
Thread: problem about JaasAuthenticationProvider

  1. #1
    Join Date
    Jan 2005
    Posts
    4

    problem about JaasAuthenticationProvider

    I made the configuration as the reference told.
    <bean id="jaasAuthenticationProvider" class="com.genersoft.platform.security.aa.authentication.jaas.JaasAuthenticationProvider">
    <property name="loginConfig">
    <value>/WEB-INF/security/jaas.config</value>
    </property>
    <property name="loginContextName">
    <value>NamePassword</value>
    </property>
    <property name="callbackHandlers">
    <list>


    but it didn't work.
    The application raises an exception:
    javax.security.auth.login.LoginException: 没有为 NamePassword 配置 LoginModule

    In English, it means "No configuration for NamePassword LoginModule".

    I changed the code of JaasAuthenticationProvider.java
    and added one statement at the end of the afterPropertiesSet() method:

    System.setProperty("java.security.auth.login.config", "=" + loginConfig.getURL().toString());

    and then the problem was gone. The LoginModule is created successfully.


    I am a beginner in Java security, and I am not sure why the problem occurs or why it is solved.
    Please give me some advice.

    By the way, I am using WebSphere V5.1.

  2. #2
    Join Date
    Oct 2004
    Posts
    207


    Would it be possible to see the contents of your jaas.conf file please, mainly your NamePassword {} configuration please?

  3. #3
    Join Date
    Jan 2005
    Posts
    4


    /** Login Configuration for the JAAS Application **/

    NamePassword {
        com.genersoft.platform.security.aa.authentication.jaas.login.DaoLoginModule required debug=true;
    };


    That's all. I just imitated the sample configuration file from the Sun JAAS tutorials.

  4. #4
    Join Date
    Oct 2004
    Posts
    207


    You're setting the property java.security.auth.login.config to a url that starts with an = sign. That is invalid as far as I know.

    When Jaas gets configured it looks for the "java.security.auth.login.config" system property, which you've set to an invalid url. Then, it looks for any login.config.url.X properties having been set as Security properties.

    I think the loop of code that looks for the first available login.config.url.X value to be null and sets it is probably working, and the "java.security.auth.login.config" property you've set is being ignored by Jaas because it's invalid.

    Since you're using your own implementation of the JaasAuthenticationProvider, would you mind posting your afterPropertiesSet method? I am looking at reworking that code anyway now, because the loop thing is kinda lame...

    -Ray

  5. #5
    Join Date
    Jan 2005
    Posts
    4


    My code is as follows:
    -------------------------

    public void afterPropertiesSet() throws Exception {
        if (loginConfig == null) {
            throw new ApplicationContextException("loginConfig must be set on "
                    + getClass());
        }

        if (loginContextName == null) {
            throw new ApplicationContextException(
                    "loginContextName must be set on " + getClass());
        }

        // int n = 1;
        //
        // while (Security.getProperty("login.config.url." + n) != null) {
        //     n++;
        // }
        //
        // Security.setProperty("login.config.url." + n,
        //         loginConfig.getURL().toString());
        System.setProperty("java.security.auth.login.config", "=" + loginConfig.getURL().toString());
    }
    ---------------

    According to the Sun JAAS tutorial, to run the sample application you must specify the -D option
    as below:
    java -Djava.security.auth.login.config==sample_jaas.config sample.SampleAcn

    I checked the java tool docs and found this about the -D option:
    -Dproperty=value
    Set a system property value. If value is a string that contains spaces, you must enclose the string in double quotes:

    That is why I tried adding the line of code to the end of the afterPropertiesSet() method.

    And a tutorial from IBM developerWorks says:
    "the double equals sign (==) indicates that the system default login configuration and policy files should not be added to the ones we've listed here. A single equals sign (=) would indicate the file should be concatenated with the system default."
    That is why I added a "=" before the URL.

    I also checked the Sun implementation of javax.security.auth.login.Configuration,
    the com.sun.security.auth.login.ConfigFile source code.

    In the init() method,
    the value of the property "java.security.auth.login.config" can start with "=".


    Just now, I tried the two ways in a standalone app.
    Both
    System.setProperty("java.security.auth.login.config", "=file:E:/test/java/clear/sample_jaas.config");
    and
    Security.setProperty("login.config.url.1", "file:E:/test/java/clear/sample_jaas.config");
    work.

    I tried with both the Sun and IBM JREs.

    This makes me quite confused: why, when I tried in the WebSphere environment, does "System.setProperty" work and "Security.setProperty" fail?
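
Added example, not part of the original thread: a standalone check of the two configuration mechanisms discussed in the post above, assuming the JDK's default file-based Configuration implementation (a container such as WebSphere may install its own). The class name, the context name OtherContext and the placeholder module class are made up for illustration, and the temporary files are constructed sample input.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Security;
import javax.security.auth.login.Configuration;

public class JaasConfigLookup {
    static final String SYS_PROP = "java.security.auth.login.config";

    // Writes a constructed one-entry login configuration and returns its file: URL.
    static String writeConfig(String contextName) throws Exception {
        Path file = Files.createTempFile(contextName, ".config");
        file.toFile().deleteOnExit();
        // Placeholder module class: it is only loaded when a login is attempted.
        String body = contextName + " {\n"
                + "    example.PlaceholderLoginModule required debug=true;\n"
                + "};\n";
        Files.write(file, body.getBytes(StandardCharsets.UTF_8));
        return file.toUri().toString();
    }

    // True if the active Configuration knows at least one LoginModule for the name.
    static boolean isConfigured(String contextName) {
        Configuration cfg = Configuration.getConfiguration();
        cfg.refresh(); // re-read the locations named by the properties
        return cfg.getAppConfigurationEntry(contextName) != null;
    }

    static void report(String step) {
        System.out.println(step + ": NamePassword=" + isConfigured("NamePassword")
                + " OtherContext=" + isConfigured("OtherContext"));
    }

    public static void main(String[] args) throws Exception {
        // Mechanism 1: the first unused login.config.url.N security property.
        int n = 1;
        while (Security.getProperty("login.config.url." + n) != null) n++;
        Security.setProperty("login.config.url." + n, writeConfig("NamePassword"));
        report("security property only");

        // Mechanism 2: the system property, read in addition to login.config.url.N.
        String other = writeConfig("OtherContext");
        System.setProperty(SYS_PROP, other);
        report("system property without '='");

        // With a leading '=' the system property is the only location consulted.
        System.setProperty(SYS_PROP, "=" + other);
        report("system property with '='");
    }
}
```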

  6. #6
    Join Date
    Jan 2005
    Posts
    4

    one thing about the InternalCallbackHandler

    In the handle() method of the inner class:

    JaasAuthenticationCallbackHandler handler = callbackHandlers[i];
    handler.setAuthentication(authentication);

    for (int j = 0; j < callbacks.length; j++) {
        Callback callback = callbacks[j];
        handler.handle(callback);
    }

    In my opinion it may be better to change it to:
    JaasAuthenticationCallbackHandler handler = callbackHandlers[i];
    synchronized (handler) {
        handler.setAuthentication(authentication);
        for (int j = 0; j < callbacks.length; j++) {
            Callback callback = callbacks[j];
            handler.handle(callback);
        }
    }


    because the handler is a singleton bean in the application context, and is accessed concurrently by multiple threads.

  7. #7
    Join Date
    Oct 2004
    Posts
    207


    Learn something new every day. I didn't know about the double equals thing. I was looking at the Callback handler the other day; that interface design is just bad. It should not have a handler.setAuthentication(authentication) method on it at all. It should have been handle(Callback cb, Authentication auth). You're right, the synchronize change is absolutely needed there.

    I am going to commit a change to the afterPropertiesSet today. That works a lot cleaner.

  8. #8
    Join Date
    Oct 2004
    Posts
    207


    I've just committed changes to both the JaasAuthenticationProvider and the JaasAuthenticationCallbackHandler.

    The JaasAuthenticationProvider afterPropertiesSet method now makes use of the java.security.auth.login.config System property before trying to use the login.config.url.X properties.
    The JaasAuthenticationCallbackHandler handle method now takes a callback and the authentication in progress; the setAuthentication method has been removed.
    I don't know if you're using Acegi out of CVS or not, but if you wouldn't mind taking the new code for a spin in your configuration, I'd really appreciate it, thanks.

    -Ray Krueger
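
Added example, not part of the original thread and not Acegi's code: the three handler shapes discussed above (shared state without a lock, the synchronized block, and passing the authentication as an argument), exercised from several threads. The class names are hypothetical and a plain String stands in for the Authentication object; the unsynchronized variant can report a non-zero count because one thread's setAuthentication call overwrites another's before handle runs.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.UnaryOperator;
import javax.security.auth.callback.NameCallback;

public class SharedHandlerRace {
    // Shape of the original handler: per-request state kept on a shared singleton.
    static class StatefulHandler {
        private String user; // overwritten by whichever thread called last
        void setAuthentication(String user) { this.user = user; }
        void handle(NameCallback cb) { cb.setName(user); }
    }
    // Shape described in the last post: the request travels as an argument.
    static class StatelessHandler {
        void handle(NameCallback cb, String user) { cb.setName(user); }
    }

    // Runs `login` from 8 threads and counts callbacks that received another thread's name.
    static int mismatches(UnaryOperator<String> login) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        AtomicInteger wrong = new AtomicInteger();
        for (int t = 0; t < 8; t++) {
            String user = "user" + t; // constructed principal names
            pool.submit(() -> {
                for (int i = 0; i < 200_000; i++)
                    if (!user.equals(login.apply(user))) wrong.incrementAndGet();
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return wrong.get();
    }

    public static void main(String[] args) throws InterruptedException {
        StatefulHandler shared = new StatefulHandler();
        StatelessHandler stateless = new StatelessHandler();
        System.out.println("unsynchronized: " + mismatches(u -> {
            NameCallback cb = new NameCallback("user: ");
            shared.setAuthentication(u); shared.handle(cb); return cb.getName(); }));
        System.out.println("synchronized:   " + mismatches(u -> {
            NameCallback cb = new NameCallback("user: ");
            synchronized (shared) { shared.setAuthentication(u); shared.handle(cb); }
            return cb.getName(); }));
        System.out.println("by argument:    " + mismatches(u -> {
            NameCallback cb = new NameCallback("user: ");
            stateless.handle(cb, u); return cb.getName(); }));
    }
}
```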
