JAAS is a framework which provides pluggable authentication and authorization module which can be plugged in any applicaiotn at any time. Most of my notes are related to implementation of jaas in jboss.
JAAS has 2 parts: authentication and authorization.
Authentication means has the user been authneticated with username and password and can now access the applicaiton.
Authorization means is the user authorized to access this resource. So, depending on the role the access to resources can be controlled.
Advantages of using JAAS:
1. Its a pluggable module. i.e. the applicaiton authentication module can be plugged in and out as and when required.
2. It is very easy to update the authorization part i.e. if tomorrow a new role is added, it can be easily plugged in.
Dis-advantages of JAAS:
1. It is sometimes quite cumbersome to handle and maintain the application authentication modules.
2. In JAAS, authentication and authorization modules are tightly coupled i.e. its is difficult (not impossible) to plug out the two and use them individually.
3. It does not provide in-page level control i.e. the links display in a page can not be controlled.
Implementation of JAAS in Jboss:
We will implement database based authentication and role based authorization.
Steps to implement JAAS based authentication and authorization:
1. Update login-config.xml to have the following entry: (login-config.xml can be found in $JBOSS_HOME/server/<deploy_dir>/conf folder)
<application-policy name="PolicyConfigurationName">
<authentication>
<login-module code="com.custom.CustomLoginModule" flag="required">
<module-option name="dsJndiName">java:/trxDB</module-option>
<module-option name="hashAlgorithm">SHA-1</module-option>
<module-option name="principalsQuery">select password from user_table where username=?</module-option>
<module-option name="rolesQuery">select role_name, 'Roles' from roles, user_table where upper(user_table.username)=upper(?)</module-option>
</login-module>
</authentication>
</application-policy>
The policy name is defined as PolicyConfigurationName.
The custom implementation of the authentication module is provided in the class CustomLoginModule.
The data-source is java:/trxDB.
The hashing for the password is SHA-1.
The principals query should take user name as the parameter and should return the password.
The roles query should return the role of the user and the user group given the username.
2. Implementation of the CustomLoginModule (this code wil nto compile since some parts are missing):
package com.custom.CustomLoginModule;
import org.jboss.security.auth.spi.DatabaseServerLoginModule;
/**
* Date: Apr 5, 2006
* Time: 9:49:05 PM
*/
public class CustomLoginModule extends DatabaseServerLoginModule /** Our this jboss class does the job for us**/{
private String hashAlgorithm;
public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
super.initialize(subject, callbackHandler, sharedState, options);
hashAlgorithm = (String) options.get("hashAlgorithm");
}
public boolean login() {
try {
return super.login(); // returns true if login succeeds
}
catch (LoginException e) {
// Login failed. Handle this and add error messages if required.
e.printStackTrace();
}
return false;
}
protected String createPasswordHash(String username, String password) {
//create the hashed string as you want it to be ...
return hashedString;
}
public boolean validatePassword(String inputPassword, String expectedPassword) {
// handle the validation as you want
}
}
3. Configuring the application to use the above configured jboss:
Update jboss-web.xml to the following (apart from the other tags which you want). The policy name used in step 1 should be used here.
jboss-web.xml
<jboss-web>
<!-- Specify the security domain for authentication/authorization and
require that the domain's cache be flushed when the session invalidates.
-->
<security-domain flushOnSessionInvalidation="true">java:/jaas/PolicyConfigurationName</security-domain>
</jboss-web>
Now the authentication module is in place.
To place the authorization module in place, its a simple web.xml change. The following tags need to be added in web.xml as shown:
<!--individual servlets can also be protected using the following -->
<security-role-ref>
<role-name>Administrator</role-name>
<role-link>Administrator</role-link>
</security-role-ref>
</servlet>
..
...
....
</error-page>
<security-constraint>
<web-resource-collection>
<web-resource-name>Sample application </web-resource-name>
<!--add as many resources you want to protect-->
<url-pattern>/jsp/*</url-pattern>
<url-pattern>/test/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Administrator</role-name>
<role-name>User</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<!--specfiy the login page i.e. the page where you want JAAS to redirect-->
<form-login-page>/login.jsp</form-login-page>
<!--specify the error page is the login fails -->
<form-error-page>/error_login.jsp</form-error-page>
</form-login-config>
</login-config>
<!--define the roles here -->
<security-role>
<role-name>Super Administrator</role-name>
</security-role>
<security-role>
<role-name>Administrator</role-name>
</security-role>
<security-role>
<role-name>User</role-name>
</security-role>
Last and the final step to configure the authentication part of JAAS:
Use the following part in your login.jsp to authenticate the user:
<form action="/context/j_security_check"> <!--this resource will be disbaled once the user is authenticated.-->
<input type="text" name="j_username" id="j_username"/>
<input type="password" name="j_password" id="j_password"/>
<input type="submit" value="Submit"/>
</form>