
Setting Principal In Custom Login Module

7 replies [Last post]
unistd_h
Offline
Joined: 2010-07-04

Hi All,

I'm attempting to write a custom login module which extends javax.security.auth.spi.LoginModule

My module currently authenticates the user successfully, but the commit method which sets the principal does not appear to be working. To keep it simple, the method has the following body:

Principal p = new MyCustomPrincipal("testuser");
subject.getPrincipals().add(p);
return true;

Commit is definitely being called, but my calls to request.getUserPrincipal() or request.getRemoteUser(), from a servlet are returning null.

I've also tried setting the principal within my server auth module (ServerAuthModule), but I get the same result.

Is there some other step or requirement I'm missing to set a custom principal when using a custom login module for glassfish (2.1.1)?

Thanks

mancinis
Offline
Joined: 2004-10-22

Hi,

I'm having a similar problem trying to write a Form based SAM module.
When I try to access a protected resource I'm redirected to the login page, and after authenticating correctly I can access the resource. The problem arises if I try to access another protected resource (or the first one again), because I'm redirected to the login page again.
Surely my SAM module is not handling the authentication process correctly. Can you provide a sample or a link to detailed information?

Thanks

Stefano

jszczepankiewicz
Offline
Joined: 2008-01-17

Maybe you should read the info in:

http://forums.java.net/jive/message.jspa?messageID=386382

The trick is to save/restore the principal information between subsequent requests; one of the options suggested is:

"In Glassfish, a SAM may instruct the container to register the authentication state (with the session machinery), by adding the following flag to the MessageInfo map.

"com.sun.web.RealmAdapter.register""

mancinis
Offline
Joined: 2004-10-22

Hi,

I've added the flag "com.sun.web.RealmAdapter.register" to the MessageInfo map,
but it didn't work; maybe something else is missing.

Anyway, now I'm saving and restoring the Subject information between subsequent requests in the SAM module, and it's working fine.

Thanks for the suggestion

nasradu8
Offline
Joined: 2009-09-03
unistd_h
Offline
Joined: 2010-07-04

Hello nasradu8, thanks for the response.

I must say, I came across your blog post earlier today and it was very helpful, and I'd like to say thanks. I actually plugged your implementation into my container and was able to get it working fairly easily. The issue I do have, however, is casting the principal that I get out of the request to my custom principal. It appears that the custom principal set in the LoginModule gets turned into a com.sun.web.security.WebPrincipal somewhere along the way, which will not allow me to cast back to my custom principal.

This brings me to two questions:

1) I am implementing form based authentication compared to your basic authentication example. Either there is something wrong with my implementation (most likely) or there is something different/unique between a custom authentication module for form based authentication and basic authentication. If there should be no differences or obstacles between the two, then I should be able to get my implementation working by following your code example. Do you know of any differences between the two that would be causing me issues or should I just look more at the code?

2) Is there a way to replace the com.sun.web.security.WebPrincipal or use another technique (maybe a servlet filter) that will allow me to access my custom principal from a servlet? I am trying to keep this as not tied to a specific container as possible, and not have to resort to servlet filters if possible. One possible solution I've toyed with is just storing my custom principal in the user's session and just providing documentation on how to access it. I need a few additional attributes, like organization that seem like they fit into the principal/authentication scheme best, which is why I'm trying to accomplish this at this layer.

Again, thanks for the reply and your blog entry.
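Putting the two suggestions in this thread together (the "com.sun.web.RealmAdapter.register" flag, and saving/restoring the caller in the HttpSession so that the second protected request does not bounce back to the login page), here is an added example of a form-based ServerAuthModule. It is not code from the original posts, from nasradu8's blog or from GlassFish. The OrgPrincipal class, the session attribute names, the group name "users", the credential table and the value "true" put under the flag key are all assumptions made for the example; only the key itself is the one quoted above.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Form-based JSR-196 ServerAuthModule that keeps the caller across requests via the session (example code). */
public class FormSam implements ServerAuthModule {

    /** Custom principal carrying the extra attribute (organization) the servlet wants; hypothetical class. */
    public static final class OrgPrincipal implements Principal, java.io.Serializable {
        private final String name, organization;
        public OrgPrincipal(String name, String organization) { this.name = name; this.organization = organization; }
        public String getName() { return name; }
        public String getOrganization() { return organization; }
    }

    // Hypothetical session attribute names; REGISTER_FLAG is the GlassFish key quoted in the thread (its value is an assumption).
    static final String PRINCIPAL_KEY = "example.sam.principal";
    static final String TARGET_KEY = "example.sam.target";
    static final String REGISTER_FLAG = "com.sun.web.RealmAdapter.register";

    // Constructed credential store for the example only: user -> { password, organization }.
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static { USERS.put("testuser", new String[] { "s3cret", "Example Org" }); }

    private CallbackHandler handler;

    public void initialize(MessagePolicy reqPolicy, MessagePolicy respPolicy, CallbackHandler handler, Map options) {
        this.handler = handler;
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) mi.getResponseMessage();
        HttpSession session = req.getSession(true);

        // Already logged in during this session: re-establish the caller instead of redirecting to the login page again.
        OrgPrincipal cached = (OrgPrincipal) session.getAttribute(PRINCIPAL_KEY);
        if (cached != null) {
            return establish(mi, client, cached);
        }

        // Login form submitted: check credentials, then rotate the session id before storing the principal (session fixation defence).
        if ("POST".equals(req.getMethod()) && req.getParameter("j_username") != null) {
            String user = req.getParameter("j_username");
            String[] record = USERS.get(user);
            String target = (String) session.getAttribute(TARGET_KEY);
            if (record != null && constantTimeEquals(record[0], req.getParameter("j_password"))) {
                session.invalidate();
                session = req.getSession(true);
                session.setAttribute(PRINCIPAL_KEY, new OrgPrincipal(user, record[1]));
                return redirect(resp, target != null ? target : req.getContextPath() + "/");
            }
            return redirect(resp, req.getContextPath() + "/login-error.html");
        }

        // Unauthenticated request for a protected resource: remember where the user wanted to go, then show the login page.
        session.setAttribute(TARGET_KEY, req.getRequestURI());
        return redirect(resp, req.getContextPath() + "/login.html");
    }

    /** Hand the caller and groups to the container, and ask GlassFish to register the authenticated state. */
    private AuthStatus establish(MessageInfo mi, Subject client, OrgPrincipal p) throws AuthException {
        try {
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(client, p),
                new GroupPrincipalCallback(client, new String[] { "users" }) });
        } catch (IOException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        } catch (UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
        mi.getMap().put(REGISTER_FLAG, "true");
        return AuthStatus.SUCCESS;
    }

    private static AuthStatus redirect(HttpServletResponse resp, String location) throws AuthException {
        try {
            resp.sendRedirect(resp.encodeRedirectURL(location));
        } catch (IOException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
        return AuthStatus.SEND_CONTINUE;
    }

    private static boolean constantTimeEquals(String expected, String supplied) {
        return supplied != null && MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8), supplied.getBytes(StandardCharsets.UTF_8));
    }

    /** Servlet-side accessor: the container hands back its own principal wrapper, so read the one the SAM stored. */
    public static OrgPrincipal currentPrincipal(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        return s == null ? null : (OrgPrincipal) s.getAttribute(PRINCIPAL_KEY);
    }

    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }

    public void cleanSubject(MessageInfo mi, Subject subject) {
        if (subject != null) subject.getPrincipals().clear();
    }
}
```

The session lookup at the top of validateRequest is what stops the second protected request from being redirected to the login page, which is the symptom described above; the register flag is kept as well, since one reply reports it working and another does not. Because request.getUserPrincipal() in GlassFish returns the container's WebPrincipal rather than the object passed to CallerPrincipalCallback, the servlet reads the custom principal (and its organization attribute) through currentPrincipal(request) instead of a cast.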

Kumar Jayanti

glassfish@javadesktop.org wrote:
> Hello nasradu8, thanks for the response.
>
> I must say, I came across your blog post earlier today and it was very helpful and like to say thanks. I actually plugged your implementation into my container and was able to get it working fairly easily. The issue I do have however, is casting the principal that I get out of the request to my custom principal. It appears that the custom principal set in the LoginModule gets turned into a com.sun.web.security.WebPrincipal somewhere along the way which will not allow me to cast back to my custom principal.
>
> This brings me to two questions:
>
> 1) I am implementing form based authentication compared to your basic authentication example. Either there is something wrong with my implementation (most likely) or there is something different/unique between a custom authentication module for form based authentication and basic authentication. If there should be no differences or obstacles between the two, then I should be able to get my implementation working by following your code example. Do you know of any differences between the two that would be causing me issues or should I just look more at the code?
>
>
Implementing Form based Auth with a SAM is slightly different from that
of Basic Auth. If you need a sample SAM that uses FORM based auth let us
know we can send it to you.
> 2) Is there a way to replace the com.sun.web.security.WebPrincipal or use another technique (maybe a servlet filter) that will allow me to access my custom principal from a servlet? I am trying to keep this as not tied to a specific container as possible, and not have to resort to servlet filters if possible. One possible solution I've toyed with is just storing my custom principal in the user's session and just providing documentation on how to access it. I need a few additional attributes, like organization that seem like they fit into the principal/authentication scheme best, which is why I'm trying to accomplish this at this layer.
>
>
Pluggability of the Principal Class is a planned item. See SEC-011 in
the page :
http://wiki.glassfish.java.net/Wiki.jsp?page=3.1NewSecurityFeatures

However we are not addressing it for V3.1 due to lack of resources. You
may want to continue with the custom ideas that you suggest above for now.
> Again, thanks for the reply and your blog entry.
> [Message sent by forum member 'unistd_h']
>
> http://forums.java.net/jive/thread.jspa?messageID=476813
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
For additional commands, e-mail: users-help@glassfish.dev.java.net

unistd_h
Offline
Joined: 2010-07-04

Thanks for all the help, nasradu8. I'll contact you via email regarding the form based SAM.

For the SEC-011 filing, is that link to the notes supposed to be publicly accessible?
http://wikihome.sfbay.sun.com/security/attach/V3.1%2Fwebprincipal.txt isn't found.

If so, could you post a link to these notes, I'm curious.

Thanks.