geronimo-dev mailing list archives

From Jack Cai <>
Subject Re: Login module question.... advice needed
Date Mon, 03 Aug 2009 03:52:41 GMT
By JAAS's design there is only one CallbackHandler in one LoginContext, so
it's better to write a CallbackHandler that can handle both Callbacks here.

I wrote a small test case to test RI's behavior. It also implements B.


On Sun, Aug 2, 2009 at 7:31 AM, David Jencks <> wrote:

> I found another aspect of LoginModules to get confused about, see
> What should a login module login method do if the callback handler doesn't
> recognize its callbacks and throws an UnsupportedCallbackException?
> A.  return false, on the grounds that not enough info was obtained to
> successfully authenticate, so the result of this login module should be
> ignored for determining if login was successful.  Since we didn't get enough
> information to try to authenticate, we can't claim authentication failed.
> B. throw a LoginException, because authentication failed.
> Currently we implement B.
> This is currently a possible issue because (see
> client cert auth in
> jetty uses name and password callbacks but in tomcat it uses a ClientCert
> callback.  To construct a security realm that would work with either one you
> can use a CertificateChainLoginModule (for tomcat) and a
> PropertiesFileNoPasswordLoginModule (for jetty).  With policy A you could
> use any flag but with policy B you could not use REQUIRED or REQUISITE.
> I'm confused.  Thoughts?
> thanks
> david jencks
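The thread turns on two JAAS mechanics: a single CallbackHandler serves every LoginModule in a LoginContext, and a module that cannot get the callbacks it needs has to choose between `return false` (policy A: "ignore me") and throwing a LoginException (policy B: "authentication failed"). The example below is added here for illustration; it is not Jack Cai's attached test case and not Geronimo project code. It assumes a hypothetical `CertChainCallback` as a stand-in for a container-specific certificate callback, and hard-codes a constructed user/password pair in place of a real user store. The password module follows policy A, so that a handler supplying only a certificate chain makes it return false instead of failing the whole login.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

public final class JaasCallbackDemo {

    /** Hypothetical callback carrying a client certificate chain (assumption, not a real Geronimo class). */
    public static final class CertChainCallback implements Callback {
        private X509Certificate[] chain;
        public X509Certificate[] getChain() { return chain; }
        public void setChain(X509Certificate[] chain) { this.chain = chain; }
    }

    /** One handler for the whole LoginContext: answers every callback it has data for, rejects the rest. */
    public static final class CompositeCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        private final X509Certificate[] chain;

        public CompositeCallbackHandler(String user, char[] password, X509Certificate[] chain) {
            this.user = user; this.password = password; this.chain = chain;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback && user != null) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback && password != null) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof CertChainCallback && chain != null) {
                    ((CertChainCallback) cb).setChain(chain);
                } else {
                    // No data for this callback type: signal it so the module can decide policy A or B.
                    throw new UnsupportedCallbackException(cb, "no data for " + cb.getClass().getSimpleName());
                }
            }
        }
    }

    /** Name/password module implementing policy A: missing callbacks mean "ignore this module". */
    public static final class PolicyAPasswordLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private boolean loginSucceeded;
        private String name;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (UnsupportedCallbackException e) {
                loginSucceeded = false;
                return false;          // policy A: not enough information, LoginContext ignores this module
            } catch (IOException e) {
                throw new LoginException("callback I/O failure: " + e.getMessage());
            }
            char[] pw = pc.getPassword();
            pc.clearPassword();
            // Constructed credential check; a real module would consult its user store.
            boolean ok = "alice".equals(nc.getName()) && pw != null && "s3cret".equals(new String(pw));
            if (!ok) {
                throw new FailedLoginException("bad user or password"); // we had the data and it was wrong
            }
            loginSucceeded = true;
            name = nc.getName();
            return true;
        }

        @Override
        public boolean commit() {
            if (!loginSucceeded) return false;   // an ignored module must not touch the Subject
            subject.getPrincipals().add(new X500Principal("CN=" + name));
            return true;
        }

        @Override public boolean abort() { loginSucceeded = false; name = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); loginSucceeded = false; return true; }
    }

    public static void main(String[] args) throws LoginException {
        // A handler that only carries a certificate chain: the password module steps aside (returns false).
        PolicyAPasswordLoginModule certOnly = new PolicyAPasswordLoginModule();
        certOnly.initialize(new Subject(), new CompositeCallbackHandler(null, null, new X509Certificate[0]), null, null);
        System.out.println("cert-only handler, login() = " + certOnly.login());   // false

        // A handler that carries the constructed name/password: the module authenticates and commits.
        Subject subject = new Subject();
        PolicyAPasswordLoginModule withPassword = new PolicyAPasswordLoginModule();
        withPassword.initialize(subject, new CompositeCallbackHandler("alice", "s3cret".toCharArray(), null), null, null);
        System.out.println("password handler, login() = " + withPassword.login() + ", commit() = " + withPassword.commit());
        System.out.println("principals: " + subject.getPrincipals());
    }
}
```

The part worth checking in any module that adopts policy A is `commit()`: LoginContext calls commit on every module once the overall login succeeds, so a module whose `login()` returned false must remember that and add nothing to the Subject, otherwise the "ignored" module still grants principals it never verified. Policy B is the `FailedLoginException` branch, reserved here for the case where the callbacks were answered and the credentials were actually wrong.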
