users@glassfish.java.net

Re: JAAS callback support in AppservPasswordLoginModule

From: <glassfish_at_javadesktop.org>
Date: Tue, 20 May 2008 11:35:54 PDT

First, let me apologize if I am coming across short. I have been working on this for a while and am extremely frustrated with the amount of time it is taking me to wrap my head around things.

> it is actually quite simple to do this but we can
> leave that for now.

Do you know of any good resources on JSR 196, basically a really good introduction that would lay a foundation that would aid in my understanding how it works. I have found a couple of documents, but they seem a little over my head or at least I am going to have to ponder on it for a while.

> please be specific as to how seam is calling the
> login module. Are we not talking about a login occurring within the
> Glassfish Appserver, in order to authenticate a caller?

From what I understand, the Seam framework reads the JAAS configuration and performs the authentication itself, bypassing the container's security mechanism to provide its own services based on the JAAS APIs.

In effect, what I was trying to do was configure the GF LdapLoginModule to authenticate against our LDAP directory. I believe that I have the authentication set up correctly, in that I can authenticate against the container. However, when Seam tries to perform the authentication it continually fails. I believe/know that this is caused by the LdapLoginModule ignoring Seam's callback handler. This failure is caused by the fact that Seam does not know anything about GF and the AppservPasswordLoginModule's reliance on the secure password credential and not the standard JAAS callback.

> before we continue, we need to work out the use
> model. so please make that as clear as possible. I
> thought you just wanted to use the seam login module.
> maybe you want to use the seam login module for
> authentication, and the ldap module for group info.
> It would definitely help if you can clarify.

> fwiw, what you write above was not exactly what I was
> recommending. Maybe the difference is due to a
> difference in what I presumed to be the use model,

Most likely not the case, but rather a lack of knowledge on my part. I am not very experienced with app server security and am trying to learn as much as I can. I would assume that what I wrote is a complete misunderstanding of what you wrote, or rather suggested.


> the key problem, imo, is that jaas does not
> differentiate principals within the subject, and we
> need a way for the login module to pass back caller
> and group principals in a form that is compatible
> with the container's representation of the caller and
> group principals.

Again, showing my ignorance, but by this I am assuming that you are referring to the fact that the user's identity principals are intermixed with roles? If this is what you are saying then I definitely agree. I would like to be able to have a login module that could keep track not only of the username, but also be able to return a GUID or workforceId (our employee id), in a manner that is distinct from the roles a user possesses.

Thanks again for the input ... I have a lot more reading to do.

By the way, do you know of any good resources on modern web application security using Java (articles, books, courses, etc.)? I would like to become proficient in this area, but currently feel a little limited.

-- Chad
[Message sent by forum member 'chadws' (chadws)]

http://forums.java.net/jive/thread.jspa?messageID=275555
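The two problems raised in this thread (a login module that only reads its credentials from the Subject's private credentials and therefore ignores a framework-supplied CallbackHandler, and a Subject in which caller and group principals are indistinguishable) can be illustrated with a small standalone JAAS LoginModule. The code below is an added example written for this page; it is not GlassFish's AppservPasswordLoginModule, LdapLoginModule, Seam's code, or anything posted in the thread. StoredPasswordCredential is a hypothetical stand-in for a container's private password credential, the two in-memory maps stand in for the LDAP directory, and CallerPrincipal and GroupPrincipal are hypothetical principal types chosen so the container side can tell the caller apart from the caller's groups.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical stand-in for a container's private password credential (assumption, not GlassFish's class).
final class StoredPasswordCredential {
    final String user; final char[] password;
    StoredPasswordCredential(String user, char[] password) { this.user = user; this.password = password.clone(); }
}

// Distinct principal types so the Subject can carry the caller identity and the group memberships separately.
abstract class NamedPrincipal implements Principal {
    private final String name;
    NamedPrincipal(String name) { this.name = Objects.requireNonNull(name); }
    public String getName() { return name; }
    public boolean equals(Object o) { return o != null && o.getClass() == getClass() && name.equals(((NamedPrincipal) o).name); }
    public int hashCode() { return getClass().hashCode() ^ name.hashCode(); }
    public String toString() { return getClass().getSimpleName() + "(" + name + ")"; }
}
final class CallerPrincipal extends NamedPrincipal { CallerPrincipal(String n) { super(n); } }
final class GroupPrincipal extends NamedPrincipal { GroupPrincipal(String n) { super(n); } }

public class DualSourceLoginModule implements LoginModule {
    // Constructed in-memory directory standing in for LDAP (sample data, not real accounts).
    private static final Map<String, char[]> PASSWORDS = Map.of("chad", "s3cret".toCharArray());
    private static final Map<String, List<String>> GROUPS = Map.of("chad", List.of("employees", "developers"));

    private Subject subject; private CallbackHandler handler;
    private String user; private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
    }

    public boolean login() throws LoginException {
        String name = null; char[] pw = null;
        // Path 1: standard JAAS callbacks, which is what a framework such as Seam supplies.
        if (handler != null) {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
                name = nc.getName(); pw = pc.getPassword(); pc.clearPassword();
            } catch (IOException | UnsupportedCallbackException e) {
                // Handler could not answer; fall through to the credential already in the Subject.
            }
        }
        // Path 2: a private credential the container placed in the Subject before calling login().
        if (name == null || pw == null) {
            for (StoredPasswordCredential c : subject.getPrivateCredentials(StoredPasswordCredential.class)) {
                name = c.user; pw = c.password; break;
            }
        }
        if (name == null || pw == null) throw new FailedLoginException("no credentials via callbacks or Subject");
        char[] expected = PASSWORDS.get(name);
        if (expected == null || !constantTimeEquals(pw, expected)) throw new FailedLoginException("bad user/password");
        Arrays.fill(pw, '\0');
        user = name; succeeded = true; return true;
    }

    // Length-independent comparison so a wrong password does not leak its matching prefix length via timing.
    static boolean constantTimeEquals(char[] a, char[] b) {
        int diff = a.length ^ b.length;
        for (int i = 0; i < Math.min(a.length, b.length); i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new CallerPrincipal(user));
        for (String g : GROUPS.getOrDefault(user, List.of())) subject.getPrincipals().add(new GroupPrincipal(g));
        return true;
    }
    public boolean abort() { user = null; succeeded = false; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return abort(); }

    public static void main(String[] args) throws LoginException {
        // Framework-style login: credentials arrive only through the CallbackHandler.
        Subject s1 = new Subject();
        DualSourceLoginModule m1 = new DualSourceLoginModule();
        m1.initialize(s1, cbs -> { for (Callback c : cbs) {
            if (c instanceof NameCallback) ((NameCallback) c).setName("chad");
            else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray()); } }, Map.of(), Map.of());
        m1.login(); m1.commit();
        System.out.println("callback path: " + s1.getPrincipals(CallerPrincipal.class) + " groups=" + s1.getPrincipals(GroupPrincipal.class));

        // Container-style login: no handler, credential pre-populated in the Subject.
        Subject s2 = new Subject();
        s2.getPrivateCredentials().add(new StoredPasswordCredential("chad", "s3cret".toCharArray()));
        DualSourceLoginModule m2 = new DualSourceLoginModule();
        m2.initialize(s2, null, Map.of(), Map.of());
        m2.login(); m2.commit();
        System.out.println("credential path: " + s2.getPrincipals(CallerPrincipal.class) + " groups=" + s2.getPrincipals(GroupPrincipal.class));
    }
}
```

Both paths end with the same Subject shape: exactly one CallerPrincipal plus zero or more GroupPrincipals, which is the kind of distinction the quoted reply says plain JAAS does not give you. A module written only for the second path behaves exactly as the thread describes: with no private credential in the Subject, a framework's callback-based login fails even when the user and password are correct.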