XML + database authentication and authorizati

Shai Ify
2010-07-09
2013-05-08
  • Shai Ify

    Shai Ify - 2010-07-09

    Hi Charles,
    Thanks for your help on earlier occasions. Now, I am trying the following: first try and authenticate the user using xml. If he is not found in the xml files, we try and authenticate him using the database. If the user is authenticated, we again first try and authenticate him using xml and then using database. Thus, we are trying to combine xml and database.

    Please help me with this. How can this be done? What is the simplest way to achieve the above?

    Shai

     
  • Vinicius Pitta Lima de Araujo

    Hi Shai,
    Part of your statement isn't very clear to me… If I understand correctly, you want to try XML authentication first and then the database if the first fails. To achieve this, just configure the XmlLoginModule as SUFFICIENT and the database authentication as REQUIRED, REQUISITE or SUFFICIENT (if it isn't the last loginModule, you should think about the right flag).

    's
    Vinícius Pitta Lima de Araújo
    http://www.viniciusaraujo.net

     
  • Shai Ify

    Shai Ify - 2010-07-09

    Sorry for the slightly vague description. So this is the scenario:
    First I want to try and authenticate the user against an xml file. If it succeeds, well and good. Then I will move on and try to authorize the user. However, if the user is not found in the xml file, I will try and look for his credentials in the database. I mean I will try and authenticate him against the database. So, first we try to authenticate against xml, and then against database. The same thing applies for authorization. If he is authorized using the xml file, good. If not, we will look for authorization credentials in the database. So, in a way, first we try using xml authentication and then we resort to database authorization.

    Also, can you please explain the meaning of the SUFFICIENT tag you mentioned above?

    I am really thankful for your help Vinicius!!
    Shai

     
  • Shai Ify

    Shai Ify - 2010-07-09

    For your reference, this is my jGuardAuthentication.xml:

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <!DOCTYPE configuration SYSTEM "jGuardAuthentication_1.00.dtd">
    <configuration>
      <authentication>
        <!-- 'local' or 'jvm' -->
        <scope>local</scope>
        <!--
          boolean option('true' or 'false'), to activate the authorization
          debug mode
        -->
        <debug>true</debug>
        <includeOldConfig>false</includeOldConfig>
        <!-- java.security.auth.login.config -->
        <includeConfigFromJavaParam>false</includeConfigFromJavaParam>
        <includePolicyFromJavaParam>false</includePolicyFromJavaParam>
        <!-- <digestAlgorithm>MD5</digestAlgorithm> -->
        <!-- <salt>qsd846sdq6ds4</salt> -->
        <authenticationManager>
          net.sf.jguard.ext.authentication.manager.XmlAuthenticationManager
        </authenticationManager>

        <authenticationManagerOptions>
          <option>
            <name>authenticationXmlFileLocation</name>
            <!-- changed here -->
            <value>WEB-INF/conf/jGuard/jGuardUsersPrincipals.xml</value>
          </option>

          <option>
            <name>databaseDriver</name>
            <!-- <value>org.postgresql.Driver</value> -->
            <!-- CHANGED HERE -->
            <value>com.mysql.jdbc.Driver</value>
          </option>
          <option>
            <name>databaseDriverUrl</name>
            <!-- <value>jdbc:postgresql://localhost:5432/jguard</value> -->
            <!-- CHANGED HERE -->
            <value>jdbc:mysql://icode:3306/jGuardGanesh</value>
          </option>
          <option>
            <name>databaseDriverLogin</name>
            <!-- <value>postgres</value> -->
            <value>icode</value>
          </option>
          <option>
            <name>databaseDriverPassword</name>
            <!-- <value>postgres</value> -->
            <value>icode</value>
          </option>
          <option>
            <name>authenticationXmlFileLocation</name>
            <value>/WEB-INF/conf/jGuard/jGuardUsersPrincipals.xml
            </value>
          </option>
          <option>
            <name>authenticationDatabaseFileLocation</name>
            <!--
              <value>WEB-INF/conf/jGuard/authentication.postgresql.properties</value>
            -->
            <!-- CHANGED HERE -->
            <value>WEB-INF/conf/jGuard/authentication.mysql.properties</value>
          </option>

        </authenticationManagerOptions>
        <loginModules>
          <!-- specify which loginModules are used for authentication. -->
          <loginModule>
            <name>net.sf.jguard.ext.authentication.loginmodules.XmlLoginModule</name>
            <!-- flag :'REQUIRED','OPTIONAL','REQUISITE' or 'SUFFICIENT' -->
            <flag>SUFFICIENT</flag>
            <loginModuleOptions>
              <option>
                <name>debug</name>
                <value>false</value>
              </option>
            </loginModuleOptions>
          </loginModule>

          <!-- specify which loginModules are used for authentication. -->
          <loginModule>
            <name>net.sf.jguard.ext.authentication.loginmodules.JdbcLoginModule</name>
            <!-- flag :'REQUIRED','OPTIONAL','REQUISITE' or 'SUFFICIENT' -->
            <flag>REQUIRED</flag>
            <loginModuleOptions>
              <option>
                <name>debug</name>
                <value>true</value>
              </option>
            </loginModuleOptions>
          </loginModule>

        </loginModules>
      </authentication>
    </configuration>

     
  • Vinicius Pitta Lima de Araujo

    Hi Shai,
    Seems like you did right with the login context configuration. SUFFICIENT means that if the login module proceeds, the login process ends and the user is authenticated. If the login fails, then the next login module is tried.

    This will work well with authentication, but if you want the same for authorization you need to write an authorization manager. You can write one manager that queues other managers and tries all of them. It isn't really a big deal but demands a little work.

    's
    Vinícius Pitta Lima de Araújo
    http://www.viniciusaraujo.net
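
The control-flag behaviour described in this reply, as an added example in plain JAAS (not code from the thread and not jGuard's own modules). `StoreLoginModule`, its `store` and `users` options, and the sample accounts are hypothetical and constructed for illustration; the stack order and flags mirror the posted `loginModules` section.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;
public class FallbackLoginDemo {
    // Hypothetical module: looks up "user:password" in the constructed "users" option.
    public static class StoreLoginModule implements LoginModule {
        private CallbackHandler handler; private Map<String, ?> options; private boolean ok;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> o) { handler = h; options = o; }
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user");
            PasswordCallback pass = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { name, pass }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            String entry = name.getName() + ":" + new String(pass.getPassword());
            ok = Arrays.asList(((String) options.get("users")).split(",")).contains(entry);
            if (!ok) throw new FailedLoginException("not found in " + options.get("store"));
            return true;
        }
        public boolean commit() { return ok; } // false tells JAAS to ignore this module
        public boolean abort() { ok = false; return true; }
        public boolean logout() { ok = false; return true; }
    }
    static AppConfigurationEntry entry(LoginModuleControlFlag flag, String store, String users) {
        return new AppConfigurationEntry(StoreLoginModule.class.getName(), flag, Map.of("store", store, "users", users));
    }
    static boolean authenticate(String user, String password) {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    entry(LoginModuleControlFlag.SUFFICIENT, "xml", "john1:pw-xml"), // success ends the login phase
                    entry(LoginModuleControlFlag.REQUIRED, "database", "mary:pw-db") }; // reached only if the first fails
            }
        };
        CallbackHandler ch = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
            }
        };
        try { new LoginContext("demo", new Subject(), ch, cfg).login(); return true; } catch (LoginException e) { return false; }
    }
    public static void main(String[] args) {
        for (String[] c : new String[][] { {"john1", "pw-xml"}, {"mary", "pw-db"}, {"eve", "guess"} })
            System.out.println(c[0] + " authenticated: " + authenticate(c[0], c[1]));
    }
}
```

Here `john1` (first store only) and `mary` (second store only) both authenticate, while `eve`, present in neither store, is rejected.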

     
  • Shai If

    Shai If - 2010-07-12

    Hi Vinicius,
    I tried my options and configured the following jGuardAuthentication.xml file:

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <!DOCTYPE configuration SYSTEM "jGuardAuthentication_1.00.dtd">
    <configuration>
      <authentication>
        <!-- 'local' or 'jvm' -->
        <scope>local</scope>
        <!--
          boolean option('true' or 'false'), to activate the authorization
          debug mode
        -->
        <debug>true</debug>
        <includeOldConfig>false</includeOldConfig>
        <!-- java.security.auth.login.config -->
        <includeConfigFromJavaParam>false</includeConfigFromJavaParam>
        <includePolicyFromJavaParam>false</includePolicyFromJavaParam>
        <!-- <digestAlgorithm>MD5</digestAlgorithm> -->
        <!-- <salt>qsd846sdq6ds4</salt> -->
        <authenticationManager>
          net.sf.jguard.ext.authentication.manager.JdbcAuthenticationManager
        </authenticationManager>

        <authenticationManagerOptions>
          <!-- <option>
          <name>authenticationXmlFileLocation</name> -->
          <!-- changed here -->
          <!-- <value>WEB-INF/conf/jGuard/jGuardUsersPrincipals.xml</value> -->
          <!-- </option> -->

          <option>
            <name>authenticationXmlFileLocation</name>
            <!-- changed here -->
            <value>/WEB-INF/conf/jGuard/jGuardUsersPrincipals.xml</value>
          </option>
          <option>
            <name>databaseDriver</name>
            <!-- <value>org.postgresql.Driver</value> -->
            <!-- CHANGED HERE -->
            <value>com.mysql.jdbc.Driver</value>
          </option>
          <option>
            <name>databaseDriverUrl</name>
            <!-- <value>jdbc:postgresql://localhost:5432/jguard</value> -->
            <!-- CHANGED HERE -->
            <value>jdbc:mysql://icode:3306/jGuardGanesh</value>
          </option>
          <option>
            <name>databaseDriverLogin</name>
            <!-- <value>postgres</value> -->
            <value>icode</value>
          </option>
          <option>
            <name>databaseDriverPassword</name>
            <!-- <value>postgres</value> -->
            <value>icode</value>
          </option>
          <option>
            <name>authenticationXmlFileLocation</name>
            <value>/WEB-INF/conf/jGuard/jGuardUsersPrincipals.xml
            </value>
          </option>
          <option>
            <name>authenticationDatabaseFileLocation</name>
            <!-- <value>WEB-INF/conf/jGuard/authentication.postgresql.properties</value> -->
            <!-- CHANGED HERE -->
            <value>WEB-INF/conf/jGuard/authentication.mysql.properties</value>
          </option>

        </authenticationManagerOptions>
        <loginModules>
          <!-- specify which loginModules are used for authentication. -->
          <loginModule>
            <name>net.sf.jguard.ext.authentication.loginmodules.XmlLoginModule</name>
            <!-- flag :'REQUIRED','OPTIONAL','REQUISITE' or 'SUFFICIENT' -->
            <flag>SUFFICIENT</flag>
            <loginModuleOptions>
              <option>
                <name>debug</name>
                <value>false</value>
              </option>
            </loginModuleOptions>
          </loginModule>

          <loginModule>
            <name>net.sf.jguard.ext.authentication.loginmodules.JdbcLoginModule</name>
            <!-- flag :'REQUIRED','OPTIONAL','REQUISITE' or 'SUFFICIENT' -->
            <flag>REQUIRED</flag>
            <loginModuleOptions>
              <option>
                <name>debug</name>
                <value>true</value>
              </option>
            </loginModuleOptions>
          </loginModule>

          <!-- specify which loginModules are used for authentication. -->

        </loginModules>
      </authentication>
    </configuration>

    The problem I am facing is that the jGuardUsersPrincipals.xml file is not being read. Presently, as is evident from the above configuration, there are two datasources: the jGuardUsersPrincipals.xml file and the database itself. Though the database is being read, the xml file is not being read. So, if user "john1" exists in jGuardUsersPrincipals.xml, but not in the database, he is not able to log in; however, this is an error as the user "john1" exists.

    Can you help clarify the above and suggest some solution?

    Shai

     
  • Shai If

    Shai If - 2010-07-12

    The basic thing that is worrying me is what should I put as the authentication manager: Jdbc or XML. Pls refer to the xml file shown in the previous post.

     
  • Vinicius Pitta Lima de Araujo

    Hi Shai,
    First, sorry for the delay in answering. Well, I just realized now that the jGuard login modules are dependent on the authentication manager configuration. So, unfortunately you will not be able to use both modules (at the same time) in this way.

    The JdbcAuthenticationManager has an extra option to point to an XML file that provides the initial data to populate the tables, but this doesn't fit your needs. :/

    I checked the code and found that there is a FacadeLoginModule whose purpose is exactly to provide a way to aggregate multiple login modules. I am not sure about how to use this. I have to check. Take a look.

     
  • Charles Lescot

    Charles Lescot - 2010-07-13

    Hi,
    Yes, loginModules depend on the AuthenticationManager.
    So an XmlLoginModule uses the XmlAuthenticationManager to READ some authentication information.
    Vinicius is also right that FacadeLoginModule can be used to use several loginModules so as to answer your needs.
    But you will also have to combine authenticationManagers to READ some authentication data.
    Note that write and delete operations on a mix of authenticationManagers may be more complex, but that is beyond the scope of a loginModule.

    hope it helps,

    Charles.

     
