geronimo-dev mailing list archives

From Jack Cai <greensi...@gmail.com>
Subject Re: Login module question.... advice needed
Date Mon, 03 Aug 2009 03:52:41 GMT
By JAAS's design there is only one CallbackHandler in one LoginContext, so
it's better to write a CallbackHandler that can handle both Callbacks here.

I wrote a small test case to test the RI's behavior. It also implements B.

-Jack

On Sun, Aug 2, 2009 at 7:31 AM, David Jencks <david_jencks@yahoo.com> wrote:

> I found another aspect of LoginModules to get confused about, see
> https://issues.apache.org/jira/browse/GERONIMO-4781.
>
> What should a login module login method do if the callback handler doesn't
> recognize its callbacks and throws an UnsupportedCallbackException?
>
> A.  return false, on the grounds that not enough info was obtained to
> successfully authenticate, so the result of this login module should be
> ignored for determining if login was successful.  Since we didn't get enough
> information to try to authenticate, we can't claim authentication failed.
>
> B. throw a LoginException, because authentication failed.
>
> Currently we implement B.
>
> This is currently a possible issue because (see
> https://issues.apache.org/jira/browse/GERONIMO-4779) client cert auth in
> jetty uses name and password callbacks but in tomcat it uses a ClientCert
> callback.  To construct a security realm that would work with either one you
> can use a CertificateChainLoginModule (for tomcat) and a
> PropertiesFileNoPasswordLoginModule (for jetty).  With policy A you could
> use any flag but with policy B you could not use REQUIRED or REQUISITE.
>
> I'm confused.  Thoughts?
>
> thanks
> david jencks
>
>
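As an added illustration of the thread above (example code, not Geronimo's and not the test case Jack mentions), the following Java sketches one CallbackHandler that answers both name/password and certificate-chain callbacks, plus a LoginModule.login() that can apply either policy A or policy B when the handler throws UnsupportedCallbackException. CertChainCallback, PolicyAwareLoginModule and the ignoreUnsupportedCallbacks option are hypothetical stand-ins, not the Tomcat, Jetty or Geronimo classes the thread refers to.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Stand-in for a container-specific client-certificate callback (constructed for this example).
class CertChainCallback implements Callback {
    private X509Certificate[] chain;
    public void setChain(X509Certificate[] c) { chain = c; }
    public X509Certificate[] getChain() { return chain; }
}

// One handler that serves both callback styles, so modules for either container share the LoginContext's single handler.
class CombinedCallbackHandler implements CallbackHandler {
    private final String user; private final char[] password; private final X509Certificate[] chain;
    CombinedCallbackHandler(String user, char[] password, X509Certificate[] chain) {
        this.user = user; this.password = password; this.chain = chain;
    }
    @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
            else if (cb instanceof CertChainCallback) ((CertChainCallback) cb).setChain(chain);
            else throw new UnsupportedCallbackException(cb, "unrecognised callback " + cb.getClass().getName());
        }
    }
}

// login() skeleton that makes the A-versus-B choice explicit; the option name is hypothetical.
abstract class PolicyAwareLoginModule implements LoginModule {
    protected CallbackHandler handler;
    protected boolean ignoreUnsupported;   // true = policy A, false = policy B
    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        handler = h; ignoreUnsupported = "true".equals(opts.get("ignoreUnsupportedCallbacks"));
    }
    @Override public boolean login() throws LoginException {
        Callback[] cbs = requiredCallbacks();
        try { handler.handle(cbs); }
        catch (UnsupportedCallbackException e) {
            if (ignoreUnsupported) return false;   // A: false tells JAAS to ignore this module
            throw new LoginException("cannot obtain " + e.getCallback().getClass().getName()); // B
        } catch (IOException e) { throw new LoginException(e.getMessage()); }
        return authenticate(cbs);
    }
    protected abstract Callback[] requiredCallbacks();   // e.g. Name+Password, or CertChainCallback
    protected abstract boolean authenticate(Callback[] cbs) throws LoginException;
}
```

With policy A a module whose callbacks the handler cannot satisfy is simply ignored, which is why it can carry REQUIRED or REQUISITE without breaking the realm; with policy B the same situation counts as a failed login for that module.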
