JAAS Authentication Overview |
PROIV Aurora Help |
JAAS Authentication
PROIV uses JAAS (Java Authentication and Authorisation Service) to determine whether users can log on, and what components they can use when they are logged on. JAAS is a Java security framework specifically for user-centric security, which enhances and augments the Java code-based security and allows the deployer a choice of authenticators.
You can use the following resources for more information about JAAS or refer to JAVA documentation on internet.
-
http://download.oracle.com/javase/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html
-
http://docs.codehaus.org/display/JETTY/JAAS - explains JAAS configuration for Jetty
-
http://www.owasp.org/index.php/JAAS_Tomcat_Login_Module - explains JAAS configuration for Tomcat
PROIV Aurora provides three pluggable authenticator options:
-
JAAS Login Module
-
Authenticator Interface
-
PROIV Authenticator Task
JAAS LoginModule
The JAAS LoginModule describes the interface implemented by authentication technology providers. Different kinds of authentication technologies can be plugged in under an application. A Configuration implementation specifies the LoginModule(s) to be used with a particular login application and they can be plugged in without requiring application changes.
The Configuration specifies which LoginModules can be used for a particular application, and in what order the LoginModules are invoked. It passes the file path to the application server and includes the class name of the LoginModule. You can also pass other name value pairs in the configuration file, these values must be in quotes.
Example syntax of a login configuration is as follows:
Application {
ModuleClass Flag ModuleOptions;
ModuleClass Flag ModuleOptions;
ModuleClass Flag ModuleOptions;
The following example is a login configuration that passes in JDBC configuration information:
// Application (appName)
Aurora {
// Module Class // flag
com.northgatearinso.aurora.authentication.PGAuroraLoginModule required
// Options
debug=?true?
dbDriver="org.postgresql.Driver"
dbUrl="jdbc:postgresql://localhost:5532/aurora"
dbUsername="postgres"
dbPassword="postgres"
dbTable="Users"
usernameField="Username"
passwordField="Password"
log_level="ALL";
};
The LoginModule Flag value controls the overall behaviour as authentication proceeds down the stack. The following table outlines the valid values and their purpose:
Value Descriptions
Value |
Description |
Required |
The LoginModule is required to succeed. If it succeeds or fails, authentication still continues to proceed down the LoginModule list. |
Requisite |
The LoginModule is required to succeed. If it succeeds, authentication continues down the LoginModule list. If it fails, control immediately returns to the application (authentication does not proceed down the LoginModule list). |
Sufficient |
The LoginModule is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the LoginModule list). If it fails, authentication continues down the LoginModule list. |
Optional |
The LoginModule is not required to succeed. If it succeeds or fails, authentication still continues to proceed down the LoginModule list. |
In the source code of the LoginModule, the database information is used to create a connection, and query the database with the username and password entered in the login form. If the passwords match, a new AuroraUserPrincipal is created and the user is logged into the system.
The LoginModule is explained in further detail on the Oracle website. Refer to Oracle documentation for more information.
Authenticator Interface
PROIV Aurora exposes an authentication interface that enables you to provide your own implementation.
The interface has one method:
Principal authenticate(final String username, final String password);
The implementation must be added into the WEB-INF/lib folder if packaged as a JAR file, or in the WEB-INF/classes folder if not.
The aurora.authenticator.class entry in the aurora.properties file must be updated with the full name of the new authenticator implementation.
PROIV Authenticator Task
PROIV Aurora ships with a fully configured PROIV Task for you to use: TK_AU_Authenticator. It passes two parameters into PROIV (username and password) and expects one parameter back (status). For more information, please refer to TK_AU_Authenticator topic.
Related Topics
Topic ID: 810009