The JAAS configuration is made via the JAAS Login Configuration File.
A login configuration file consists of one or more entries, each specifying which underlying authentication technology (which LoginModules) should be used for a particular application or applications.
The JAAS configuration file has the structure below:
Application_1 {
    LoginModuleClassA Flag Options;
    LoginModuleClassB Flag Options;
    LoginModuleClassC Flag Options;
};
Application_2 {
    LoginModuleClassB Flag Options;
    LoginModuleClassC Flag Options;
};
Other {
    LoginModuleClassC Flag Options;
    LoginModuleClassA Flag Options;
};
Each LoginModule entry carries a control flag that configures how authentication proceeds when that module succeeds or fails:
required - The LoginModule is required to succeed. Whether it succeeds or fails, authentication still proceeds through the LoginModule list (a failure is remembered and makes the overall authentication fail).
requisite - The LoginModule is required to succeed. If it succeeds, authentication continues through the LoginModule list. If it fails, control immediately returns to the application (authentication does not proceed through the LoginModule list).
sufficient - The LoginModule is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed through the LoginModule list). If it fails, authentication continues through the LoginModule list.
optional - The LoginModule is not required to succeed. Whether it succeeds or fails, authentication still proceeds through the LoginModule list.
The overall authentication succeeds only if all required and requisite LoginModules succeed; if a sufficient LoginModule succeeds, only the required and requisite LoginModules placed before it need to have succeeded. If an entry has no required or requisite LoginModule, at least one sufficient or optional LoginModule must succeed.
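The control-flag rules above in executable form, as an added example that is not JOnAS code: a small Python parser for the login configuration file format (entries, LoginModule class, flag, key=value options, // comments) and an evaluator that walks an entry's LoginModule list the way the flags dictate. The jaasclient entry is the one shown on this page; the sso, fallback and strict entries, the com.example.* class names and the LDAP URL are hypothetical, and the module outcomes fed to the evaluator are constructed.

```python
import re
from collections import namedtuple

FLAGS = ("required", "requisite", "sufficient", "optional")
# Token classes: whitespace, // line comment, quoted string, punctuation, bare word.
# A quoted value is consumed whole, so "ldap://host" is never cut at its "//".
TOKEN_RE = re.compile(r'\s+|//[^\n]*|"[^"]*"|[{};=]|[^\s{};="]+')
# cls: fully qualified LoginModule class; flag: control flag; options: {key: value}
ModuleEntry = namedtuple("ModuleEntry", "cls flag options")


def parse_login_config(text):
    """Parse 'Name { Class Flag key=value ...; ... };' entries into {name: [ModuleEntry]}."""
    toks = [m.group(0) for m in TOKEN_RE.finditer(text)
            if not m.group(0).isspace() and not m.group(0).startswith("//")]
    entries, i = {}, 0
    while i < len(toks):
        name = toks[i]
        if toks[i + 1] != "{":
            raise ValueError(f"expected '{{' after entry name {name!r}")
        i, modules = i + 2, []
        while toks[i] != "}":
            # Flags are matched case-insensitively, as Java's ConfigFile does;
            # entry names and class names are kept exactly as written.
            cls, flag = toks[i], toks[i + 1].lower()
            if flag not in FLAGS:
                raise ValueError(f"bad control flag {toks[i + 1]!r} for {cls}")
            i, options = i + 2, {}
            while toks[i] != ";":            # every module entry ends with ';'
                if toks[i + 1] != "=":
                    raise ValueError(f"expected key=value in {cls}, got {toks[i]!r}")
                options[toks[i]] = toks[i + 2].strip('"')
                i += 3
            modules.append(ModuleEntry(cls, flag, options))
            i += 1
        if toks[i + 1] != ";":
            raise ValueError(f"entry {name!r} must end with '}};'")
        entries[name] = modules
        i += 2
    return entries


def evaluate(modules, outcomes):
    """Walk an entry's LoginModule list applying the control flags.
    outcomes maps class name -> True (login() succeeded) or False (it threw a
    LoginException).  Returns (authenticated, classes actually consulted)."""
    consulted, required_error, any_success = [], False, False
    for m in modules:
        consulted.append(m.cls)
        if outcomes[m.cls]:
            any_success = True
            # sufficient stops the list only if no required/requisite module has
            # failed so far: a later sufficient success cannot rescue a failed required.
            if m.flag == "sufficient" and not required_error:
                break
        elif m.flag == "requisite":
            required_error = True
            break                            # control returns to the application now
        elif m.flag == "required":
            required_error = True            # remember the failure but keep going
        # a failing optional or sufficient module does not affect the verdict by itself
    return (not required_error) and any_success, consulted


# Constructed input: the jaasclient entry mirrors the one shipped with JOnAS;
# the other entries and the com.example.* classes are hypothetical.
SAMPLE_CONFIG = """
jaasclient {
  // Login Module to use for the example jaasclient.
  org.ow2.jonas.security.auth.spi.JResourceLoginModule required resourceName="memrlm_1";
  org.ow2.jonas.security.auth.spi.ClientLoginModule required globalCtx="true";
};
sso {
  com.example.TokenLoginModule sufficient;
  com.example.PasswordLoginModule required url="ldap://ldap.example.internal:389";
  com.example.AuditLoginModule optional;
};
fallback { com.example.PasswordLoginModule required; com.example.TokenLoginModule sufficient; };
strict { com.example.PinLoginModule requisite; com.example.PasswordLoginModule required; };
"""
JRES, CLIENT = ("org.ow2.jonas.security.auth.spi.JResourceLoginModule",
                "org.ow2.jonas.security.auth.spi.ClientLoginModule")
TOKEN, PASSWORD = "com.example.TokenLoginModule", "com.example.PasswordLoginModule"
AUDIT, PIN = "com.example.AuditLoginModule", "com.example.PinLoginModule"


def run_scenarios():
    """Constructed module outcomes per entry; returns {label: (authenticated, consulted)}."""
    cfg = parse_login_config(SAMPLE_CONFIG)
    return {
        "jaasclient, realm rejects": evaluate(cfg["jaasclient"], {JRES: False, CLIENT: True}),
        "sso, token valid": evaluate(cfg["sso"], {TOKEN: True, PASSWORD: False, AUDIT: False}),
        "sso, token invalid": evaluate(cfg["sso"], {TOKEN: False, PASSWORD: True, AUDIT: False}),
        "fallback, bad password": evaluate(cfg["fallback"], {PASSWORD: False, TOKEN: True}),
        "strict, bad pin": evaluate(cfg["strict"], {PIN: False, PASSWORD: True}),
    }


if __name__ == "__main__":
    for label, (ok, consulted) in run_scenarios().items():
        print(f"{label:26} -> {('authenticated' if ok else 'rejected'):13} via {consulted}")
```

Run it directly to see, for each constructed scenario, whether the login succeeded and which modules were actually consulted. The two cases to remember when ordering modules are sso and fallback: a sufficient module placed before a required one skips the required check entirely when it succeeds, whereas a sufficient module placed after a failed required one does not rescue the login.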
JOnAS provides in $JONAS_BASE/conf/jaas.config a JAAS Login Configuration File that already contains some login configuration entries.
There are two requirements: the entry dedicated to Tomcat must be named tomcat, and the entry for Jetty, jetty. Note that everything in this file is case-sensitive.
The predefined entries are:
tomcat: used for authentication with the web container Tomcat
jetty: used for authentication with the web container Jetty
jaasclient: may be used for authentication in a fat client
The default configuration for the web container Tomcat is the following:
tomcat {
    org.ow2.jonas.security.auth.spi.JResourceLoginModule required
        resourceName="memrlm_1";
};
This indicates that the JResourceLoginModule Login Module must be used on the memory realm named memrlm_1.
The default configuration for the web container Jetty is the same as the previous one:
jetty {
    org.ow2.jonas.security.auth.spi.JResourceLoginModule required
        resourceName="memrlm_1";
};
The configuration for the client container examples is:
jaasclient {
    // Login Module to use for the example jaasclient.
    org.ow2.jonas.security.auth.spi.JResourceLoginModule required
        resourceName="memrlm_1";
    org.ow2.jonas.security.auth.spi.ClientLoginModule required
        globalCtx="true";
};
Here two Login Modules are used: the first checks the identity in the memory realm, the second propagates a security context with the client request. Note that each LoginModule entry, the first one included, must be terminated by a semicolon; without it the configuration file does not parse.
To change the location and name of the jaas.config file, edit the $JONAS_BASE/bin/jonas script and modify the following line:
-Djava.security.auth.login.config=$JONAS_BASE/conf/jaas.config
JOnAS provides some predefined LoginModules:
JResourceLoginModule (org.ow2.jonas.security.auth.spi.JResourceLoginModule): this is the main LoginModule. It is highly recommended that it be used in every authentication, as it checks the user's authentication information in the specified realm (database, LDAP or memory). The check itself is delegated to the JOnAS server that hosts the realm. The possible attributes are:
attribute name | description |
resourceName | name of the realm |
serverName | name of the JOnAS instance (default value: jonas) |
useUpperCaseUsername | if true, convert the username to upper case before authenticating (default value: false) |
certCallback | if true, obtain the caller's certificate through a certificate callback and use it for the authentication |
The CRL-checking LoginModule provides authentication based on certificates: it verifies that the certificate presented by the user has not been revoked by the Certification Authority that signed it, using the CA's certificate revocation lists (CRLs). Note that, when enabled, it also permits accesses that are not certificate-based, so it should not be the only LoginModule in an entry: combine it with JResourceLoginModule (flag required) so that a request presenting no certificate is still authenticated. To use it, the directory in which the CRL files are stored, or the LDAP repository holding them, must exist.
attribute name | description |
CRLsResourceName | specifies how the CRLs are stored: two possible values, "Directory" or "LDAP" |
CRLsDirectoryName | the directory containing the CRL files (the extension of these files must be .crl) |
address | address of the server that hosts the LDAP repository |
port | port used by the LDAP repository; CRLs are retrieved from an LDAP directory using the LDAP schema defined in RFC 2587 |
The signing LoginModule signs the current Subject. The possible attributes are:
attribute name | description |
keystoreFile | name (path) of the keystore file |
keystorePass | password of the keystore |
keyPass | password of the private key |
alias | alias of the keystore entry whose private key is used for signing |
ClientLoginModule (org.ow2.jonas.security.auth.spi.ClientLoginModule) propagates the Principal and roles to the server; it performs no authentication itself and must therefore follow an authenticating LoginModule such as JResourceLoginModule in the entry. It must be used when authenticating from a client container. The possible attribute is:
attribute name | description |
globalCtx | if true, set the security context for all threads of the client container instead of only the current thread; useful for Swing clients (default value: false) |