JAAS Authentication Overview

   PROIV Aurora Help

JAAS Authentication

PROIV uses JAAS (Java Authentication and Authorization Service) to determine whether users can log on, and which components they can use once they are logged on. JAAS is a Java security framework specifically for user-centric security; it enhances and augments Java's code-based security and gives the deployer a choice of authenticators.

You can use the following resources for more information about JAAS, or refer to the Java documentation on the internet.

PROIV Aurora provides three pluggable authenticator options:

JAAS LoginModule

The JAAS LoginModule describes the interface implemented by authentication technology providers. Different kinds of authentication technologies can be plugged in under an application. A Configuration implementation specifies the LoginModule(s) to be used with a particular login application and they can be plugged in without requiring application changes.

The Configuration specifies which LoginModules can be used for a particular application, and in what order the LoginModules are invoked. Its file path is passed to the application server, and it includes the class name of each LoginModule. You can also pass other name-value pairs (module options) in the configuration file; their values must be in quotes.

Example syntax of a login configuration is as follows:

      Application {
          ModuleClass  Flag    ModuleOptions;
          ModuleClass  Flag    ModuleOptions;
          ModuleClass  Flag    ModuleOptions;
      };

The following example is a login configuration that passes in JDBC configuration information:

// Application (appName)
Aurora {
  // Module Class                                                 // Flag
  com.northgatearinso.aurora.authentication.PGAuroraLoginModule  required
  // Options (name=value pairs; values in quotes)
  debug="true"
  dbDriver="org.postgresql.Driver"
  dbUrl="jdbc:postgresql://localhost:5532/aurora"
  dbUsername="postgres"
  dbPassword="postgres"
  dbTable="Users"
  usernameField="Username"
  passwordField="Password"
  log_level="ALL";
};

The LoginModule Flag value controls the overall behaviour as authentication proceeds down the stack. The following table outlines the valid values and their purpose:

Value Descriptions

Value        Description

Required     The LoginModule is required to succeed. Whether it succeeds or fails, authentication still continues down the LoginModule list.

Requisite    The LoginModule is required to succeed. If it succeeds, authentication continues down the LoginModule list. If it fails, control immediately returns to the application (authentication does not proceed down the LoginModule list).

Sufficient   The LoginModule is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the LoginModule list). If it fails, authentication continues down the LoginModule list.

Optional     The LoginModule is not required to succeed. Whether it succeeds or fails, authentication still continues down the LoginModule list.

In the source code of the LoginModule, the database information is used to create a connection and query the database with the username and password entered in the login form. If the passwords match, a new AuroraUserPrincipal is created and the user is logged into the system.
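As an added illustration (not PROIV's code and not the JAAS reference implementation), the following Python model walks a LoginModule stack applying the four flag rules from the table above, and also shows why module order matters when a module is flagged sufficient. The module names, the in-memory user table and the failing second module are constructed stand-ins for the JDBC lookup that PGAuroraLoginModule performs.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple
import hmac

# Flag values from the table above (the config file spells them in lower case).
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"

@dataclass
class ModuleEntry:
    name: str
    flag: str
    login: Callable[[str, str], bool]  # stand-in for LoginModule.login(): True on success

def authenticate(stack: List[ModuleEntry], username: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the stack with the Required/Requisite/Sufficient/Optional rules; return (overall, trace)."""
    trace: List[str] = []
    required_ok = True  # no Required/Requisite module has failed so far
    any_ok = False      # at least one module of any flag succeeded
    has_required = any(m.flag in (REQUIRED, REQUISITE) for m in stack)
    for m in stack:
        ok = m.login(username, password)
        trace.append(f"{m.name} [{m.flag}] -> {'ok' if ok else 'FAIL'}")
        if ok:
            any_ok = True
            # A Sufficient success returns at once, but only if every earlier Required/Requisite passed.
            if m.flag == SUFFICIENT and required_ok:
                return True, trace
        elif m.flag == REQUISITE:
            return False, trace  # control returns to the application immediately
        elif m.flag == REQUIRED:
            required_ok = False  # keep walking the list, but the overall result is already failure
    # All Required/Requisite modules must pass; with none configured, at least one module must pass.
    return (required_ok if has_required else any_ok), trace

# Constructed stand-in for PGAuroraLoginModule: the real module queries dbTable over JDBC using
# usernameField/passwordField; here an in-memory table replaces that lookup.
_USERS = {"alice": "s3cret"}

def pg_login(username: str, password: str) -> bool:
    stored = _USERS.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def always_fail(username: str, password: str) -> bool:
    return False  # constructed second module, e.g. a directory that is unreachable

# Mirrors the Aurora { ... } entry above: one module, flagged required.
AURORA_STACK = [ModuleEntry("PGAuroraLoginModule", REQUIRED, pg_login)]
# Same module flagged sufficient ahead of a failing required module: a valid user still gets in,
# because the sufficient success returns before the failing module is ever reached.
SUFFICIENT_STACK = [ModuleEntry("PGAuroraLoginModule", SUFFICIENT, pg_login),
                    ModuleEntry("Directory", REQUIRED, always_fail)]
```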

The LoginModule is explained in further detail on the Oracle website. Refer to Oracle documentation for more information.

Authenticator Interface

PROIV Aurora exposes an authentication interface that enables you to provide your own implementation.

The interface has one method:

Principal authenticate(final String username, final String password);

The implementation must be added into the WEB-INF/lib folder if packaged as a JAR file, or in the WEB-INF/classes folder if not.

The aurora.authenticator.class entry in the aurora.properties file must be updated with the full name of the new authenticator implementation.

PROIV Authenticator Task

PROIV Aurora ships with a fully configured PROIV Task for you to use: TK_AU_Authenticator. It passes two parameters into PROIV (username and password) and expects one parameter back (status). For more information, please refer to the TK_AU_Authenticator topic.


Topic ID: 810009