A JBoss login module (like the LdapExtLoginModule in jbosssx.jar shipped with jboss-5.0.1.GA) returns a Group array with one SimpleGroup named "Roles" as its role set. The parent class AbstractServerLoginModule combines this with the Principal object representing the user, so the set of principals consists of two entries: one acting as the user and one acting as his roles. These are added to the principals of the Subject instance which was handed to the login module when LoginModule#initialize(Subject, javax.security.auth.callback.CallbackHandler, java.util.Map, java.util.Map) was called.
The Tomcat realm JAASRealm (provided by catalina.jar shipped with tomcat 6.0.20) has two input parameters naming the user and role principal classes (userClassNames and roleClassNames). After LoginContext#login() has been invoked successfully (LoginModule#login() and LoginModule#commit() succeeded for all login modules flagged as required), the subject mentioned earlier is retrieved and a new realm principal is created from it. In this process the set of principals (Subject#getPrincipals()) is iterated, and the first principal in the set fulfilling the following condition is used as the user:

    userClassNames.contains(principal.getClass().getName())
Afterwards, the remaining principals are compared with the role class names mentioned above. Each matching principal object becomes a role whose name is simply the name of that principal; there is no recursive search into groups. So the newly created realm principal gets only one role called "Roles" instead of the roles held as members of the SimpleGroup "Roles". As a consequence, a security constraint that refers to one of the LDAP roles never matches, while a constraint that refers to "Roles" would match every authenticated user.
Therefore, using such a login module in Tomcat requires creating a subclass which walks the members of the SimpleGroup "Roles" and adds each of them separately to the role set. This way the login module can be used to authenticate against an LDAP server in Tomcat using the JAASRealm.
Here is an example implementation of the respective method:
    @Override
    protected Group[] getRoleSets() throws LoginException {
        // The parent module returns a single SimpleGroup named "Roles"; expose each
        // of its members as a top-level Group so that JAASRealm sees them as roles.
        List<Group> groups = new LinkedList<Group>();
        Group[] roleSets = super.getRoleSets();
        if (roleSets == null || roleSets.length == 0) {
            return new Group[0];
        }
        Enumeration<? extends Principal> roles = roleSets[0].members();
        while (roles.hasMoreElements()) {
            groups.add(new SimpleGroup(roles.nextElement().getName()));
        }
        return groups.toArray(new Group[groups.size()]);
    }
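The following complete subclass is an added example, not code from the article or from the JBoss or Tomcat projects. It assumes the JBoss 5 class names org.jboss.security.auth.spi.LdapExtLoginModule and org.jboss.security.SimpleGroup, and the package and class name FlatRolesLdapExtLoginModule are hypothetical. It goes one step beyond the method above: it only flattens groups named "Roles" (any other container group is dropped rather than turned into a spurious role), it copes with an empty role set, and it descends into nested groups so that a group-of-groups is flattened as well.

```java
package example.auth; // hypothetical package

import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.auth.spi.LdapExtLoginModule;

/**
 * LdapExtLoginModule variant for Tomcat's JAASRealm.
 *
 * JAASRealm compares the class name of every principal in the Subject against
 * its roleClassNames and uses the principal's name as the role name; it does
 * not look inside Group members. This subclass therefore turns every member
 * of the "Roles" group into its own SimpleGroup principal.
 */
public class FlatRolesLdapExtLoginModule extends LdapExtLoginModule {

    /** Name of the container group JBoss login modules use for roles. */
    private static final String ROLES_GROUP = "Roles";

    @Override
    protected Group[] getRoleSets() throws LoginException {
        Group[] roleSets = super.getRoleSets();
        List<Group> flat = new ArrayList<Group>();
        if (roleSets == null) {
            return new Group[0];
        }
        // Names already emitted; avoids duplicate roles and guards against
        // cycles if a group is (mis)configured to contain itself.
        Set<String> seen = new HashSet<String>();
        for (Group roleSet : roleSets) {
            // Only the "Roles" container carries roles. Passing any other group
            // through unchanged would make JAASRealm grant a role named after it.
            if (roleSet != null && ROLES_GROUP.equals(roleSet.getName())) {
                collectRoles(roleSet, flat, seen);
            }
        }
        return flat.toArray(new Group[flat.size()]);
    }

    /** Adds one SimpleGroup per member of {@code group}, recursing into nested groups. */
    private static void collectRoles(Group group, List<Group> out, Set<String> seen) {
        Enumeration<? extends Principal> members = group.members();
        while (members.hasMoreElements()) {
            Principal member = members.nextElement();
            String name = member.getName();
            if (name == null || !seen.add(name)) {
                continue; // already emitted (or part of a cycle)
            }
            // JAASRealm matches on the exact class name, so every role must be a
            // SimpleGroup (the class listed in roleClassNames).
            out.add(new SimpleGroup(name));
            if (member instanceof Group) {
                collectRoles((Group) member, out, seen);
            }
        }
    }
}
```

To use it, reference this class instead of LdapExtLoginModule in the JAAS login configuration, and configure the realm in server.xml with the principal classes the module produces. Assuming the default identity class of the JBoss modules is org.jboss.security.SimplePrincipal, the realm would be declared with userClassNames="org.jboss.security.SimplePrincipal" and roleClassNames="org.jboss.security.SimpleGroup"; the user principal is then found by the first rule quoted above, and every flattened SimpleGroup becomes one role of the realm principal. Note that SimpleGroup extends SimplePrincipal, which is harmless here because JAASRealm compares class names exactly rather than using instanceof.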