Beruflich Dokumente
Kultur Dokumente
This tutorial describes how a developer can write a custom JAASTM LoginModule for using an LDAP authentication data store along with a Java TM 2 Platform, Enterprise Edition (J2EETM) application. The tutorial includes a sample implementation of a LDAP based LoginModule which is downloadable as jaastutorial.zip. The archive contains: 1. jaastutorial.jar 2. jaasclient.jar 3. jaastutorial.bat 4. jaastutorial.sh 5. login.cfg The following products were used in creating this tutorial: 1. Pramati Server 3.0 2. Pramati Studio 3.0 3. OpenLDAP 2.0.18 The following specifications apply to this tutorial: 1. Java Authentication and Authorization Service TM 1.0 2. Java TM 2 Platform, Enterprise Edition 1.3 3. Lightweight Directory Access Protocol 3.0
W hy JAAS in J2EE J2EE m ode l: role s, use rs and JAAS W riting the JAAS se curity m odule Ste p 1: W riting the LoginModule initialize () m e thod login() m e thod com m it() m e thod abort() m e thod logout() m e thod Ex ce ptions thrown by LoginModule m e thods Ste p 2: W riting the C allBack Handle r Ste p 3: C onfiguring the J2EE application Ste p 4: Pack aging the LoginModule along with application Ste p 5: Inte grating the LoginModule with the J2EE se rve r Sam ple LDAP-base d LoginModule Installing and configuring the O pe nLDAP Se rve r LDAP param e te rs for LoginModule and Use r Manage r C onfiguring LoginModule with Pram ati Se rve r C onfiguring the Use r Manage r C re ating use rs and role s from the Use r Manage r Se tting the clie nt classpath R unning the sam ple Sum m ary
One of the limitations of J2EE Version 1.2 platform was it did not provide application developers with a standard route to integrating the application server realm with existing or custom security infrastructures. J2EE Version 1.3 now solves that with the inclusion of Java Authentication and Authorization Service (JAAS) framework. J2EE application servers that implement JAAS provide enterprise application developers with the standard Login Module API for tapping custom or legacy security systems from their applications. While application developers write to the LoginModule API (specifically, LoginC ontext API), the application server implements the LoginModule interface. The standards-based LoginModule interface gives J2EE developers the freedom to tap a variety of information sources that use Java Database C onnectivity, the lightweight directory access protocol (LDAP) or Shared File Systems to store authentication data - without requiring them to modify the application code. Indeed, there are increasing number of scenarios where J2EE application developers wish to tap custom authentication repositories from their applications. They would do this by writing a Login Module, packaging it along with their application and distributing to target J2EE application servers in a prescribed way. Read more on the limitations in the J2EE 1.2 Security Model.
How LoginModule he lps application role s and groups m ap to authe ntication data store d in a custom re pository such as LDAP.
www.pramati.com/docstore/1270002/index.htm
2/8
(L o g i n C o n t e x t API) that enables client to pass authentication data to the server the server and application
C a l l B a c k H a n d l e r interface
3. C onfiguring the
L o g i n M o d u l e and C a l l B a c k H a n d l e r with
4. Packaging the application along with module classes 5. Integrating the LoginModule with the application server Read more on Standalone JAAS versus JAAS in the J2EE Model.
demonstrate how to test the LDAP LoginModule sample in a typical J2EE application server environment. This is how the LoginModule implementation class is defined:
p u b l i cc l a s sL D A P L o g i n M o d u l ei m p l e m e n t sL o g i n M o d u l e
The standard JAAS packages required by this class are imported as shown here:
i m p o r tj a v a x . s e c u r i t y . * ;
Standards methods in the LoginModule that must be implemented are: 1. 2. 3. 4. 5.
i n i t i a l i z e ( ) l o g i n ( ) c o m m i t ( ) a b o r t ( ) l o g o u t ( )
initialize()
The initialize method does the following: 1. Sets configurations required by the LoginModule 2. C ollects login information that is encapsulated in the C allBackHandler 3. Initializes and instantiates all configuration parameters for this instance of the LoginModule The client instantiates the LoginC ontext object and passes a C allBackHandler instance with the user name and password. When the LoginC ontext object is instantiated, the initialize() method of the LoginModule is triggered.
login()
This method returns a boolean variable, which is true if the authentication information provided is valid. The login method performs the following tasks: 1. Fetches the login information 2. Authenticates the user The login information is fetched using the C allBackHandler. The code that does this is shown here:
tries to connect to the server using the login information that is fetched. If the connection is
established, the method returns the value true. The following code snippet shows this:
b o o l e a nv e r i f i c a t i o n = f a l s e ; t r y { p r o p s . p u t ( C o n t e x t . S E C U R I T Y _ P R I N C I P A L , c b U s e r N a m e ) ; p r o p s . p u t ( C o n t e x t . S E C U R I T Y _ C R E D E N T I A L S , c b P a s s w o r d ) ; c t x=n e wI n i t i a l D i r C o n t e x t ( p r o p s ) ; v e r i f i c a t i o n = t r u e ; } r e t u r nv e r i f i c a t i o n ;
This code changes with the actual type of security framework for which the LoginModule is written.
commit() method
This method sets the subject in the session to the username that is validated by the the user is not validated, the
c o m m i t method l o g i n method.
