Saturday, May 15, 2010

Stacked Authentication with JAAS

I was happy the other day to find a quick solution to an authentication problem using Java's Authentication and Authorization Service (JAAS). I was configuring JAAS authentication for a littleware-based webapp where I wanted most users to authenticate via Active Directory, but also to have a simple password file to manage authentication for some internal users like "guest". Fortunately, JAAS easily supports this kind of thing. After googling around I stumbled across the JMX com.sun.jmx.remote.security.FileLoginModule, which uses a simple password file, and I was already familiar with using the com.sun.security.auth.module.LdapLoginModule for simple authentication against Active Directory. I simply configured the "littleware.login" context in the Glassfish server domain's login.conf file (below) so that authentication via either A.D. LDAP bind or the password file would be sufficient to certify a user. Works like a charm!

littleware.login {
        com.sun.security.auth.module.LdapLoginModule SUFFICIENT
             userProvider="ldap://xxxxxx/dc=auburn,dc=edu"
             authIdentity="{USERNAME}@auburn.edu"
             userFilter="(cn:dn:={USERNAME})"
             useSSL=false
             debug=true;
        com.sun.jmx.remote.security.FileLoginModule SUFFICIENT
             passwordFile="/home/glassfish/.littleware/jaasPasswordFile.txt";
};
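
To see how the stack above behaves for a given account, the following added example (not code from the original post or from littleware) logs in against the "littleware.login" context and prints the principals the successful module attached. The class name StackedLoginCheck is hypothetical, and it assumes the JVM is started with -Djava.security.auth.login.config pointing at a file containing the entry above.

```java
import java.io.Console;
import java.util.Arrays;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added example (hypothetical class). Assumed invocation:
//   java -Djava.security.auth.login.config=<path to login.conf> StackedLoginCheck
public class StackedLoginCheck {
    public static void main(String[] args) {
        Console console = System.console();
        if (console == null) {
            System.err.println("no interactive console; refusing to read a password");
            System.exit(2);
        }
        final String user = console.readLine("user: ");
        final char[] typed = console.readPassword("password: ");
        final char[] secret = (typed == null) ? new char[0] : typed;

        // Neither module sets useFirstPass/tryFirstPass, so each one calls this
        // handler itself: once for LdapLoginModule and, only if the LDAP bind
        // fails, a second time for FileLoginModule.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(secret); // callback keeps a copy
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };

        try {
            LoginContext lc = new LoginContext("littleware.login", handler);
            lc.login(); // SUFFICIENT: the first module that succeeds ends the stack
            // The principal classes show which module vouched for the user.
            lc.getSubject().getPrincipals().forEach(p ->
                System.out.println(p.getClass().getSimpleName() + ": " + p.getName()));
            lc.logout();
        } catch (LoginException ex) {
            // Reached only when every module in the stack rejected the login.
            System.out.println("rejected: " + ex.getMessage());
        } finally {
            Arrays.fill(secret, '\0'); // wipe our copy of the password
        }
    }
}
```

A login that succeeds via LdapLoginModule yields LdapPrincipal and UserPrincipal entries, while one that falls through to FileLoginModule yields a JMXPrincipal. LdapLoginModule uses SSL by default, so with useSSL=false as in the entry above the bind password crosses the network unencrypted.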