Kai

Reputation: 1350

How to use a Custom Principal in a custom security realm (Glassfish)?

I followed the instructions to create a custom security realm for my GlassFish. It all works fine, users are authenticated correctly. The problem, however, is the following:

I already tried to override the commit() method to replace the _userPrincipal or attach my own implementation using getSubject().getPrincipals().add(new PrincipalImpl("user")). Neither was working as expected. Basically the question is as simple as this: How can I set my own principal in a custom security realm in GlassFish in a way which makes it possible to use it together with an injected securityContext?

My environment:

Upvotes: 6

Views: 1885

Answers (1)

jax

Reputation: 840

I already tried to override the commit() method to replace the _userPrincipal or attach my own implementation using getSubject().getPrincipals().add(new PrincipalImpl("user")). Neither was working as expected.

What kind of error(s) do you get?

Regardless, I think your issue lies in the third step of this process. SecurityContext only defines BASIC_AUTH, FORM_AUTH, CLIENT_CERT_AUTH, DIGEST_AUTH as AuthenticationScheme, so perhaps SecurityContext cannot see your implementation of your security scheme or type. But you can try these steps and I hope they would work for you.

A- Implement a Java Authentication and Authorization Service (JAAS) LoginModule or extend com.sun.appserv.security.AppservPasswordLoginModule

import com.sun.appserv.security.AppservPasswordLoginModule;
import javax.security.auth.login.LoginException;

public class MyLoginModule extends AppservPasswordLoginModule {

    @Override
    protected void authenticateUser() throws LoginException {
        if (!authenticate(_username, _password)) {
            // Login fails
            throw new LoginException("LoginFailed");
        }
        String[] myGroups = getGroupNames(_username);
        commitUserAuthentication(myGroups);
    }

    private boolean authenticate(String username, String password) {
        /*
         * Check the credentials against the authentication source; return true
         * if authenticated, return false otherwise.
         * Placeholder: as written this accepts every login and must be replaced.
         */
        return true;
    }

    private String[] getGroupNames(String username) {
        // Return the list of groups this user belongs to.
        return new String[0]; // placeholder: no groups
    }
}

B- Implementing your realm class.

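import com.sun.appserv.security.AppservRealm;
import com.sun.enterprise.security.auth.realm.BadRealmException;
import com.sun.enterprise.security.auth.realm.NoSuchRealmException;
import java.util.Properties;

public class MyRealm extends AppservRealm {

    @Override
    public void init(Properties props)
            throws BadRealmException, NoSuchRealmException {
        // Here you initialize the realm.
    }

    @Override
    public String getAuthType() {
        return "Custom Realm";
    }
}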

C- Installing and configuring the realm and LoginModule into the server.

For this you need to look at JSR 196 and write your own SAM by implementing javax.security.auth.message.module.ServerAuthModule. Take a look at the link below. https://blogs.oracle.com/enterprisetechtips/entry/adding_authentication_mechanisms_to_the

Upvotes: 2
