Warning: Content moved

A copy of the content of this page has been moved to the JAAS security setup page in the main Magnolia documentation and will be maintained there.


Excerpt

Tutorial that provides a brief introduction to the Java Authentication and Authorization Service (JAAS) based on a dual-module approach.


JAAS

Magnolia CMS uses the Java Authentication and Authorization Service (JAAS), Sun's Java SE security framework. JAAS separates the login into two distinct steps:

  • Username and password request, and
  • Authentication and authorization.

Although it is possible to use other servlet containers, the default engine is Tomcat. Configuration is done in the WEB-INF/config/jaas.config file:

Code Block
magnolia {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

The default configuration uses two classes:

  • one for user login, i.e. username and password authentication, and
  • one for authorization, i.e. assigning the user's roles, groups and ACLs.

Each of these classes extends info.magnolia.jaas.sp.AbstractLoginModule. You can use this framework to implement your own login logic.

Login Procedure

The following (simplified) login procedure assumes you have two JAAS modules configured:

  • When a user logs in to Magnolia CMS, all configured JAAS modules try to authenticate the user by calling their login() method, in the order in which they are listed in jaas.config.
  • The method throws a LoginException if authentication fails. Since info.magnolia.jaas.sp.AbstractLoginModule provides the login() method, a JAAS module only has to implement a validateUser() method.
  • After the user is successfully authenticated, the commit() method of each JAAS module is called.

login()

The login() method of info.magnolia.jaas.sp.jcr.JCRAuthenticationModule is mandatory. This method verifies that the user entered exists and is enabled, and that the password entered matches the password stored for that user.

The second module's login() method is only called if the user has been properly verified: the authentication module is flagged requisite, so a failure there ends the login immediately. Therefore the login() method of info.magnolia.jaas.sp.jcr.JCRAuthorizationModule can be left empty.

commit()

The commit() method combines the values from both authentication and authorization. The authentication module provides all user properties, while the authorization module adds the roles and groups, and the respective ACLs, to the user object.

Example

Assume that you want to store users outside of Magnolia, for example in LDAP or a database, and fall back to the Magnolia user management system for users that do not exist in the external system. What do we have to implement for this?

User Object

Magnolia uses info.magnolia.cms.security.MgnlUser to represent users stored in the users repository. Since the users in our example do not have a representation in the Magnolia repository, we have to create a new user class implementing info.magnolia.cms.security.User.

JAAS Module


  • First create a JAAS module extending info.magnolia.jaas.sp.jcr.JCRAuthorizationModule.


  • Next, override the following two methods:
Code Block
import java.util.Set;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import info.magnolia.cms.security.auth.Entity;
import info.magnolia.jaas.principal.EntityImpl;

// validateUser() is the hook that AbstractLoginModule.login() calls: it must either set
// this.user or throw a LoginException. authenticate() is this module's own lookup against
// the external store (LDAP, database) and is not provided by Magnolia.
public void validateUser() throws LoginException {
    this.user = authenticate(this.name, this.pswd);
    if (this.user == null) {
        // One message for "unknown user" and "wrong password", so the response does not reveal which it was.
        throw new FailedLoginException("User not found or password incorrect");
    }
    // The custom User class is assumed to return its groups and roles as a Set.
    if (this.user.getAllGroups() != null) {
        this.setGroupNames((Set) this.user.getAllGroups());
    }
    if (this.user.getAllRoles() != null) {
        this.setRoleNames((Set) this.user.getAllRoles());
    }
}

// setEntity() is called from commit(): it builds the principal that represents the
// authenticated user in the Subject.
public void setEntity() {
    EntityImpl user = new EntityImpl();
    user.addProperty(Entity.LANGUAGE, this.user.getLanguage());
    user.addProperty(Entity.NAME, this.user.getName());
    // As in Magnolia's JCR module, the entered password is kept in the Subject's principal in clear text.
    user.addProperty(Entity.PASSWORD, new String(this.pswd));
    this.subject.getPrincipals().add(user);
}

Note that the authentication method (authenticate() in the code above) must still be implemented in order to properly create a User object from the external store.

jaas.config

Now we have to add the new JAAS module to the JAAS configuration. As Magnolia is to be the secondary user management method, we put the new module first with the sufficient modifier: if it authenticates the user, the remaining modules are skipped; if it fails, the Magnolia modules are tried next.

Code Block
magnolia {
  my.project.ExternalJAASModule sufficient;
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
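The control flow described in the Login Procedure section and by this jaas.config (login() of each module in order, commit() afterwards, and the effect of the sufficient and requisite flags) as an added, stand-alone example. This is not Magnolia's code: it uses only the JDK's javax.security.auth classes, and two instances of one in-memory module stand in for ExternalJAASModule and JCRAuthenticationModule. The class names JaasStackDemo and MapLoginModule, the option names label and store, the constructed user stores (alice in the external store, superuser in the Magnolia stand-in) and Java 17 are assumptions of the demo; an X500Principal takes the place of the EntityImpl a Magnolia module would add to the Subject.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

/** Added demo of JAAS module stacking (Java 17, no Magnolia classes): two instances of one
 *  in-memory module play ExternalJAASModule (sufficient) and JCRAuthenticationModule (requisite). */
public class JaasStackDemo {
    /** One user store per instance, handed in through the "store" option of the config entry. */
    public static class MapLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map<?, ?> store;
        private String label, name;
        private boolean authenticated;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.store = (Map<?, ?>) options.get("store");
            this.label = (String) options.get("label");
        }

        /** Phase 1: obtain credentials through the callback handler and check them against this store. */
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot obtain credentials: " + e);
            }
            name = nc.getName();
            char[] pw = pc.getPassword();
            pc.clearPassword();
            // Constructed demo store holds clear-text passwords; a real module would compare a hash.
            authenticated = pw != null && store.containsKey(name) && store.get(name).equals(new String(pw));
            System.out.println(label + ".login() -> " + authenticated);
            if (!authenticated) throw new FailedLoginException(label + ": user not found or password incorrect");
            return true;
        }

        /** Phase 2: reached only when the stack as a whole succeeded; attach this module's principal
         *  (an X500Principal stands in for the EntityImpl a Magnolia module would add). */
        @Override public boolean commit() {
            System.out.println(label + ".commit() (authenticated=" + authenticated + ")");
            if (!authenticated) return false;
            subject.getPrincipals().add(new X500Principal("CN=" + name + ",OU=" + label));
            return true;
        }

        @Override public boolean abort() { authenticated = false; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Same shape as the page's jaas.config: the external module sufficient, Magnolia's requisite. */
    static Configuration stackedConfig() {
        String module = MapLoginModule.class.getName();
        Map<String, Object> external = Map.of("label", "external", "store", Map.of("alice", "ext-secret"));
        Map<String, Object> magnolia = Map.of("label", "magnolia", "store", Map.of("superuser", "superuser"));
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(module, LoginModuleControlFlag.SUFFICIENT, external),
                    new AppConfigurationEntry(module, LoginModuleControlFlag.REQUISITE, magnolia) };
            }
        };
    }

    /** Answers the callbacks with fixed credentials (Magnolia's login filter plays this role). */
    static CallbackHandler creds(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback n) n.setName(user);
                else if (cb instanceof PasswordCallback p) p.setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    static boolean tryLogin(String user, String password) {
        try {
            LoginContext lc = new LoginContext("magnolia", new Subject(), creds(user, password), stackedConfig());
            lc.login();
            System.out.println("OK " + user + " principals=" + lc.getSubject().getPrincipals());
            return true;
        } catch (LoginException e) {
            System.out.println("FAILED " + user + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        tryLogin("alice", "ext-secret");    // external succeeds: sufficient ends the chain, Magnolia never consulted
        tryLogin("superuser", "superuser"); // external fails, chain continues, requisite Magnolia module succeeds
        tryLogin("alice", "wrong");         // external fails, then the requisite Magnolia failure ends the chain
    }
}
```

Compile and run with javac JaasStackDemo.java && java JaasStackDemo. The output shows that when the sufficient module succeeds, both the login() pass and the commit() pass stop at it, so the Magnolia modules are never instantiated: a user that exists in both stores is authenticated by the external store alone, and only the external module's principal ends up in the Subject. When the external module fails, the chain continues and the requisite module decides; its failure ends the login at once, after which abort() is called on every module that was invoked, which is why the module resets its state there.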