It also
populates the subject with roles specified in the LDAP server (in this tutorial) for that user, and returns true. If returns false. The following code snippet shows this:
i f ( v e r i f i c a t i o n ) { s u b j e c t . g e t P r i n c i p a l s ( ) . a d d ( u s e r N a m e ) ; s u b j e c t . g e t P r i n c i p a l s ( ) . a d d ( r o l e ) ; r e t u r nt r u e ; } e l s er e t u r nf a l s e ; abort() method
This method is used to exit the LoginModule in case of runtime exceptions and is usually triggered by the application server. This method is invoked after the abort() method of LoginC ontext. The application developer must not directly call the abort method of the LoginC ontext interface.
logout() method
This method clears the principal settings of the subject in the session. It removes the privilege settings associated with the roles of the subject. The following code snippet shows this:
According to the JAAS specifications, all LoginModule methods should only throw a LoginException. Any other exception during LoginModule execution should be caught and a LoginException thrown against it. The following code snippet shows how this can be done:
s t a t i cc l a s sM y C a l l b a c k H a n d l e ri m p l e m e n t sC a l l b a c k H a n d l e r { p r i v a t eS t r i n gu s e r n a m e ; p r i v a t eS t r i n gp a s s w o r d ;
The handle() method sets the value of the username and password attributes, passed by the client application, in the LoginModule's C allBackHandler. The following code snippet shows this:
www.pramati.com/docstore/1270002/index.htm
5/8
For this reason, there must be no code-level dependencies in the LoginModule on the J2EE application.
Step 5: Integrating the Login Module with the J2EE Application Server
The deployment process for a LoginModule is unlike J2EE applications and involves configuring the target application server. A J2EE application server organizes its security environment into realms, each of which maps to one or more login modules, and has one or more users and roles defined on it. This differs from application realms, which are associated with security permissions for the application and do not assume the existence of any LoginModule. Integrating a LoginModule with the application server involves the following steps: 1. C onfiguring the server with a realm that uses a specific LoginModule for security authentication. 2. Mapping the application realm and roles to the realm and roles defined by the LoginModule.
the name
m y _ c o m p a n y . r o o t p w as m y _ p a s s w o r d . s l a p d . c o n f file:
3. Disable the schema checks on the LDAP server by adding the following line to the
s c h e m a c h e c ko f f
4. After configuring the LDAP Server with the directory structure, start the server as instructed in the Quickstart Guide.
www.pramati.com/docstore/1270002/index.htm
LDAPUse rSupe rC onte x t For e x am ple , dc=m y_com pany, dc=com LDAPR ole sKe y LDAPSupe rUse rDN sn For e x am ple , cn=m anage r,dc=m y_com pany,dc=com . This re fe rs to the distinguishing nam e of the LDAP supe r use r and is se t by the LDAP adm inistrator.
The LDAP supe r use r password to the se rve r. This is ne e de d LDAPSupe rUse rPassword to allow addition and re m oval of use rs by the LDAP Use r Manage r.
s e t u p . b a t .
s e t u p . b a t from
3. Start the Server and then start the C onsole. 4. Select the Security node in the tree panel on the C onsole and select '+' for adding an LDAP realm. 5. In the View Panel, choose an appropriate server realm name, say, ldap. 6. Add the path to the LoginModule class as com.pramati.security.loginmodules.ldap.LDAPLoginModule. 7. Specify the
F l a g as R e q u i r e d .
8. The Init options require multiple name-value pairs and these are listed as LDAP parameters in the section above.
2. The User Manager needs the same name-value pairs as the LoginModule in the Init Options. After configuring the LoginModule and the UserManager for the LDAP realm, click on Add button to register the LDAP realm with the application server. Ensure that the jaastutorial.jar package is present in the server classpath, before starting the server.
a sample Java client that connects to the LDAP server through Pramati Server. The
client classpath is modified to point to sample classes and files, as well as the server classes required to run the Java client. The
C l i e n t L o g i n S a m p l e and
j a a s c l i e n t . j a r .
classpath. The client requires the location of the Pramati Server and the realm to log in to. This information is stored in a file, login.cfg, which is packaged along with this tutorial. This file must be placed in the client classpath. Edit the
l o g i n . c f g file
c o m . p r a m a t i . r e a l m = " r e a l m : / / 1 2 7 . 0 . 0 . 1 : 9 1 9 1 / l d a p "
The client also requires the following application server packages in its classpath:
j a a s . j a r
www.pramati.com/docstore/1270002/index.htm
7/8
j t a . j a r p r a m a t i _ c l i e n t . j a r s e c u r i t y _ i n t e r o p . j a r
j a a s t u t o r i a l . b a t to
j a a s t u t o r i a l . b a t from
the
by executing:
Summary
The tutorial demonstrated the simplicity with which JAAS provides standards based pluggable security. We saw how a custom LoginModule is written and integrated with a typical standards compliant J2EE application server.
C opyright 2001-2002 Pram ati Te chnologie s. All of the m ate rial in this tutorial is copyright prote cte d and m ay not be publishe d in othe r work s without pe rm ission from Pram ati Te chnologie s. Java and all Java-base d m ark s are trade m ark s or re giste re d trade m ark s of Sun Microsyste m s, Inc. in the Unite d State s and othe r countrie s. All othe r trade nam e s and trade m ark s are the prope rty of the ir re spe ctive owne rs.
www.pramati.com/docstore/1270002/index.htm
8/8