1
votes

I'm trying to develop a custom JAAS login module which consumes a token and gets the user data from different sources. It should work as an authentication realm for WildFly 8.2.1 Final. I've got a test servlet in which I want to authenticate, so that the allowed roles for an injected EJB are checked.

The test is from this site: http://www.radcortez.com/custom-principal-and-loginmodule-for-wildfly/ In fact, I even started with his git project.

Because I only use a token, I cannot use request.login(username, password) to initiate the WildFly login process. So I tried this:

@Inject
private SampleEJB sampleEJB;

// Holds the JAAS context created per request (was used without being declared)
private LoginContext context;

...

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String token = request.getParameter("token");
    try {
        // Runs the login modules of the "TokenLoginDomain" JAAS configuration with the token as the only credential
        context = new LoginContext("TokenLoginDomain", new TokenCallbackHandler(token));
        context.login();
    } catch (Exception e) {
        e.printStackTrace();
    }

    // The injected bean is sampleEJB; the original called an undeclared "exampleEJB"
    response.getWriter().println("username=" + sampleEJB.getPrincipalName());
}

My EJB looks like this:

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;

@Stateless
public class SampleEJB {
    @Resource
    private EJBContext ejbContext;

    // Only callers in the "partner" role reach this method; others get an EJBAccessException
    @RolesAllowed("partner")
    public String getPrincipalName() {
        return ejbContext.getCallerPrincipal().getName();
    }
}

How do I start the login process without credentials in a servlet, so that the user is logged in as a WildFly user?


1 Answer

3
votes

You can't authenticate that way in Java EE. With the given code you'll only be authenticated within the LoginContext instance.

As you already found out, request.login(username, password) triggers the authentication process, but it's limited to the username/password credential.

In this case you should not only write a custom LoginModule (identity store), but a custom authentication mechanism as well. Authentication mechanisms are, so to speak, the controllers in the authentication process, while the identity store is the model.

Custom authentication mechanisms can be added via the JASPIC SPI, which WildFly supports well.

You can register a ServerAuthModule (SAM) from the app with some utility code that you can copy from here: https://github.com/arjantijms/glassfish-sam-ee-namespaces/tree/master/src/main/java/javax/security/authenticationmechanism

Then actually register the SAM with code as shown here:

https://github.com/arjantijms/glassfish-sam-ee-namespaces/blob/master/src/main/java/test/SamAutoRegistrationListener.java
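As an added example (not code from the answer, from the linked repository, or from WildFly), here is a minimal ServerAuthModule for the token case in the question. The container calls validateRequest() before the servlet runs, so the principal and groups it sets are what request.getUserPrincipal() and @RolesAllowed on the injected EJB see. It assumes the JASPIC API (javax.security.auth.message) on the classpath, registration of the module by the utility code the answer links to, a deployment bound to a WildFly security domain configured for JASPIC, and that the group names passed to GroupPrincipalCallback are mapped onto roles such as "partner"; the TokenStore class and its sample tokens are constructed stand-ins for the "different sources" mentioned in the question.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** JASPIC SAM that authenticates from a bearer token instead of username/password. */
public class TokenServerAuthModule implements ServerAuthModule {

    // Servlet Container Profile key: "true" when the requested resource is protected.
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";

    private CallbackHandler handler;

    /** Hypothetical stand-in for the token-to-user lookup; a real store would hash or sign tokens. */
    static final class TokenStore {
        static final class User {
            final String name; final String[] groups;
            User(String name, String... groups) { this.name = name; this.groups = groups; }
        }
        private static final Map<String, User> TOKENS = new HashMap<>();   // constructed sample data
        static {
            TOKENS.put("t0k3n-alice", new User("alice", "partner"));
            TOKENS.put("t0k3n-bob", new User("bob", "guest"));
        }
        static User lookup(String token) { return token == null ? null : TOKENS.get(token); }
    }

    @Override
    @SuppressWarnings("rawtypes")
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;   // container-supplied; applies callbacks to the client Subject
    }

    @Override
    @SuppressWarnings("rawtypes")
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        boolean mandatory = Boolean.parseBoolean(String.valueOf(messageInfo.getMap().get(IS_MANDATORY)));

        TokenStore.User user = TokenStore.lookup(extractToken(request));
        try {
            if (user != null) {
                // Establish the caller identity and its groups for this request.
                handler.handle(new Callback[] {
                        new CallerPrincipalCallback(clientSubject, user.name),
                        new GroupPrincipalCallback(clientSubject, user.groups) });
                return AuthStatus.SUCCESS;
            }
            if (!mandatory) {
                // Unprotected resource and no usable token: continue as an anonymous caller.
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) });
                return AuthStatus.SUCCESS;
            }
            // Protected resource with a missing or unknown token: reject before the servlet runs.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    /** Prefer an Authorization: Bearer header; fall back to the ?token= parameter the question uses. */
    static String extractToken(HttpServletRequest request) {
        String auth = request.getHeader("Authorization");
        if (auth != null && auth.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return auth.substring(7).trim();
        }
        return request.getParameter("token");   // query parameters land in access logs; the header is safer
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) {
            subject.getPrincipals().clear();
        }
    }
}
```

With this module registered for the web application, the servlet in the question no longer needs to build a LoginContext at all: a request carrying t0k3n-alice reaches doGet with "alice" as the caller principal and "partner" as a group, so sampleEJB.getPrincipalName() passes the @RolesAllowed check, while t0k3n-bob is authenticated but rejected by the EJB container for lacking the role, and a protected URL without a valid token is answered with 401 before doGet is ever invoked.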