More than Username Password - Weblogic


  1. More than Username Password


    We are developing a custom SSPI module for our WebLogic servers, and I have a concern
    with remote logins for remote EJB calls.

    The documentation states that the UsernamePasswordLoginModule is a good way to
    remotely log into a different BEA server so that EJB calls can be made from the
    Security.runAs context. However, I need to have more information passed than
    just the username password combination, e.g. applicationId that is making the
    call, in addition to the userid.

    The docs recommend creating your own login module, which is fine, but if I am
    correct the UsernamePasswordLoginModule uses the environment object and Authenticate.authenticate,
    to perform the login to my SSPI. In that case the name is somehow translated
    into a NameCallback and (credential) Password to a PasswordCallback. If I want
    to add a different callback, "CallingAppCallback", where is that set in the environment
    object? In the properties? And if so, how is that then accessed by my LoginModule
    or AuthenticationProviderImpl?

    I just don't see how to extend the functionality of UsernamePasswordLoginModule
    for remote-server logins.



  2. Re: More than Username Password

    ToddTobin wrote:
    > We are developing a custom SSPI module for our WebLogic servers, and I have a concern
    > with remote logins for remote EJB calls.
    >
    > The documentation states that the UsernamePasswordLoginModule is a good way to
    > remotely log into a different BEA server so that EJB calls can be made from the
    > Security.runAs context. However, I need to have more information passed than
    > just the username password combination, e.g. applicationId that is making the
    > call, in addition to the userid.
    >
    > The docs recommend creating your own login module, which is fine, but if I am
    > correct the UsernamePasswordLoginModule uses the environment object and Authenticate.authenticate,
    > to perform the login to my SSPI. In that case the name is somehow translated
    > into a NameCallback and (credential) Password to a PasswordCallback. If I want
    > to add a different callback, "CallingAppCallback", where is that set in the environment
    > object? In the properties? And if so, how is that then accessed by my LoginModule
    > or AuthenticationProviderImpl?
    >
    > I just don't see how to extend the functionality of UsernamePasswordLoginModule
    > for remote-server logins.


    Yes, this is a major limitation. I had a similar limitation when I
    implemented a Kerberos client. If you can't fit what you want into two
    string fields, you are stuffed. BEA really need to open up the API for
    client-side login modules. To be fair to BEA, JAAS is useless so they
    weren't working with something that was designed for distributed systems
    in the first place.

    Anyway, I worked around it by Base64 encoding my data (which was binary,
    obviously). I suggest you come up with some way of encoding the
    application id in the username, e.g. user@id or something along those lines.

    If you do come up with a better solution I'd be very interested to know!

    Robert
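
The receiving side of the user@id workaround suggested above, as an added example that is not part of the thread and not BEA's code: a server-side LoginModule would read the single name field through a NameCallback and split it strictly. The class name, `readIdentity`, the `KNOWN_APPS` allow-list and the character rules are assumptions made for illustration; only standard JAAS classes are used.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import java.util.Set;
import java.util.regex.Pattern;

public class CompositeNameDemo {
    // Hypothetical allow-list of calling applications; a real provider would load it from configuration.
    static final Set<String> KNOWN_APPS = Set.of("billing", "crm");
    // Restrictive character sets so the '@' delimiter can never appear inside either part.
    static final Pattern USER = Pattern.compile("[A-Za-z0-9._-]{1,64}");
    static final Pattern APP = Pattern.compile("[a-z0-9-]{1,32}");

    /** Returns {userId, appId} parsed from the single name field, or throws. */
    static String[] readIdentity(CallbackHandler handler) throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        try {
            handler.handle(new Callback[] { nc });
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        String raw = nc.getName();
        int at = raw == null ? -1 : raw.indexOf('@');
        // Require exactly one delimiter with a non-empty user part before it.
        if (at <= 0 || at != raw.lastIndexOf('@')) throw new FailedLoginException("malformed name");
        String user = raw.substring(0, at), app = raw.substring(at + 1);
        // The app id is only a claim made by the caller; the password check must still authenticate the user.
        if (!USER.matcher(user).matches() || !APP.matcher(app).matches()
                || !KNOWN_APPS.contains(app)) throw new FailedLoginException("malformed name");
        return new String[] { user, app };
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for what a remote client put in the username field.
        for (String sample : new String[] { "todd@billing", "todd", "todd@crm@billing", "todd@unknown" }) {
            CallbackHandler h = cbs -> ((NameCallback) cbs[0]).setName(sample);
            try {
                String[] id = readIdentity(h);
                System.out.println(sample + " -> user=" + id[0] + " app=" + id[1]);
            } catch (LoginException e) {
                System.out.println(sample + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Rejecting names with zero or several delimiters keeps one login string from mapping to two different user and application pairs, and the same error text for every rejection avoids telling the caller which part failed.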
