abort() called on LoginModule when login() returns true for Weblogic 8.1
Hi,
I'm trying to create my own Authentication Provider for Weblogic 8.1. I
have modified the Manageable Sample Authentication Provider to gain
access to my user database. Everything went smoothly until the last
vital step. Even though the login() method of my LoginModule returns
true, its abort() method is called instead of the commit() method. The
correct group is added to the principalsForSubject Vector during the
login() method. Does anyone have any suggestions on what I have done
wrong? Any suggestions would be most appreciated.
Best regards
Brynjar Glesnes
My LoginModule follows:
    import java.io.IOException;
    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.Iterator;
    import java.util.Map;
    import java.util.Vector;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginException;
    import javax.security.auth.login.FailedLoginException;
    import javax.security.auth.spi.LoginModule;
    import com.takecargo.domainentities.user.UserEntityVO;
    import com.takecargo.domainentities.role.GroupVO;
    import weblogic.security.principal.WLSGroupImpl;
    import weblogic.security.principal.WLSUserImpl;

    final public class MyLoginModuleImpl implements LoginModule {
        private Subject subject;
        private CallbackHandler callbackHandler;
        private MyDAO accessor;
        private boolean isIdentityAssertion;

        // Authentication status
        private boolean loginSucceeded;
        private boolean principalsInSubject;
        private Vector principalsForSubject = new Vector();

        public void initialize(Subject subject, CallbackHandler callbackHandler,
                               Map sharedState, Map options) {
            debug("ManageableSampleLoginModuleImpl.initialize");
            this.subject = subject;
            this.callbackHandler = callbackHandler;
            // Determine if we're in identity assertion or authentication mode
            isIdentityAssertion =
                "true".equalsIgnoreCase((String)options.get("IdentityAssertion"));
            // Get the object that manages the user and group definitions
            accessor = (MyDAO)options.get("accessor");
        }

        public boolean login() throws LoginException {
            try {
                debug("LdapLoginModuleImpl.login");
                Callback[] callbacks = getCallbacks();
                String userName = getUserName(callbacks);
                if (userName.length() > 0) {
                    UserEntityVO user = accessor.getUser(userName);
                    // Identity assertion skips the password check
                    if (!isIdentityAssertion) {
                        try {
                            accessor.authenticate(userName,
                                getPasswordHave(userName, callbacks));
                        } catch (DAOException e) {
                            throwFailedLoginException(
                                "Login failed for " + userName);
                        }
                    }
                    loginSucceeded = true;
                    // Collect the principals; they are added to the Subject in commit()
                    principalsForSubject.add(new WLSUserImpl(userName));
                    Collection groups = listMemberGroups(user);
                    for (Iterator i = groups.iterator(); i.hasNext();) {
                        GroupVO group = (GroupVO)i.next();
                        String groupName = group.getGroupName();
                        debug("\tgroupName\t= " + groupName);
                        principalsForSubject.add(new WLSGroupImpl(groupName));
                    }
                } else {
                    SimpleDebugger.debug("\tempty userName");
                    loginSucceeded = false;
                }
                SimpleDebugger.debug("Login resulted in " + loginSucceeded);
                return loginSucceeded;
            } catch (LoginException e) {
                // Let FailedLoginException and other login errors through unchanged
                // instead of replacing them with the generic failure below
                throw e;
            } catch (Exception e) {
                throwLoginException("Failure when authenticating");
                return false;
            }
        }

        protected Collection listMemberGroups(UserEntityVO userVO) {
            ...
        }

        // Called only when the overall authentication succeeded
        public boolean commit() throws LoginException {
            debug("LdapLoginModule.commit");
            if (loginSucceeded) {
                subject.getPrincipals().addAll(principalsForSubject);
                principalsInSubject = true;
                return true;
            } else {
                return false;
            }
        }

        // Called when the overall authentication failed, even if login() returned true
        public boolean abort() throws LoginException {
            debug("LdapLoginModule.abort");
            if (principalsInSubject) {
                subject.getPrincipals().removeAll(principalsForSubject);
                principalsInSubject = false;
            }
            return true;
        }
        ...
    }
Re: abort() called on LoginModule when login() returns true for Weblogic 8.1
Hi,
I solved the problem myself.
In the Weblogic Console I had kept the DefaultAuthenticator and the
DefaultIdentityAsserter to hold the authentication details for the
Weblogic Console itself, whereas my custom LoginModule was to hold
authentication data for the application running on the Weblogic Server.
When changing the "Control Flag" to SUFFICIENT on both authenticators,
my problem vanished.
Regards
Brynjar
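The symptom and the fix above both follow from JAAS control-flag semantics, shown here with plain JAAS as an added example that is not code from this thread and does not use WebLogic classes. StubModule, the names "default" and "custom", and the assumption that the default provider's module rejects the application user are all hypothetical.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class ControlFlagDemo {
    static final List<String> calls = new ArrayList<>();
    // Hypothetical stub: the "ok" option decides whether login() succeeds.
    public static class StubModule implements LoginModule {
        private String name; private boolean ok;
        public void initialize(Subject s, CallbackHandler h,
                               Map<String, ?> shared, Map<String, ?> opts) {
            name = (String) opts.get("name");
            ok = "true".equals(opts.get("ok"));
        }
        public boolean login() throws LoginException {
            calls.add(name + ".login");
            if (!ok) throw new FailedLoginException(name + ": unknown user");
            return true;
        }
        // Like the posted module: commit() returns false if this module's login failed.
        public boolean commit() { calls.add(name + ".commit"); return ok; }
        public boolean abort()  { calls.add(name + ".abort");  return true; }
        public boolean logout() { return true; }
    }
    static AppConfigurationEntry entry(String name, boolean ok, LoginModuleControlFlag flag) {
        Map<String, String> opts = new HashMap<>();
        opts.put("name", name); opts.put("ok", String.valueOf(ok));
        return new AppConfigurationEntry(StubModule.class.getName(), flag, opts);
    }
    // Runs a two-module stack (default rejects, custom accepts) under one control flag.
    static List<String> run(LoginModuleControlFlag flag) {
        calls.clear();
        final AppConfigurationEntry[] stack = { entry("default", false, flag), entry("custom", true, flag) };
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String n) { return stack; }
        };
        try {
            new LoginContext("demo", new Subject(), null, cfg).login();
            calls.add("overall: success");
        } catch (LoginException e) {
            calls.add("overall: failed");
        }
        return new ArrayList<>(calls);
    }
    public static void main(String[] args) {
        System.out.println("REQUIRED:   " + run(LoginModuleControlFlag.REQUIRED));
        System.out.println("SUFFICIENT: " + run(LoginModuleControlFlag.SUFFICIENT));
    }
}
```

Under REQUIRED the custom module's abort() runs although its login() returned true, because the other REQUIRED module failed; under SUFFICIENT its commit() runs. With SUFFICIENT on every provider, a success in any one of them authenticates the user, so each provider in the stack becomes a trusted source of identities.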
Re: abort() called on LoginModule when login() returns true for Weblogic 8.1
Hi,
I'm also facing the same issue.
I don't know whether the correct group is added to the principalsForSubject Vector during the
login() method. I used the following statements to add groups.
    principalsForSubject.add(new WLSUserImpl(userName));
    addGroupsForSubject(userName);
Could you please suggest if the above methods are wrong to add groups?
I changed the "Control Flag" to SUFFICIENT on DefaultAuthenticator.
Thanks and regards,
Swathi
Re: abort() called on LoginModule when login() returns true for Weblogic 8.1
Hi Brynjar,
We are also facing the same issue. I have written a custom SSPI connector.
We are using WebLogic 9.2 version.
But, I tried the same as you suggested. I couldn't resolve it.
Please suggest.