users@glassfish.java.net

How to combine other login modules with the LDAPLoginModule in Glassfish 3.1

From: <forums_at_java.net>
Date: Fri, 5 Aug 2011 09:53:28 -0500 (CDT)

I protected one of my EJBs (rich client/Swing client-server environment)
with a custom login module by specifying an as-context in the
glassfish-ejb-jar.xml.

On the server side I created (in domain.xml) a realm which points to the proper
login module (and custom Realm extending AppservRealm) specified in the
login.conf of my domain by the jaas-context property.

In login.conf I have something like:

customRealm { com.company.MyCustomLoginModule required; };

This all works fine, but now I want to add the LDAP login module
(com.sun.enterprise.security.auth.login.LDAPLoginModule) as an alternative
login module next to my custom module. Users should be able to get
authenticated either by my custom module or the LDAP login module; only one
of those modules is required, not both. So I changed my login.conf to

customRealm { com.company.MyCustomLoginModule sufficient;
com.sun.enterprise.security.auth.login.LDAPLoginModule sufficient; };

I also added all the required properties for the LDAP module in domain.xml
which now looks like:

....
<auth-realm name="MyCustomRealm" classname="com.company.MyCustomRealm">
  <property name="jaas-context" value="customRealm"></property>
  <property name="directory" value="ldap://myldaphostname:3268"></property>
  ....
</auth-realm>

However, this doesn't work. When looking at the LDAP login module's
implementation (see references below) it seems that this module heavily
depends on its own realm class (the actual authentication is performed in the
realm class and not in the login module class). The LDAP login module just
doesn't work when used with another realm class.

This problem can be easily solved by changing the auth-realm tag in
domain.xml to:

<auth-realm name="MyCustomRealm"
classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">

Now everything works as expected (since my custom module doesn't require its
own realm class).

Although I got this working, this doesn't seem correct to me at all.
You can only specify one realm class when protecting an EJB in your
domain.xml. If every login module were implemented like the LDAP login module
and required its own realm class to work properly, you wouldn't be able to
combine multiple login modules as I did, since only one module would find its
realm class and all the others would fail because their realm class wouldn't be
present.

So my question is: did I get this all wrong and achieve (configure) my goal in
the wrong way, or is the LDAP login module indeed incorrectly implemented, or at
least limiting our options?

*References:*
LDAPRealm.java:
http://java.net/projects/glassfish/sources/svn/content/tags/3.1.1/security/core/src/main/java/com/sun/enterprise/security/auth/realm/ldap/LDAPRealm.java?rev=48597
LDAPLoginModule:
http://java.net/projects/glassfish/sources/svn/content/tags/3.1.1/security/core/src/main/java/com/sun/enterprise/security/auth/login/LDAPLoginModule.java?rev=48597

--
[Message sent by forum member 'snelders']
View Post: http://forums.java.net/node/829818
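Added example (not part of the original post, and not GlassFish or LDAPLoginModule code): a stand-alone Java program that reproduces the JAAS stacking the post relies on, two login modules both flagged "sufficient", using plain JDK JAAS classes only. It shows the security-relevant behaviour of that flag: the first module that succeeds ends the walk through the stack, a failing module is skipped and the next one is tried, and only when every module fails does LoginContext.login() throw. The module class FixedUserModule and the constructed credentials alice/a-secret and bob/b-secret are assumptions for the demo; the example models standard JAAS semantics only and says nothing about the realm-class coupling inside GlassFish's LDAPLoginModule that the post describes.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Demo of JAAS control-flag stacking (added example, not GlassFish code).
public class SufficientStackDemo {

    // Stand-in LoginModule: accepts exactly one constructed user/password pair
    // passed in via the module options (assumed names: "user", "password").
    public static class FixedUserModule implements LoginModule {
        private CallbackHandler handler;
        private String expectedUser;
        private String expectedPass;
        private boolean succeeded;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.handler = handler;
            this.expectedUser = (String) options.get("user");
            this.expectedPass = (String) options.get("password");
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (Exception e) {
                throw new LoginException("callback handling failed: " + e);
            }
            char[] given = pc.getPassword();
            succeeded = expectedUser.equals(nc.getName())
                     && given != null && expectedPass.equals(new String(given));
            pc.clearPassword();
            // Throwing here is how a module reports failure; with flag "sufficient"
            // the LoginContext then moves on to the next module in the stack.
            if (!succeeded) throw new FailedLoginException("rejected by module for " + expectedUser);
            return true;
        }
        public boolean commit() { return succeeded; }
        public boolean abort()  { succeeded = false; return true; }
        public boolean logout() { succeeded = false; return true; }
    }

    // Programmatic equivalent of the post's login.conf entry:
    //   customRealm { ModuleA sufficient; ModuleB sufficient; };
    static Configuration twoSufficientModules() {
        Map<String, String> optsA = new HashMap<>();
        optsA.put("user", "alice"); optsA.put("password", "a-secret");   // constructed credentials
        Map<String, String> optsB = new HashMap<>();
        optsB.put("user", "bob");   optsB.put("password", "b-secret");   // constructed credentials
        String cls = FixedUserModule.class.getName();
        AppConfigurationEntry a = new AppConfigurationEntry(cls,
                AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT, optsA);
        AppConfigurationEntry b = new AppConfigurationEntry(cls,
                AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT, optsB);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "customRealm".equals(name) ? new AppConfigurationEntry[] { a, b } : null;
            }
        };
    }

    // Supplies the caller's credentials to whichever module asks for them.
    static CallbackHandler credentials(String user, String pass) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    // true when the stack authenticates the pair, false when LoginContext.login() throws.
    static boolean authenticates(String user, String pass) {
        try {
            new LoginContext("customRealm", new Subject(), credentials(user, pass),
                             twoSufficientModules()).login();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("alice (first module succeeds, second never runs): " + authenticates("alice", "a-secret"));
        System.out.println("bob   (first module fails, second succeeds):    " + authenticates("bob", "b-secret"));
        System.out.println("mallory (both modules fail -> LoginException):   " + authenticates("mallory", "guess"));
    }
}
```

Compile and run with `javac SufficientStackDemo.java && java SufficientStackDemo`. The one thing to keep in mind when reading the post's login.conf against this: once a "sufficient" module succeeds, no later module in the stack is consulted, so in a file-backed configuration the order of the two entries decides which backend answers first for a user known to both.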