
Custom JAAS login module for Application login configuration


mue...@ca.com

Nov 8, 2005, 8:21:36 PM
Hi,

I am using WAS 6.x on Windows 2003 server.

I have created a custom JAAS login module, then I created a WAS JAAS Application login configuration containing the custom login module.
The Application login configuration also has the ltpa login module configured, since a WSCredential and WSPrincipal object should also be created when this application login configuration is used. (I followed the steps described in http://www-128.ibm.com/developerworks/websphere/techjournal/0508_benantar/0508_benantar.html#sec5)

The login modules in the application login configuration are ordered 1.my custom login module, 2.ltpa login module.
The ltpa login module fails at the commit stage, because the WSCredential object is null.
The ltpa login module is seeing the WSCREDENTIAL_ properties in the hashtable but doesn't seem to be creating the WSCredential and WSPrincipal objects.

What do I need to do to create the WSCredential and WSPrincipal objects when using a custom login module in an application login configuration?

thx

Paul Ilechko

Nov 9, 2005, 8:26:15 AM

Why did you create an application login configuration rather than add
your login module to an existing system configuration as described in
the article? I'm not sure there is any good reason to do that - to my
mind, application configurations are useful to create a temporary
credential for a remote realm on the current thread in order to call out
to a remote server. The system configuration is really what you should
be using to create WAS credentials and propagate them appropriately.

Also, LTPA requires two standard login modules, the LtpaLoginModule and
the WsMapDefaultInboundLoginModule. These are both on the web-inbound
system configuration.

Paul.

mue...@ca.com

Nov 9, 2005, 4:02:52 PM
I created an application login configuration since to my knowledge I can't use a system login to validate a SOAP document (using SOAP/HTTP).

The application I am trying to protect is a jax-rpc web service, but the security token I am using is a proprietary token (not wrapped in a WS-Security header). The web services security mechanisms offered by WebSphere all seem to require that the token be wrapped in a WS-Security header.

I can't see any way of accessing the SOAP document from a system login, and changing the security token is not an option either.

While prototyping I used the WSLogin application login configuration and it created the WAS credentials. I would like to try to emulate this behaviour using a custom login module.

thx,
Heidi

mue...@ca.com

Nov 9, 2005, 10:43:24 PM
Thanks for the link.

I have already followed that path but found that unless I wrapped the custom token in a WS-Security header my custom token consumer would not be called.

Only when my XML doc contained:
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0" SOAP-ENV:mustUnderstand="1">
....elements containing the custom token
</wsse:Security>

would WebSphere recognise that it needed to handle my custom token.

At this point in time, I need to be able to support tokens which do not have the wsse:Security block around them.
Is this scenario supported by token consumers?
Was the problem I had related to configuration of the token consumer?

I found that the token consumer would work if it was inside a wsse:Security element. When I removed the wsse:Security element it was no longer called.

thx,
Heidi

Paul Ilechko

Nov 9, 2005, 10:22:18 PM
mue...@ca.com wrote:
> I created an application login configuration since to my knowledge I
> can't use a system login to validate a SOAP document (using
> SOAP/HTTP).
>
> The application I am trying to protect is a jax-rpc web service, but
> the security token I am using is a proprietary token (not wrapped in
> a WS-Security header). The web services security mechanisms offered
> by WebSphere all seem to require that the token be wrapped in a
> WS-Security header.
>
> I can't see any way of accessing the SOAP document from a system
> login, and changing the security token is not an option either.


It would have been helpful if you mentioned some of these details in
your original post ...

The paper that I co-authored, and that you reference, specifically did
not address web services security, as it adds a great deal of extra
complexity that we did not have time to research and include. However,
if you want to use custom tokens the hooks are in place - take a look at
the WAS info center, starting here:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/twbs_securev6wss.html

Particularly, look at the interfaces for token generators and token
consumers.

Hope this helps,

Paul.

Paul Ilechko

Nov 10, 2005, 8:13:15 AM

Sorry, I really haven't looked at this stuff.

If you really don't want to use WS-Security, one possibility that might
work is putting your token in the HTTP headers and seeing if you can
process it in a TAI instead of a login module.

mue...@ca.com

Nov 10, 2005, 3:42:42 PM
Thanks for your replies.

Does this mean it isn't possible to replicate the behaviour of com.ibm.ws.security.common.auth.module.WSLoginModuleImpl in a custom login module?
When that module is called the WSCredential & WSPrincipal are created. Can I create a custom application login module which will create these objects?

thx,
Heidi

Paul Ilechko

Nov 10, 2005, 3:54:02 PM
mue...@ca.com wrote:

To my knowledge it is impossible to create WebSphere credentials in
application code.

Paul Ilechko

Nov 10, 2005, 4:34:18 PM
mue...@ca.com wrote:

Why can't you use WSlogin? Do you not have the password available?

Have you looked into doing Identity Assertion? This is easiest in a TAI,
but can be done in a login module - see:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_identity_assert.html

mue...@ca.com

Nov 10, 2005, 4:55:31 PM
I can get the password, but I didn't want to authenticate against a WebSphere user registry.

If I created a Custom user registry then would the WSLogin module use that for authentication?

Paul Ilechko

Nov 10, 2005, 5:47:25 PM
mue...@ca.com wrote:
> I can get the password, but I didn't want to authenticate against a WebSphere user registry.
>
> If I created a Custom user registry then would the WSLogin module use that for authentication?

Yes.

sha...@yahoo.com

Nov 29, 2005, 9:50:40 AM
I have a problem when I try to use the MyBeforeLTPALoginModule: in the login() method I try to add 2 roles for the user
groups.add("CN=clerk,OU=Groups,dc=fnfinc-ngs,dc=int");
groups.add("CN=manager,OU=Groups,dc=fnfinc-gs,dc=int");

it fails with an exception
WSCredentialT E SECJ5009E: Could not create a WSCredential given the information provided during a propagation login. The following exception occurred: java.util.ConcurrentModificationException
at java.util.AbstractList$Itr.checkForComodification(AbstractList.java:462)
at java.util.AbstractList$Itr.next(AbstractList.java:433)
at com.ibm.ws.security.token.WSCredentialTokenMapper.createWSCredentialFromProperties(WSCredentialTokenMapper.java:250)
at com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule$2.run(wsMapDefaultInboundLoginModule.java:648)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
at com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.login(wsMapDefaultInboundLoginModule.java:644)
at com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy.login(WSLoginModuleProxy.java:122)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
at java.security.AccessController.doPrivileged(AccessController.java:189)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
at com.ibm.ws.security.auth.JaasLoginHelper.jaas_login(JaasLoginHelper.java:446)
at com.ibm.ws.security.auth.distContextManagerImpl.login(distContextManagerImpl.java:1020)
at com.ibm.ws.security.auth.distContextManagerImpl.login(distContextManagerImpl.java:869)
at com.ibm.ws.security.web.FormLoginExtensionProcessor$1.run(FormLoginExtensionProcessor.java:280)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
at com.ibm.ws.security.web.FormLoginExtensionProcessor.formLogin(FormLoginExtensionProcessor.java:300)
at com.ibm.ws.security.web.FormLoginExtensionProcessor.handleRequest(FormLoginExtensionProcessor.java:166)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:2816)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:220)
at com.ibm.ws.webcontainer.VirtualHost.handleRequest(VirtualHost.java:204)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1681)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:77)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:421)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:367)
at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:94)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:548)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:601)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:934)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1021)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1332)
Can someone help me understand how to overcome this problem?

Paul Ilechko

Nov 29, 2005, 7:01:14 PM
sha...@yahoo.com wrote:
> I have a problem when I tried to use the MyBeforeLTPALoginModule and in the login() method I try to add 2 roles for the user
> groups.add("CN=clerk,OU=Groups,dc=fnfinc-ngs,dc=int");
> groups.add("CN=manager,OU=Groups,dc=fnfinc-gs,dc=int");
>
> it fails with an exception
> WSCredentialT E SECJ5009E: Could not create a WSCredential given the information provided during a propagation login. The following exception occurred: java.util.ConcurrentModificationException

I'm curious as to why you are in a propagation login - generally you
should not do anything in that situation. Why don't you post your code,
and please read my paper if you haven't already done so:

http://www-128.ibm.com/developerworks/websphere/techjournal/0508_benantar/0508_benantar.html

Grzegorz

Nov 29, 2005, 9:08:57 PM
to sha...@yahoo.com
Hello,

I've got a similar problem.
This is a WebSphere bug. At least in version 6.0.0.0. I didn't have time to update to 6.0.2.3.
Maybe I'll do it tomorrow if I have time.
Try to update and let me know if it helped.

Grzegorz

Grzegorz

Nov 29, 2005, 9:49:50 PM
Yep. Don't know which patch fixes that but it's working in 6.0.2.3. I've checked.
Hope it helps.

Grzegorz

sha...@yahoo.com

Nov 30, 2005, 9:54:24 AM
Thank you very much. I will download the 6.0.2.3 version and test it. Thanks again.

spsa...@cyantific.net

Dec 9, 2005, 6:15:46 AM
Hello,

I have a similar problem. My client's requirements are to return a custom exception when an attempt to authenticate from a standalone J2SE client fails. I have implemented a custom JAAS login module which I have placed in the RMI_INBOUND system configuration so that:

1. CustomLoginModule requisite
2. ltpaLoginModule required
3. wsMapDefaultInboundModule required

The idea is that if CustomLoginModule fails, control returns to the application with a custom exception; if it succeeds it moves on to the next LoginModule down the line. I have followed the instructions found in the article (http://www-128.ibm.com/developerworks/websphere/techjournal/0508_benantar/0508_benantar.html#sec5)
but unfortunately it doesn't seem to work. In particular, it seems that the ltpaLoginModule cannot find any credentials in the subject (or re-create them). I have tried adding the user attributes hashtable to the subject.getPublicCredentials() and/or the sharedState but the ltpaLoginModule seems to believe that the user is UNAUTHENTICATED and throws an exception.

Regarding exceptions, I have added the com.ibm.websphere.security.registry.propagateExceptionsToClient=true property to Security->Global Security->CustomProperties already.

Can someone help? I would greatly appreciate it!

Regards,

Stelios Psarras
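Both Heidi's original question (a custom module placed ahead of the LTPA module, with the WSCREDENTIAL_ properties visible in the hashtable but no WSCredential/WSPrincipal created) and Stelios' post above (the hashtable added to the public credentials and/or the sharedState, yet the ltpaLoginModule still treating the user as unauthenticated) come down to the same hand-off contract from the Benantar article: the custom module authenticates the caller and publishes a Hashtable of WSCREDENTIAL_* properties; the LtpaLoginModule and WsMapDefaultInboundLoginModule behind it build the WAS credential from that Hashtable, since (as Paul says) application code cannot create a WSCredential itself. The sketch below is an added example written for this thread, not code from any of the posters, from the article, or from IBM. The constant names are the ones I recall from IBM's documented com.ibm.wsspi.security.token.AttributeNameConstants and should be checked against the Javadoc of the WAS version in use; the realm name, group DN, and the verifyProprietaryToken()/lookupGroups() helpers are placeholders standing in for the application's own token code.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.wsspi.security.token.AttributeNameConstants;

/**
 * Added example (not from the thread, the article, or IBM). A custom JAAS
 * module meant to run FIRST in a WAS login configuration. It does not create
 * a WSCredential itself; it validates the caller and publishes WSCREDENTIAL_*
 * properties for the IBM modules that follow it in the stack.
 */
public class TokenToHashtableLoginModule implements LoginModule {

    // Placeholder realm; a real module would take this from the registry.
    private static final String REALM = "placeholderRealm";

    private Subject subject;
    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private Hashtable<String, Object> wsCredProps; // what the LTPA module reads
    private boolean succeeded;

    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
    }

    public boolean login() throws LoginException {
        // Placeholder: validate the proprietary token; null means rejected.
        // Throwing here lets a "requisite"/"required" flag stop the whole login.
        String userId = verifyProprietaryToken(handler);
        if (userId == null) {
            succeeded = false;
            throw new LoginException("proprietary token rejected");
        }

        // Fresh, unshared collections: the downstream module iterates them.
        List<String> groups = new ArrayList<String>();
        for (String groupDn : lookupGroups(userId)) {
            groups.add("group:" + REALM + "/" + groupDn);
        }

        wsCredProps = new Hashtable<String, Object>();
        wsCredProps.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID,
                        "user:" + REALM + "/" + userId);
        wsCredProps.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, userId);
        wsCredProps.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
        // Cache key: must differ for every distinct set of credential attributes.
        wsCredProps.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY,
                        REALM + "/" + userId + "/custom-token");

        // Hand-off point: the LTPA module looks for the Hashtable under this key.
        sharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, wsCredProps);
        succeeded = true;
        return true;
    }

    public boolean commit() throws LoginException {
        if (!succeeded) {
            return false;
        }
        // Also expose the same Hashtable through the Subject for later modules.
        subject.getPublicCredentials().add(wsCredProps);
        return true;
    }

    public boolean abort() throws LoginException {
        wsCredProps = null;
        succeeded = false;
        return true;
    }

    public boolean logout() throws LoginException {
        if (wsCredProps != null) {
            subject.getPublicCredentials().remove(wsCredProps);
        }
        return abort();
    }

    // --- placeholders standing in for the application's own token handling ---

    private String verifyProprietaryToken(CallbackHandler handler) {
        // Real code would obtain the token via a callback and check its
        // signature and expiry. Constructed sample value for illustration.
        return "sample.user";
    }

    private List<String> lookupGroups(String userId) {
        List<String> dns = new ArrayList<String>();
        dns.add("CN=clerk,OU=Groups,dc=example,dc=int"); // constructed sample DN
        return dns;
    }
}
```

Two points from the thread are reflected in the design. First, the module belongs in a system login configuration (Paul's advice), listed before LtpaLoginModule and WsMapDefaultInboundLoginModule, because only the IBM modules turn the Hashtable into WSCredential and WSPrincipal objects. Second, the groups list is built fresh and handed over complete rather than mutated while another module might be iterating it; that is ordinary hygiene and is not claimed to fix the ConcurrentModificationException later in the thread, which the posters traced to a WebSphere defect resolved by updating to 6.0.2.3.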

Paul Ilechko

Dec 9, 2005, 9:34:33 AM
spsa...@cyantific.net wrote:
> Hello,
>
> I have a similar problem. My client's requirements are to return a
> custom exception when an attempt to authenticate from a standalone
> J2SE client fails.

This might be your problem. You probably are missing some WAS client
jars that you need to support CSIv2 security. Try installing the thin
application client:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tcli_installclient.html

sha...@yahoo.com

Mar 28, 2006, 12:07:44 PM
In a clustered environment, will the custom JAAS setting be lost if there is a failover? I mean, if there is a failover, will the Subject have the CustomJaasStuff object or will it be lost?

If not, is there a workaround without making them to re-login?

Paul Ilechko

Mar 28, 2006, 12:57:24 PM


That depends. In general, it should be kept, but there may be situations
where it will be lost. In that case, you can decide whether to force the
user to login again, or to allow the user continue with missing
information in the Subject. See my paper:

http://www-128.ibm.com/developerworks/websphere/techjournal/0508_benantar/0508_benantar.html

- particularly the section on propagation.

yasir...@iacgrp.com

Aug 27, 2009, 3:30:40 AM
Dear all, I am getting the following exception when compiling a custom login module:
package com.ibm.wsspi.security.auth.callback does not exist.

So it cannot find the WSTokenHandlerCallback class from the missing package mentioned above.

I placed the simple Java file in websphere-install-root\java\bin. While surfing for a solution I came to know that two jar
files, wssec.jar and sas.jar, are missing for lots of people, and they are also missing from my WebSphere 6.1 installations. I even tried the latest fix packs, but to no avail.

Can anybody help me with this.
Thanx
