扩展LdapLoginModule不授权用户

时间:2014-06-26 04:15:00

标签: java jboss ldap jaas j-security-check

我正在尝试使用JAAS安装自定义身份验证(在应用程序中需要)。 我的standalone.xml看起来像

<security-domain name="other" cache-type="default">
                <authentication>
                    <login-module code="com.app.user.extendedSec.ExtendedLdapExtLoginModule" flag="optional">
                        <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                        <module-option name="java.naming.provider.url" value="ldap://app.user.in:389"/>
                        <module-option name="java.naming.security.authentication" value="simple"/>
                        <module-option name="password-stacking" value="useFirstPass"/>
                        <module-option name="principalDNPrefix" value="cn="/>
                        <module-option name="principalDNSuffix" value=",OU=Test,DC=ads,DC=exilant,DC=in"/>
                        <module-option name="rolesCtxDN" value="OU=Test,DC=ads,DC=exilant,DC=in"/>
                        <module-option name="uidAttributeID" value="member"/>
                        <module-option name="matchOnUserDN" value="false"/>
                        <module-option name="roleAttributeID" value="sAMAccountName"/>
                        <module-option name="roleAttributeIsDN" value="true"/>
                    </login-module>
                    <login-module code="com.app.user.extendedSec.ExtendedUsernamePasswordLoginModule" flag="required">
                        <module-option name="unauthenticatedIdentity" value="guest"/>
                        <module-option name="password-stacking" value="useFirstPass"/>
                        <module-option name="dsJndiName" value="java:/session-tracking-dataSource-orcl"/>
                        <module-option name="principalsQuery" value="SELECT PASSWORD FROM FUSION_USERS WHERE USERID=? AND LOCKFLAG='false' and (upper(active_ind) != 'N' or active_ind is null)"/>
                        <module-option name="rolesQuery" value="SELECT USERTYPE, 'Roles' FROM FUSION_USER_GROUPS WHERE USERID=?"/>
                    </login-module>

当使用数据库进行身份验证和授权时,它运行正常。但是无法使用ldap服务器进行身份验证/授权

public class ExtendedLdapExtLoginModule extends LdapLoginModule {

private static Logger _logger=Logger.getLogger(ExtendedLdapExtLoginModule.class.getClass());



/**
 * @param inputPassword: encrypted password from request; expectedPassword: password from active directive
 * @return passed to the super class. True for success, false for failure.
 */
@Override
protected boolean validatePassword(String inputPassword, String expectedPassword) {
    _logger.debug("ExtendedLdapExtLoginModule: Input encrypted: " + inputPassword);
    _logger.debug("ExtendedLdapExtLoginModule: Input decrypted: " + PasswordCodec.getDecryptedPassword(inputPassword));
    _logger.debug("ExtendedLdapExtLoginModule: Expected: " +expectedPassword);

    //  Decrypt the password before pass it for comparison
    return super.validatePassword(PasswordCodec.getDecryptedPassword(inputPassword), expectedPassword);
}

}

正确地在服务器端解密密码。

我在这里错过了什么吗?

由于                                      

1 个答案:

答案 0 :(得分:0)

假设您正在扩展org.jboss.security.auth.spi.LdapLoginModule,则不应覆盖validatePassword(),因为它已尝试对LDAP服务器执行绑定操作。

JBoss docs的源代码和评论来看,你可以使用vanilla LdapLoginModule#validatePassword(),它会尝试登录而不是密码检索。

具体来说,JBoss源代码中的这些评论澄清了这一点:

/** Overriden to return an empty password string as typically one cannot
obtain a user's password. We also override the validatePassword so
this is ok.
@return and empty password String
*/
protected String getUsersPassword() throws LoginException
{
  return "";
}

/** Validate the inputPassword by creating a ldap InitialContext with the
SECURITY_CREDENTIALS set to the password.

@param inputPassword the password to validate.
@param expectedPassword ignored
*/
protected boolean validatePassword(String inputPassword, String expectedPassword)
相关问题
最新问题