JAAS security setup
This short tutorial introduces you to Java Authentication and Authorization Service (JAAS) based on a dual module approach.
JAAS
Magnolia uses Java Authentication and Authorization Service. JAAS creates two distinct processes:
- Username and password request
- Authentication and authorization
Although it is possible to use other servlet engines, the default engine is Tomcat.
Configuration is done in WEB-INF/config/jaas.config:
magnolia {
info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
The default configuration uses two classes:
- One for user login and password authentication.
- One for authorization of the authenticated user.
Each of these classes extends info.magnolia.jaas.sp.AbstractLoginModule. You can use this framework to implement your own login logic.
Login procedure
The following (simplified) login procedure assumes you have two JAAS modules configured:
- When a user logs in to Magnolia, all configured JAAS modules try to authenticate the user by calling the login() method. The method throws a LoginException if the login fails authentication. Since info.magnolia.jaas.sp.AbstractLoginModule provides the login() method, a JAAS module only has to implement a validateUser() method.
- After the user is successfully authenticated, the commit() method of each JAAS module is called.
login() method
The login() authentication method of info.magnolia.jaas.sp.jcr.JCRAuthenticationModule is mandatory. This method verifies that the user entered is valid and enabled. In addition, it checks that the password entered matches the password stored for that user. The second module's login authorization method is only called if the user is verified. Therefore the login() authorization method of info.magnolia.jaas.sp.jcr.JCRAuthorizationModule can be implemented empty.
Example
User:
- Create a JAAS module extending the info.magnolia.jaas.sp.jcr.JCRAuthorizationModule.
- Then, override the following two methods:
package my.project;

import java.util.Set;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import info.magnolia.jaas.principal.Entity;     // package assumed for Entity/EntityImpl
import info.magnolia.jaas.principal.EntityImpl;
import info.magnolia.jaas.sp.jcr.JCRAuthorizationModule;

public class ExternalJAASModule extends JCRAuthorizationModule {
    // this.user holds the object returned by authenticate(); both its type and
    // authenticate() itself depend on your external user store and are yours to supply.
    public void validateUser() throws LoginException {
        // name and pswd are populated by AbstractLoginModule from the login callbacks
        this.user = authenticate(this.name, this.pswd);
        if (this.user == null) {
            // one message for both cases, so the response does not reveal which check failed
            throw new FailedLoginException("User not found or password incorrect");
        }
        // pass the external groups and roles to Magnolia; they become principals on commit()
        if (this.user.getAllGroups() != null) {
            this.setGroupNames((Set) this.user.getAllGroups());
        }
        if (this.user.getAllRoles() != null) {
            this.setRoleNames((Set) this.user.getAllRoles());
        }
    }

    public void setEntity() {
        // build the Magnolia principal describing the authenticated user
        EntityImpl user = new EntityImpl();
        user.addProperty(Entity.LANGUAGE, this.user.getLanguage());
        user.addProperty(Entity.NAME, this.user.getName());
        user.addProperty(Entity.PASSWORD, new String(this.pswd));
        this.subject.getPrincipals().add(user);
    }
}
You still have to implement the authentication method to properly create a User object.
Because Magnolia is to be the secondary user management method, you have to list your module first and give it the sufficient modifier:
magnolia {
my.project.ExternalJAASModule sufficient;
info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
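To see why the sufficient modifier matters, here is an added example that is not part of the Magnolia page or project: a Python model of the JAAS login() flag rules (required, requisite, sufficient and optional, as defined for LoginContext), evaluated over the two jaas.config stacks shown above. The per-module outcomes are constructed inputs, not real logins.

```python
# Model of the JAAS login() phase flag rules (required, requisite, sufficient, optional)
# applied to the two jaas.config stacks shown on this page.
MAGNOLIA_DEFAULT = [
    ("info.magnolia.jaas.sp.jcr.JCRAuthenticationModule", "requisite"),
    ("info.magnolia.jaas.sp.jcr.JCRAuthorizationModule", "required"),
]
WITH_EXTERNAL = [("my.project.ExternalJAASModule", "sufficient")] + MAGNOLIA_DEFAULT


def run_login_stack(stack, outcomes):
    """Run the login() phase over (module, flag) pairs.
    outcomes: module -> constructed result of its login() (True = ok, False or
    missing = threw LoginException). Returns (authenticated, modules that ran)."""
    ran, mandatory_failed, any_succeeded = [], False, False
    for module, flag in stack:
        ok = outcomes.get(module, False)
        ran.append(module)
        any_succeeded = any_succeeded or ok
        if flag in ("required", "requisite"):
            if not ok:
                mandatory_failed = True
                if flag == "requisite":
                    break              # requisite failure stops the chain at once
        elif flag == "sufficient" and ok and not mandatory_failed:
            return True, ran           # sufficient success skips the remaining modules
        # optional, a failed sufficient, or a sufficient after a mandatory failure: keep going
    if any(f in ("required", "requisite") for _, f in stack):
        return not mandatory_failed, ran
    return any_succeeded, ran          # only sufficient/optional modules: one success is enough


def login_paths():
    """Cases worth checking before shipping this jaas.config (outcomes are constructed)."""
    ext, jcr_auth, jcr_authz = [m for m, _ in WITH_EXTERNAL]
    return {
        # default stack: a bad password stops at the requisite module; authorization never runs
        "default_bad_password": run_login_stack(MAGNOLIA_DEFAULT, {jcr_auth: False, jcr_authz: True}),
        # user known to the external store: Magnolia's own modules are skipped
        "external_user": run_login_stack(WITH_EXTERNAL, {ext: True}),
        # user unknown externally: falls through to Magnolia's JCR modules
        "magnolia_user": run_login_stack(WITH_EXTERNAL, {ext: False, jcr_auth: True, jcr_authz: True}),
        # wrong flag: marked 'required', an external-only user is always rejected by the JCR module
        "external_user_required": run_login_stack(
            [(ext, "required")] + MAGNOLIA_DEFAULT, {ext: True, jcr_auth: False}),
    }
```

The last case in login_paths() is the misconfiguration to watch for: with required instead of sufficient, a user who exists only in the external store can never log in, because the JCR module still has to succeed.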
Further reading
Credits go to Ralf Hirning for the original content contributed to the Magnolia Community Wiki.