Skip to main content

Glassfish Custom Login Module and Realm Configuration

I wanted to create a custom login module and realm for Glassfish to implement a new authentication and authorization. I have taken the sun document but I "missed" - in fact parts of the info was there but hidden very well - some information and decided to share those here. I am focusing only on the missing parts. Rest is written in the document.

The first thing is point 3. To me it did not work to place class files into directory appserver-domain-dir/lib/classes. I created a jar file from my classes and put that into glassfish/lib and it worked after a server restart.

The next info what I missed is what jaas-context-name should be in login.conf and how it works later. So the jaas-context-name can be anything you want BUT you have to pass it to your Realm module as a parameter. Lets say you call you jaas-context-name as "customRealm".
So you have in login.conf:

customRealm{
org.CustomLogin required;
}


Then when you create your realm via the gui or any other way you must specify this as a parameter of the realm. The name of the parameter MUST BE jaas-context. To be precise it depends on the code. With the given code this is true. Otherwise depends on the following two lines:

String jaasCtx = props.getProperty(IASRealm.JAAS_CONTEXT_PARAM);
this.setProperty(IASRealm.JAAS_CONTEXT_PARAM, jaasCtx);


And JAAS_CONTEXT_PARAM inherited from super has a value "jaas-context".


Now you have a mapping between realm and login module.

But how to use the realm from NetBeans?
If you create a Web Application or Enterprise application the web part has a web.xml and a sun-web.xml file in the "Configuration Files" directory. Open web.xml and select security part. Here open the Login Configuration and if you select Basic the Realm Name: must be the name of the realm created before. This is not the jaas-context name. You have to create security roles and security constraints what I will explain later.
So now you have a realm which is using basic authentication and the Realm Name is set to custom-realm.
The result in web.xml is:

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>custom-realm</realm-name>
</login-config>

This realm has a parameter jaas-context which specifies which login module must be used.
The realm and the login module receives the user name and password typed in and returns the list of user groups to the container.
But what to return and how to specify who has rights to do what?
In the web.xml you specified you want to use a realm but under that in Netbeans you can specify which Role has access to which url via which way. You have to create security roles. This is like a group BUT this is not necessarily the group returned by the Realm Module. This is an internal application level group. If you create something like user and admin it is a good basis.
Below that you have to specify security constraints. This is where you can specify which URL is accessible to which Role in which way. Take a look and you will understand. (When you specify the url you do not have to type the application name only the path under the context. For example if you have a jsp page as server:8080/Application/faces/user/Index.jsp you have to type in only /faces/user/* and you have to miss Application.)
Here is an example constraint:

<security-constraint>
<display-name>Application User</display-name>
<web-resource-collection>
<web-resource-name>Application User Pages</web-resource-name>
<description/>
<url-pattern>/faces/user/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>Application-user</role-name>
</auth-constraint>
<user-data-constraint>
<description/>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>


One missing thing is how to map Authentication Groups to Application Roles. If the Realm returns the same name as group as an existing role this is mapped automatically but this is not the usual case. If user is for example in Administrator group and application has an Admin role you need a mapping between these. You can specify these in sun-web.xml Open and do it. It is self evident.
<security-role-mapping>
<role-name>application-admin</role-name>
<group-name>Administrator</group-name>
</security-role-mapping>


So the whole procedure is when somebody calls your application via an url container checks if there is a security-constraint on the url and which Security Role you need to have to access it. The container also know which Realm is responsible to authenticate the users in this application. Makes the authentication and send this info to your module. The login module is taken based on the jaas-context parameter of the Realm. Your module returns list of user groups if user is authenticated. If the user is in the group which is mapped to the necessary Security Role access is granted. That is all.

Comments

Popular posts from this blog

Insufficient Disk Space reported under wine

Did you try to install/setup any Windows Application - actually a Game what else could be necessary - and got a message that you do not have enough free space on your drive meanwhile you had lot of free space on the chosen mounted partition? You will learn the problem and hopefully the solution too. (Of course I suppose it is not the real situation you have no enough space. If so do not read ahead.) The problem is that wine does not check the amount of free space on the mounted partition corresponds to the selected directory but reports the free on the root of the directory the partition mounted to . ;( Probably it is not clean so here is an example: Let say you have / only and something is mounted as /mnt/part1 If you directly select /mnt/part1 during installation wine will check free space in fact on / and does not calculate free on the partition mounted under /mnt/part1. How to solve it you may ask? It is easy. Start winecfg and create a new drive with the directory you want to use.

Ansible: Using multiple tags and untagged tag together

I have lots of Ansible playbooks with many roles in each. However when you are installing different minor version of the same software stack, there are only minor differences between the steps. In this case it does not make much sense to "copy paste" the whole role so I just wanted to use tags. I wanted to use untagged tasks as common tasks and tagged tasks for version specific tasks. To make it clear here is an example. If you have a long os related role which does ssh config, web config, database install and creation and many more but sometimes you need java-6 or java-7 it is easy to add task and tag those according to this. Than my theory was that I can run ansible-playbook --tags=untagged,java6 to install the stack with java6 and ansible-playbook --tags=untagged,java7 to install same stack with java7. However this does not work. I have checked the Ansible source code and found why it is not working. Since I was not sure if this is a bug or by design I have opened a

Python Azure ML SDK issue on Ubuntu 22.04

It has been quite a while since I posted last time. Why? Because simply I did not run into any issue worth to share. But now! I did.  Recently we are doing some Machine Learning on Azure using Azure Machine Learning Python SDK. No problem you might think. Well. As it turned out Ubuntu 22.04 is not supported. And this is clearly said in a message. Which is in fact a lie. The Error message: NotImplementedError: Linux distribution ubuntu 22.04 does not have automatic support. Missing packages: {'liblttng-ust.so.0'} .NET Core 3.1 can still be used via `dotnetcore2` if the required dependencies are installed. Visit https://aka.ms/dotnet-install-linux for Linux distro specific .NET Core install instructions. Follow your distro specific instructions to install `dotnet-runtime-*` and replace `*` with `3.1.23`. Ok but what is this? And why? So as the error mentions dotnetcore2==3.1.23 Python package uses .NET Core 3.1 but Ubuntu 22.04 has only dotnet6 packages. And also Micro