1. Re: Using database for authorization ONLY?
barramundi Feb 18, 2008 1:32 AM (in response to tresspicher)
Try setting this under the database login module to bypass authentication:
<module-option name="password-stacking">useFirstPass</module-option>
If this doesn't work, then you have to modify the DB login module to only look up roles and skip authentication. -
2. Re: Using database for authorization ONLY?
tresspicher Feb 21, 2008 11:53 PM (in response to tresspicher)
Thanks, that was very useful and exactly what I was looking for. Unfortunately, if I remove the Roles parameters from the LdapExtLoginModule configuration, the login fails. Is there any straightforward way to use LdapExtLoginModule for only the authentication portion of the login and to delegate all role assignment to the DatabaseServerLoginModule? Will I need to modify LdapExtLoginModule? If so, can you give me some pointers for doing so?
If there is a better solution, I would also like to hear your suggestions. In our particular setup, the user names and passwords are part of a huge company-wide server. We have specific roles we need that will be used by a tiny subset of the company so modifying the LDAP server is not an option. We want to use the company's LDAP server for username/password verification, but use our own database to assign roles.
I am desperately hoping for a response. I need to get this working in the next 2 days or I'm in trouble. -
3. Re: Using database for authorization ONLY?
barramundi Feb 22, 2008 4:21 AM (in response to tresspicher)
If I remember well, when the LdapExtLoginModule flag = "optional",
the login will not fail as long as your next login module works to return the roles.
Of course your next module's flag needs to be 'required'.
If you really have to modify the ldap login module, just modify the LdapExtLoginModule's getRoleSets() method to return a dummy blank set. -
4. Re: Using database for authorization ONLY?
tresspicher Feb 22, 2008 12:37 PM (in response to tresspicher)
Thank you so much. You have been very helpful.
-
5. Re: Using database for authorization ONLY?
sfisque Jul 25, 2008 3:26 PM (in response to tresspicher)
How did you achieve this? I am trying to do a similar thing:
1) attempt authentication via LDAP (using LdapExtLoginModule).
2) if failure, attempt authentication against the database (for "special case users") (using DatabaseServerLoginModule)
3) load the roles from the database regardless of which authentication succeeded.
I have the following login-config:
<application-policy name = "dual-auth">
  <login-module code = "org.jboss.security.auth.spi.LdapExtLoginModule"
                flag = "optional">
    <module-option name="baseCtxDN">dc=psr,dc=kryptiq,dc=com</module-option>
    <module-option name="bindDN">cn=admin,dc=psr,dc=kryptiq,dc=com</module-option>
    <module-option name="bindCredential">secret00</module-option>
    <module-option name="baseFilter">(cn={0})</module-option>
    <module-option name="rolesCtxDN">dc=psr,dc=kryptiq,dc=com</module-option>
    <module-option name="roleAttributeIsDN">false</module-option>
    <module-option name="roleAttributeID">role</module-option>
  </login-module>
  <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                flag = "required">
    <module-option name = "unauthenticatedIdentity">guest</module-option>
    <module-option name = "dsJndiName">java:/jdbc/PSR</module-option>
    <module-option name = "principalsQuery">SELECT PASSWORD as PASSWD FROM APP_USER WHERE LOGIN=?</module-option>
    <module-option name = "rolesQuery">SELECT APP_PERMISSION.NAME as ROLEID, 'Roles' FROM APP_USER, APP_USER_ROLE, APP_ROLE_PERMISSION, APP_PERMISSION WHERE APP_USER.LOGIN=? AND APP_USER.ID = APP_USER_ROLE.USER_ID AND APP_USER_ROLE.ROLE_ID = APP_ROLE_PERMISSION.ROLE_ID AND APP_ROLE_PERMISSION.PERMISSION_ID = APP_PERMISSION.ID</module-option>
    <module-option name="password-stacking">useFirstPass</module-option>
  </login-module>
</application-policy>
If I comment out the LDAP part, it works fine for the "special case user" who exists only in the database. If I have both activated, the "special case user" never authenticates to my web service (it is an EJB3 endpoint exposed via @WebService and @SecurityDomain annotations).
I made sure the "required" and "optional" flags are set and the "password-stacking" option is set. What else am I missing, or is this setup not going to achieve what I need? Does the "special case" user need to exist in the LDAP directory? I was under the impression that "optional" meant it would fail quietly and defer to later modules.
== stanton
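As an added example (not code from the thread, and not JBoss's own LdapExtLoginModule or DatabaseServerLoginModule), here is a plain-JDK JAAS program that reproduces the stacking discussed in posts 1, 3 and 5: an optional authenticate-only module in front of a required module that loads roles and honours password-stacking=useFirstPass. LdapLike and DbLike are toy stand-ins written for this example; the users alice and bob, their passwords and their roles are constructed in-memory test data, not a real directory or datasource. The password-stacking rule it implements is the JBoss one: a module with password-stacking=useFirstPass that finds javax.security.auth.login.name and javax.security.auth.login.password in the shared state accepts that identity without verifying it, and a module that verified a password itself stores the pair for the modules after it. It needs Java 11 or later and only java.base (javax.security.auth.*).

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

/** Stand-alone JAAS demo: authenticate-only module (optional) stacked in front of a
 *  role-loading module (required) with password-stacking. Back ends are constructed maps. */
public class StackedLoginDemo {
    // Shared-state keys JBoss uses for password stacking.
    static final String NAME_KEY = "javax.security.auth.login.name";
    static final String PASS_KEY = "javax.security.auth.login.password";

    /** Role principal committed into the Subject. */
    public static final class Role implements Principal {
        private final String name;
        Role(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Plumbing shared by both toy modules. */
    public abstract static class ToyModule implements LoginModule {
        protected Subject subject; protected CallbackHandler handler;
        protected Map<String, Object> shared;
        protected boolean useFirstPass;   // module-option password-stacking=useFirstPass
        protected boolean loginOk; protected String user;

        @Override @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> options) {
            subject = s; handler = h; shared = (Map<String, Object>) sharedState;
            useFirstPass = "useFirstPass".equals(options.get("password-stacking"));
        }
        /** Collect user/password through the container's CallbackHandler. */
        protected String[] prompt() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            return new String[] { nc.getName(), new String(pc.getPassword()) };
        }
        /** After verifying a password, publish it so later useFirstPass modules skip their own check. */
        protected void publish(String u, String p) {
            user = u; loginOk = true;
            if (useFirstPass) { shared.put(NAME_KEY, u); shared.put(PASS_KEY, p); }
        }
        @Override public boolean commit() { return loginOk; }
        @Override public boolean abort() { loginOk = false; return true; }
        @Override public boolean logout() { return true; }
    }

    /** Stand-in for LdapExtLoginModule: verifies the password (here against a map), supplies no roles. */
    public static class LdapLike extends ToyModule {
        static final Map<String, String> DIRECTORY = Map.of("alice", "ldap-pw");   // constructed
        @Override public boolean login() throws LoginException {
            String[] c = prompt();
            if (!c[1].equals(DIRECTORY.get(c[0]))) throw new FailedLoginException("LDAP bind failed for " + c[0]);
            publish(c[0], c[1]);
            return true;
        }
    }

    /** Stand-in for DatabaseServerLoginModule: trusts a stacked identity, else checks its own table; loads roles. */
    public static class DbLike extends ToyModule {
        static final Map<String, String> PRINCIPALS = Map.of("bob", "db-pw");   // principalsQuery, constructed
        static final Map<String, List<String>> ROLES =                          // rolesQuery, constructed
            Map.of("alice", List.of("Admin"), "bob", List.of("Special"));
        @Override public boolean login() throws LoginException {
            if (useFirstPass && shared.get(NAME_KEY) != null && shared.get(PASS_KEY) != null) {
                user = (String) shared.get(NAME_KEY);   // authenticated upstream: no password check here
                loginOk = true;
                return true;
            }
            String[] c = prompt();
            if (!c[1].equals(PRINCIPALS.get(c[0]))) throw new FailedLoginException("no DB match for " + c[0]);
            publish(c[0], c[1]);
            return true;
        }
        @Override public boolean commit() {
            if (!loginOk) return false;
            for (String r : ROLES.getOrDefault(user, List.of())) subject.getPrincipals().add(new Role(r));
            return true;
        }
    }

    /** In-code equivalent of <application-policy name="dual-auth">, with password-stacking on BOTH entries. */
    static Configuration dualAuth() {
        Map<String, String> stack = Map.of("password-stacking", "useFirstPass");
        AppConfigurationEntry[] entries = {
            new AppConfigurationEntry(LdapLike.class.getName(), LoginModuleControlFlag.OPTIONAL, stack),
            new AppConfigurationEntry(DbLike.class.getName(), LoginModuleControlFlag.REQUIRED, stack) };
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return entries; }
        };
    }

    /** Fixed-credential handler standing in for the container's form/basic-auth handler. */
    static CallbackHandler creds(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Runs the stack; returns the role names committed into the Subject, or throws LoginException. */
    static Set<String> roles(String user, String password) throws LoginException {
        Subject subject = new Subject();
        new LoginContext("dual-auth", subject, creds(user, password), dualAuth()).login();
        Set<String> out = new TreeSet<>();
        for (Role r : subject.getPrincipals(Role.class)) out.add(r.getName());
        return out;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("alice (LDAP user, roles from DB): " + roles("alice", "ldap-pw"));
        System.out.println("bob (DB-only user):               " + roles("bob", "db-pw"));
        try { roles("alice", "wrong"); }
        catch (LoginException e) { System.out.println("alice/wrong rejected: " + e.getMessage()); }
    }
}
```

Compile with javac and run with java. alice is verified by LdapLike, and DbLike finds her in the shared state and only loads her roles; bob fails the LDAP bind, which the optional flag absorbs, then passes DbLike's own password check and gets his roles; alice with a wrong password is rejected because the required module fails. Two points the example makes visible: the option is set on both entries, because a first module without password-stacking never writes the shared state, so the module behind it falls back to its own password check (remove the option from the LdapLike entry and alice's login fails against the DB table); and with useFirstPass the DbLike module accepts whatever identity the shared state carries without verifying it, so only modules that actually verify credentials should be placed where they can write it.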