It's been quite a while that I've been stuck with this. I've written my own login module XtrLdapLoginModule, which implements javax.security.auth.spi.LoginModule to authenticate users against three credentials, viz. username, password and account. I couldn't use the LdapExtLoginModule because it wouldn't help me authenticate against a particular account. So this login module communicates with the LDAP server and authenticates and authorizes the user.
I have defined a policy in login-config.xml which mentions the above login module along with the ClientLogin module of JBoss (as per my knowledge, ClientLogin is required to propagate credentials into the EJB tier from the web tier, and it worked pretty well with other LoginModules). And I use the org.jboss.security.client.SecurityClient to do the login from the servlet.
I have defined my own CredentialsCallbackHandler which handles UserNameCallback, PasswordCallback and TextInputCallback (to capture the account name from the user).
All these things work fine. The Subject I receive in the servlet has the required roles as well. But when I try to access any secured method from my stateless bean which has role-based access, my login module is invoked once again and tries to re-authenticate! That's one issue, and secondly, the second time it throws UnsupportedCallbackException which, I reckon, is thrown when the handler tries to handle the TextInputCallback.
The re-authentication does not take place if I use JBoss's login modules (e.g. LdapExtLoginModule). When I checked the server.log, I noticed that when I'm using my own custom module, the log shows
2010-10-01 18:04:19,743 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.eazypractice] (http-127.0.0.1-8080-1) Begin isValid, principal:admin, cache info: null
2010-10-01 18:04:19,743 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.eazypractice] (http-127.0.0.1-8080-1) defaultLogin, principal=admin
While, if I use LdapExtLoginModule, the entry is
2010-09-29 19:05:47,243 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.eazypractice] (http-127.0.0.1-8080-1) Begin isValid, principal:admin, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@12cc4c[Subject(4801549).principals=org.jboss.security.SimplePrincipal@10293758(admin)org.jboss.security.SimpleGroup@32111280(Roles(members:Admin)),credential.class=[C@18396898,expirationTime=1285768211655]
2010-09-29 19:05:47,243 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.eazypractice] (http-127.0.0.1-8080-1) Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@12cc4c[Subject(4801549).principals=org.jboss.security.SimplePrincipal@10293758(admin)org.jboss.security.SimpleGroup@32111280(Roles(members:Admin)),credential.class=[C@18396898,expirationTime=1285768211655];credential.class=[C@18396898
2010-09-29 19:05:47,243 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.eazypractice] (http-127.0.0.1-8080-1) End validateCache, isValid=true
2010-09-29 19:05:47,243 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.eazypractice] (http-127.0.0.1-8080-1) End isValid, true
2010-09-29 19:05:47,244 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-1) [Success]Source=org.jboss.security.javaee.EJBAuthenticationHelper;principal=admin;method=securedMethod;
2010-09-29 19:05:47,245 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
2010-09-29 19:05:47,245 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] (http-127.0.0.1-8080-1) method=public java.lang.String xtremum.health.api.bean.AccountBean.securedMethod(), interface=Local, requiredRoles=Roles(Admin,)
2010-09-29 19:05:47,246 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-1) [Success]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@170a25e}:method=public java.lang.String xtremum.health.api.bean.AccountBean.securedMethod():ejbMethodInterface=Local:ejbName=AccountBean:ejbPrincipal=admin:MethodRoles=Roles(Admin,):securityRoleReferences=null:callerSubject=Subject:
Principal: admin
Principal: Roles(members:Admin)
Hence the EJB tier happily accepts the user and allows access to the method.
What am I doing wrong? Is it normal to re-authenticate the user before accessing EJB tier methods? And if it is, then how do I go about the UnsupportedCallbackException? [Sorry if that was too descriptive! I tried my best to keep it short! :) ]
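As an added example (not the poster's code), here is a minimal three-credential LoginModule plus CallbackHandler in the shape the question describes: the module requests the TextInputCallback in its own handle() call and turns an UnsupportedCallbackException from a handler that lacks it into a LoginException naming the handler and callback, so the login fails closed with an attributable message instead of a raw exception. The class names and the in-memory directory are hypothetical stand-ins; a real module would verify against LDAP.

```java
import java.io.IOException;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
/** Handler for the three credentials: username, password and account name. */
class ThreeCredentialHandler implements CallbackHandler {
    private final String user, account; private final char[] password;
    ThreeCredentialHandler(String user, char[] password, String account) {
        this.user = user; this.password = password; this.account = account;
    }
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
            else if (cb instanceof TextInputCallback) ((TextInputCallback) cb).setText(account);
            else throw new UnsupportedCallbackException(cb, cb.getClass().getName());
        }
    }
}

/** Hypothetical three-credential module; the LDAP lookup is replaced by a constructed table. */
public class ThreeCredentialLoginModule implements LoginModule {
    private static final Map<String, char[]> DIRECTORY =   // constructed: "user@account" -> password
            Collections.singletonMap("admin@eazypractice", "s3cret".toCharArray());
    private CallbackHandler handler; private boolean succeeded;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { handler = h; }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        TextInputCallback ac = new TextInputCallback("account: ");
        try {
            handler.handle(new Callback[] { nc, pc });   // name/password: supported by the usual handlers
            handler.handle(new Callback[] { ac });       // account asked separately, so a refusal is attributable
        } catch (UnsupportedCallbackException e) {       // fail closed, naming the handler and the callback
            throw new LoginException(handler.getClass().getName() + " cannot supply "
                    + e.getCallback().getClass().getSimpleName() + "; account is mandatory");
        } catch (IOException e) { throw new LoginException(e.getMessage()); }
        char[] pw = pc.getPassword(); pc.clearPassword();
        char[] expected = DIRECTORY.get(nc.getName() + "@" + ac.getText());
        succeeded = pw != null && expected != null && Arrays.equals(pw, expected);
        if (pw != null) Arrays.fill(pw, '\0');            // do not keep the clear-text password around
        if (!succeeded) throw new FailedLoginException("bad username, password or account");
        return true;
    }
    public boolean commit() { return succeeded; }
    public boolean abort() { succeeded = false; return true; }
    public boolean logout() { succeeded = false; return true; }
}
```

Running login() with a handler that only answers NameCallback and PasswordCallback makes the resulting LoginException state exactly which handler refused the TextInputCallback, which is the first thing to check in a trace like the one above.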