C.2. Client-Side JAAS

To use JAAS from an external client, we need to take the following steps:
C.2.1. External Client Application that Uses JAAS

The following code snippet shows how an external application would use JAAS authentication, assuming that the user has already entered a username and password. We first instantiate an application-specific CallbackHandler implementation, MyPassiveCallbackHandler, with the userName and password. We then create the JAAS LoginContext using the application name along with our CallbackHandler. The "Client-JBossAtWorkAuth" application name comes from the LoginModule Configuration file; see the "Client-Side LoginModule Configuration" section for details. The LoginContext's login( ) method then authenticates the user. If login( ) throws a LoginException, the logon failed. If the logon succeeds, the application calls the code the user is allowed to access, as in Example C-3.

Example C-3. Sample external client

    import javax.security.auth.login.*;
    import javax.security.auth.*;
    import java.security.*;
    ...
    try {
        MyPassiveCallbackHandler myCallbackHandler = null;

        // Set Security Association CallbackHandler-specific settings
        myCallbackHandler = new MyPassiveCallbackHandler(userName, password);

        // Get Login Context (NOTE: Client-JBossAtWorkAuth is the application
        // name in the client-auth.conf LoginModule Configuration file)
        System.out.println("Creating the JAAS Login Context");
        LoginContext loginContext = new LoginContext("Client-JBossAtWorkAuth",
                                                     myCallbackHandler);

        // Login: a LoginException here means the logon failed
        System.out.println("Logging in as user [" + userName + "]");
        loginContext.login();

        // Protected code goes here.
    } catch (LoginException le) {
        System.out.println(le.getMessage());
    }

We've now written the core client code and the CallbackHandler, but there's still a little more work to do before we can run the client. We need to take the following steps:
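The page references MyPassiveCallbackHandler but does not show it, and Example C-3 stops at "Protected code goes here." The following is an added example, not code from the book or from JBoss, that fills in both halves: a passive CallbackHandler that answers NameCallback and PasswordCallback from credentials collected up front, and a client that logs in, runs the protected code under Subject.doAs( ) (which is why the policy file grants the doAs and getSubject AuthPermissions), and logs out when finished. The class names JaasClientExample and PassiveCallbackHandler are assumptions chosen for this example; the "Client-JBossAtWorkAuth" application name and the policy and configuration files are the ones described in this section.

```java
import java.io.IOException;
import java.security.PrivilegedAction;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not from the book): a complete JAAS client that supplies
 * its credentials through a CallbackHandler, logs in, runs protected code as
 * the authenticated Subject, and logs out again.
 */
public class JaasClientExample {

    /**
     * "Passive" handler: it never prompts, it just hands out the username and
     * password it was constructed with whenever a LoginModule asks for them.
     */
    static final class PassiveCallbackHandler implements CallbackHandler {
        private final String userName;
        private final char[] password;

        PassiveCallbackHandler(String userName, char[] password) {
            this.userName = userName;
            this.password = password;
        }

        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                Callback cb = callbacks[i];
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(userName);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    // Fail loudly instead of silently leaving a callback blank,
                    // which would otherwise surface as a confusing login failure.
                    throw new UnsupportedCallbackException(cb,
                            "Unsupported callback: " + cb.getClass().getName());
                }
            }
        }
    }

    /** Logs in as the given user, runs the protected work, then logs out. */
    static String runAsUser(String userName, char[] password) throws LoginException {
        CallbackHandler handler = new PassiveCallbackHandler(userName, password);

        // "Client-JBossAtWorkAuth" is the application name in client-auth.conf;
        // the LoginContext constructor needs AuthPermission "createLoginContext".
        LoginContext loginContext = new LoginContext("Client-JBossAtWorkAuth", handler);

        // A LoginException here means the logon failed; let the caller handle it.
        loginContext.login();

        final Subject subject = loginContext.getSubject();   // AuthPermission "getSubject"
        try {
            // Everything inside run() executes with this Subject bound to the
            // access-control context (AuthPermission "doAs").
            return Subject.doAs(subject, new PrivilegedAction<String>() {
                public String run() {
                    // Protected code goes here, e.g. remote EJB calls.
                    return "ran as " + subject.getPrincipals();
                }
            });
        } finally {
            // Always clear the login state, even if the protected code threw.
            loginContext.logout();
        }
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: JaasClientExample <user> <password>");
            System.exit(2);
        }
        try {
            System.out.println(runAsUser(args[0], args[1].toCharArray()));
        } catch (LoginException le) {
            System.err.println("Login failed: " + le.getMessage());
            System.exit(1);
        }
    }
}
```

Run it with the same -Djava.security.manager, -Djava.security.policy and -Djava.security.auth.login.config settings shown in "Setting the Client CLASSPATH"; with the Security Manager installed, each of the LoginContext, getSubject( ), doAs( ) and logout( ) calls above is checked against the AuthPermissions in security.policy, so a missing permission shows up as an AccessControlException rather than a LoginException.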
C.2.2. Client-Side LoginModule Configuration

We have to configure a client-side LoginModule in Example C-4 so the client application can instantiate a LoginContext.

Example C-4. client-auth.conf

    Client-JBossAtWorkAuth {
        org.jboss.security.ClientLoginModule required;
    };

When called by the client application, the LoginContext's constructor reads this LoginModule Configuration file to set up the JBoss-specific JAAS LoginModule. Note that ClientLoginModule does not verify the password itself: it stores the principal and credential in the client-side security association so that they are sent along with each subsequent remote call, and the JBoss server performs the actual authentication when those calls arrive. The application then uses the LoginContext to log on to the JBoss server using JAAS.

C.2.3. J2SE Security Policy File

The Security Policy File in Example C-5 gives the client the privileges it needs to use the JAAS API.

Example C-5. security.policy

    grant codeBase "file:.${/}-" {
        permission javax.security.auth.AuthPermission "createLoginContext";
        permission javax.security.auth.AuthPermission "doAs";
        permission javax.security.auth.AuthPermission "doAsPrivileged";
        permission javax.security.auth.AuthPermission "modifyPrincipals";
        permission javax.security.auth.AuthPermission "getSubject";
        permission java.util.PropertyPermission "java.security.auth.debug", "read";
    };

The javax.security.auth.AuthPermission settings in this file grant permissions to:
The java.util.PropertyPermission setting enables the client to read the java.security.auth.debug System property; see the next section for details.

C.2.4. Setting the Client CLASSPATH

The client requires the following CLASSPATH and System property settings to run properly (on Windows, use ; rather than : as the CLASSPATH separator):

    java -classpath .:$JBOSS_HOME/client/jbosssx-client.jar \
         -Djava.security.manager \
         -Djava.security.policy="security.policy" \
         -Djava.security.auth.policy="security.policy" \
         -Djava.security.auth.login.config="client-auth.conf" \
         -Djava.security.auth.debug="all" \
         com.jbossatwork.client.JaasClient

The jbosssx-client.jar contains the JBoss JAAS client-side classes. The java.security.manager System property tells the JVM to install a Security Manager, so that the permissions in our policy file are actually enforced; without it, the policy file is never consulted. The java.security.policy and java.security.auth.policy System properties tell the Security Manager to use our security policy file, security.policy. The java.security.auth.login.config System property tells JAAS (not the Security Manager) where to find our client-side LoginModule Configuration file, client-auth.conf. To check for any client-side configuration problems, we turn on JAAS debug output by setting the java.security.auth.debug System Property. Here are some of the valid values for java.security.auth.debug:
We set java.security.auth.debug to all so we can see everything. You can turn this setting off later if you like.