geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david_jen...@yahoo.com>
Subject Login module question.... advice needed
Date Sat, 01 Aug 2009 23:31:17 GMT
I found another aspect of LoginModules to get confused about, see https://issues.apache.org/jira/browse/GERONIMO-4781

..

What should a login module login method do if the callback handler  
doesn't recognize its callbacks and throws an  
UnsupportedCallbackException?

A.  return false, on the grounds that not enough info was obtained to  
successfully authenticate, so the result of this login module should  
be ignored for determining if login was successful.  Since we didn't  
get enough information to try to authenticate, we can't claim  
authentication failed.

B. throw a LoginException, because authentication failed.

Currently we implement B.

This is currently a possible issue because (see https://issues.apache.org/jira/browse/GERONIMO-4779)

  client cert auth in jetty uses name and password callbacks but in  
tomcat it uses a ClientCert callback.  To construct a security realm  
that would work with either one you can use a  
CertificateChainLoginModule (for tomcat) and a  
PropertiesFileNoPasswordLoginModule (for jetty).  With policy A you  
could use any flag but with policy B you could not use REQUIRED or  
REQUISITE.

I'm confused.  Thoughts?

thanks
david jencks


Mime
View raw message