Implementing Custom Realms for Digest Authentication in Sun Java System Communication Application Server

Recently we refactored and enabled Digest authentication support for both the HTTP and SIP containers in Sun Java System Communication Application Server (SJSCAS/Sailfin). Supporting digest authentication against different backends can be done by writing a custom login module and a custom realm.

1.Custom Login Module
2.Custom Realm

1.Custom Login module:
A custom login module can be provided either by extending the com.sun.enterprise.security.auth.login.DigestLoginModule abstract class or by implementing the standard javax.security.auth.spi.LoginModule interface. If you extend DigestLoginModule, the abstract method below has to be implemented. The getGroups method returns all the groups the user belongs to.

protected abstract Enumeration getGroups(String username);

The login module has to be configured in the login.conf file at $AS_INSTALL_HOME/domains/domain1/config/login.conf.
An example login.conf entry for a JDBC Digest login module (the jdbcDigestRealm block) is shown below:

++++++

/* Copyright 2004 Sun Microsystems, Inc. All rights reserved. */
/* SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms. */

fileRealm {
com.sun.enterprise.security.auth.login.FileLoginModule required;
};
ldapRealm {
com.sun.enterprise.security.auth.login.LDAPLoginModule required;
};
solarisRealm {
com.sun.enterprise.security.auth.login.SolarisLoginModule required;
};
jdbcRealm {
com.sun.enterprise.security.auth.login.JDBCLoginModule required;
};
jdbcDigestRealm {
com.sun.enterprise.security.auth.login.JDBCDigestLoginModule required;
};

++++++

A sample implementation of a DigestLoginModule subclass is shown below (imports added so the class compiles as-is):

import java.util.Enumeration;
import java.util.logging.Level;
import java.util.logging.Logger;

import com.sun.enterprise.security.auth.login.DigestLoginModule;
import com.sun.enterprise.security.auth.realm.InvalidOperationException;
import com.sun.enterprise.security.auth.realm.NoSuchUserException;

public class JDBCDigestLoginModule extends DigestLoginModule {

    public JDBCDigestLoginModule() {
    }

    // Ask the realm this module is bound to for the user's groups.
    // Returns null if the lookup fails, after logging the cause.
    protected Enumeration getGroups(String username) {
        try {
            return this.getRealm().getGroupNames(username);
        } catch (InvalidOperationException ex) {
            Logger.getLogger("global").log(Level.SEVERE, null, ex);
        } catch (NoSuchUserException ex) {
            Logger.getLogger("global").log(Level.SEVERE, null, ex);
        }
        return null;
    }
}


2.Custom Realm:

In order to provide a custom realm, one has to write a new custom realm [1] or modify an existing realm by extending the com.sun.enterprise.security.auth.realm.DigestRealmBase abstract class. The method validate is abstract in DigestRealmBase:

public abstract boolean validate(String username, DigestAlgorithmParameter[] params);

The implementor's validate method has to retrieve the user's password (or its pre-hashed form) from the backend and invoke the validate method of the super class, whose signature is shown below. It returns true if digest validation succeeded and false if the digest does not match. The DigestAlgorithmParameter array carries the digest algorithm parameters (realm, nonce, response, and so on) parsed from the incoming SIP/HTTP request.

protected final boolean validate(Password passwd, DigestAlgorithmParameter[] params) throws NoSuchAlgorithmException;

com.sun.enterprise.security.auth.digest.api.Password is used to pass the password to the digest validator, either as plain text or pre-hashed. The pre-hashed form is the H(A1) value of RFC 2617: the MD5 of the string username:realm:password, where realm is the realm name the server sent in its challenge. Storing only H(A1) keeps plaintext passwords out of the backend, but note that for Digest authentication H(A1) is itself a password equivalent: anyone who can read it can compute valid responses for that user in that realm, so the backend still needs to be protected accordingly.

public interface Password {

    public static final int PLAIN_TEXT = 0;
    public static final int HASHED = 1;

    /**
     * returns PLAIN_TEXT or HASHED.
     * @return int
     */
    public int getType();

    /**
     * returns password.
     * @return byte[]
     */
    public byte[] getValue();

}
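The following is an added example (not code from the original post or from Sailfin) of a complete DigestRealmBase subclass that keeps only pre-hashed H(A1) values for its users and feeds them to the inherited validate method through a HASHED Password implementation. The class name MapDigestRealm, the AUTH_TYPE string and the in-memory maps standing in for a JDBC table are all hypothetical; it assumes DigestAlgorithmParameter lives in the same com.sun.enterprise.security.auth.digest.api package as Password, that getAuthType and getGroupNames(String) are the only other abstract methods left to implement, and that the HASHED value is expected as the raw 16 MD5 bytes (check that against the DigestRealmBase version you build against; a hex-encoded variant is a one-line change in ha1()).

```java
package com.example.security; // hypothetical package, not part of Sailfin

import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import com.sun.enterprise.security.auth.digest.api.DigestAlgorithmParameter; // assumed package
import com.sun.enterprise.security.auth.digest.api.Password;
import com.sun.enterprise.security.auth.realm.DigestRealmBase;
import com.sun.enterprise.security.auth.realm.InvalidOperationException;
import com.sun.enterprise.security.auth.realm.NoSuchUserException;

public class MapDigestRealm extends DigestRealmBase {

    public static final String AUTH_TYPE = "map-digest"; // hypothetical auth type name

    // Constructed stand-in for a JDBC backend: username -> H(A1) as raw MD5 bytes.
    // Only the hash is stored; the plaintext password never reaches this class.
    private final Map<String, byte[]> ha1ByUser = new HashMap<String, byte[]>();
    private final Map<String, String[]> groupsByUser = new HashMap<String, String[]>();
    private final String realmName;

    public MapDigestRealm(String realmName) {
        this.realmName = realmName;
    }

    // Provisioning-time helper: what a password hashing utility writes to the backend.
    // RFC 2617 H(A1) = MD5("username:realm:password"); ISO-8859-1 is assumed for the octets.
    public static byte[] ha1(String username, String realmName, String password)
            throws NoSuchAlgorithmException {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        String a1 = username + ":" + realmName + ":" + password;
        return md5.digest(a1.getBytes(Charset.forName("ISO-8859-1")));
    }

    public void addUser(String username, String password, String... groups)
            throws NoSuchAlgorithmException {
        ha1ByUser.put(username, ha1(username, realmName, password));
        groupsByUser.put(username, groups);
    }

    // Abstract in DigestRealmBase: the container calls this with the parsed
    // Authorization header parameters from the HTTP or SIP request.
    @Override
    public boolean validate(String username, DigestAlgorithmParameter[] params) {
        byte[] storedHa1 = ha1ByUser.get(username);
        if (storedHa1 == null) {
            return false; // unknown user gets the same answer as a wrong password
        }
        try {
            // Final method of DigestRealmBase: recomputes the response from H(A1)
            // and the nonce/cnonce/qop/uri parameters and compares it.
            return validate(new HashedPassword(storedHa1), params);
        } catch (NoSuchAlgorithmException e) {
            return false; // never accept on an internal error
        }
    }

    // Password carrier telling the validator the value is already H(A1).
    private static final class HashedPassword implements Password {
        private final byte[] value;
        HashedPassword(byte[] value) { this.value = value.clone(); }
        public int getType() { return HASHED; }
        public byte[] getValue() { return value.clone(); }
    }

    @Override
    public String getAuthType() {
        return AUTH_TYPE;
    }

    @Override
    public Enumeration getGroupNames(String username)
            throws InvalidOperationException, NoSuchUserException {
        String[] groups = groupsByUser.get(username);
        if (groups == null) {
            throw new NoSuchUserException(username);
        }
        return Collections.enumeration(Arrays.asList(groups));
    }
}
```

In a real deployment the container instantiates the realm through its configured class name and properties rather than the constructor shown here, and addUser would be replaced by a lookup against the JDBC table that the hashing utility populated with ha1() output. The realm name passed to ha1() at provisioning time must be exactly the realm the server puts in its WWW-Authenticate (or SIP 401/407) challenge, otherwise no client response will ever match.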

This custom realm can be configured for use in SIP/HTTP applications as described in the docs [2].

You can download sailfin/SJSCAS builds from https://sailfin.dev.java.net/.

[1]http://docs.sun.com/app/docs/doc/819-3659/6n5s6m58k?a=view
[2]http://docs.sun.com/app/docs/doc/819-3658/6n5s5nkmq?l=en&a=view#ablpi



Note: the interfaces and classes described above are subject to improvement and change in future milestone releases of SJSCAS.

Comments:

Hello,

Please, where can I find com.sun.enterprise.security.auth.realm.DigestRealmBase
(in what jar)? I couldn't find it in glassfish jars.

I'm trying to improve the JDBCRealm, adding a counter for login errors (to prevent brute force attack on an oracle) and to add a salt column in the database to ensure that the hashes are different even with the same password.

Thank you!

Posted by Glitch on August 19, 2008 at 12:42 PM IST #

It's in appserv-rt.jar in Glassfish V2 and Sailfin builds.

If you check out the sources, it will be under the module glassfish/appserv-core.

Post your requirements to the sailfin dev/users alias and we can help you in whatever way we can.

Posted by guest on August 19, 2008 at 01:04 PM IST #

Can you explain the pre-hashed algorithm?

Does it mean I take the strings for username, realm and password and concatenate them, then hash the resulting string, or hash each separately and concatenate the resulting bytes?

what is 'realmname'?

I need to write a password hashing utility, but I cannot get this to work.

Posted by paulbrickell on May 28, 2009 at 05:43 AM IST #

See if Binod's blog [1] "MD5 Authentication example for converged applications." helps you.
[1]http://weblogs.java.net/blog/binod/archive/2008/09/index.html

Posted by guest on May 28, 2009 at 06:08 AM IST #

About

venu
