChainLoginModule (for tomcat) and a
PropertiesFileNoPasswordLoginModule (for jetty). With policy A you
could use any flag but with policy B you could not use REQUIRED or
REQUISITE.
I'm confused. Thoughts?
thanks
david jencks
Re: Login module question.... advice needed
Posted by Jack Cai <gr...@gmail.com>.
By JAAS's design there is only one CallbackHandler in one LoginContext, so
it's better to write a CallbackHandler that can handle both Callbacks here.
I wrote a small test case to test the RI's behavior. It also implements B.
-Jack
On Sun, Aug 2, 2009 at 7:31 AM, David Jencks <da...@yahoo.com> wrote:
> I found another aspect of LoginModules to get confused about, see
> https://issues.apache.org/jira/browse/GERONIMO-4781..
>
> What should a login module login method do if the callback handler doesn't
> recognize its callbacks and throws an UnsupportedCallbackException?
>
> A. return false, on the grounds that not enough info was obtained to
> successfully authenticate, so the result of this login module should be
> ignored for determining if login was successful. Since we didn't get enough
> information to try to authenticate, we can't claim authentication failed.
>
> B. throw a LoginException, because authentication failed.
>
> Currently we implement B.
>
> This is currently a possible issue because (see
> https://issues.apache.org/jira/browse/GERONIMO-4779) client cert auth in
> jetty uses name and password callbacks but in tomcat it uses a ClientCert
> callback. To construct a security realm that would work with either one you
> can use a CertificateChainLoginModule (for tomcat) and a
> PropertiesFileNoPasswordLoginModule (for jetty). With policy A you could
> use any flag but with policy B you could not use REQUIRED or REQUISITE.
>
> I'm confused. Thoughts?
>
> thanks
> david jencks
>
>
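The two policies David describes, and the one-handler-per-LoginContext point Jack makes, can be run through a plain JDK LoginContext. The following is an added example written for this page; it is not code from the thread, from Geronimo, or from the JAAS RI. Everything in it is assumed for illustration: the CertificateChainCallback stand-in for Tomcat's ClientCert callback, the Jetty-style NamePasswordHandler, the module and class names, the option ignoreUnsupportedCallbacks (true selects policy A, return false; anything else policy B, throw LoginException), and the sample credentials. It goes slightly beyond the thread by wiring both modules up as REQUIRED (the flag David says policy B cannot use) and showing what each policy does to the overall login.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

public class LoginModuleDemo {
    /** Assumed stand-in for Tomcat's ClientCert callback: carries the TLS client certificate chain. */
    public static class CertificateChainCallback implements Callback {
        private X509Certificate[] chain;
        public void setChain(X509Certificate[] c) { chain = c; }
        public X509Certificate[] getChain() { return chain; }
    }
    /** Jetty-style handler: answers name and password only, so every other callback is unsupported. */
    public static class NamePasswordHandler implements CallbackHandler {
        private final String name; private final char[] password;
        public NamePasswordHandler(String name, char[] password) { this.name = name; this.password = password; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb, "unsupported callback " + cb.getClass().getName());
            }
        }
    }
    /** LoginException has no (String, Throwable) constructor, so the cause is attached by hand. */
    static LoginException fail(String message, Throwable cause) {
        LoginException e = new LoginException(message); if (cause != null) e.initCause(cause); return e;
    }
    /** Shared plumbing. Assumed option ignoreUnsupportedCallbacks=true selects policy A; anything else is policy B. */
    public abstract static class BaseModule implements LoginModule {
        protected Subject subject; protected CallbackHandler handler; protected Principal principal;
        protected boolean ignoreUnsupported;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
            subject = s; handler = h; ignoreUnsupported = "true".equals(options.get("ignoreUnsupportedCallbacks"));
        }
        /** Runs the handler; if it rejects the callback, returns false (policy A) or throws (policy B). */
        protected boolean ask(Callback cb) throws LoginException {
            try { handler.handle(new Callback[] { cb }); return true; }
            catch (UnsupportedCallbackException e) {
                if (ignoreUnsupported) return false;
                throw fail("callback handler does not support " + cb.getClass().getSimpleName(), e);
            } catch (IOException e) { throw fail("callback handler failed", e); }
        }
        public boolean commit() { if (principal == null) return false; subject.getPrincipals().add(principal); return true; }
        public boolean abort() { principal = null; return true; }
        public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); principal = null; return true; }
    }
    /** Authenticates from the client certificate chain (the Tomcat case). */
    public static class CertChainLoginModule extends BaseModule {
        public boolean login() throws LoginException {
            CertificateChainCallback cb = new CertificateChainCallback();
            if (!ask(cb)) return false;   // never asked for a certificate: this module is ignored (policy A)
            X509Certificate[] chain = cb.getChain();
            // Asked and got nothing is a genuine failure under either policy, never "ignored".
            if (chain == null || chain.length == 0) throw fail("no client certificate presented", null);
            principal = chain[0].getSubjectX500Principal();
            return true;
        }
    }
    /** Name-only module for the Jetty case: trusts the name because the container already verified the certificate. */
    public static class NameOnlyLoginModule extends BaseModule {
        public boolean login() throws LoginException {
            NameCallback cb = new NameCallback("user: ");
            if (!ask(cb)) return false;
            if (cb.getName() == null || cb.getName().isEmpty()) throw fail("empty user name", null);
            principal = new X500Principal("CN=" + cb.getName());
            return true;
        }
    }
    /** Programmatic Configuration: both modules REQUIRED, the flag the thread says policy B cannot use. */
    static Configuration config(boolean policyA) {
        final Map<String, String> opts = Collections.singletonMap("ignoreUnsupportedCallbacks", String.valueOf(policyA));
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(CertChainLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, opts),
                    new AppConfigurationEntry(NameOnlyLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }
    public static void main(String[] args) {
        // Constructed input: a Jetty-style handler that only knows the user name and password.
        CallbackHandler jetty = new NamePasswordHandler("alice", "secret".toCharArray());
        for (boolean policyA : new boolean[] { true, false }) {
            String label = policyA ? "policy A" : "policy B";
            try {
                LoginContext lc = new LoginContext("demo", new Subject(), jetty, config(policyA));
                lc.login();
                System.out.println(label + ": login succeeded, principals=" + lc.getSubject().getPrincipals());
            } catch (LoginException e) {
                System.out.println(label + ": login failed: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac LoginModuleDemo.java && java LoginModuleDemo`. Under policy A the REQUIRED certificate module returns false, the JDK LoginContext treats it as ignored, and the name-only module alone decides, so the login succeeds with CN=alice. Under policy B the same handler makes the certificate module throw, and because its flag is REQUIRED the LoginContext fails the whole login even though the name-only module succeeded, which is exactly the REQUIRED/REQUISITE restriction the thread describes. Three points a practitioner should keep in mind: the relaxed return-false path must apply only to UnsupportedCallbackException (a handler that answers the callback with no certificate is a real authentication failure, and the code treats it as one); the JDK LoginContext still rejects a login in which every module returned false, so policy A cannot manufacture a login out of nothing; and the name-only module trusts whatever name the container hands it, so it is only safe behind a container that has already authenticated the client certificate. The type-dispatch in NamePasswordHandler is also the shape of the combined handler Jack suggests: add one more branch for the certificate callback and a single handler serves both modules.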