Warning: A copy of the content of this page has been moved to the JAAS security setup page in the main Magnolia documentation and will be maintained there.
Tutorial that provides a brief introduction to the Java Authentication and Authorization Service (JAAS) based on a dual module approach.
JAAS
Magnolia CMS uses the Java Authentication and Authorization Service (JAAS) for security. JAAS separates two distinct processes:
- requesting the user name and password, and
- authenticating and authorizing the user.
JAAS is configured in the WEB-INF/config/jaas.config file. Tomcat is the default servlet engine for Magnolia; on other servlet engines the configuration may have to be set up differently. The default content of WEB-INF/config/jaas.config is:
magnolia {
    info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
    info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
The default configuration uses two classes:
- one for authenticating the user name and password (JCRAuthenticationModule, flagged requisite: if it fails, the login is aborted immediately), and
- one for authorizing the authenticated user (JCRAuthorizationModule, flagged required: if it fails, any remaining modules still run, but the login fails).
Both classes extend info.magnolia.jaas.sp.AbstractLoginModule.
Login Procedure
The following simplified login procedure assumes that two JAAS modules are configured (red and green).
When a user logs in to Magnolia CMS by filling out the login form, all configured JAAS modules try to authenticate the user: JAAS calls the login() method of each module. The login() method throws a LoginException if authentication fails. Since info.magnolia.jaas.sp.AbstractLoginModule already provides the login() method, a JAAS module only has to implement a validateUser() method.
After the user is successfully authenticated, the commit() method of each JAAS module is called.
login()
The two default JAAS modules have different tasks. The login() method of the authentication module, info.magnolia.jaas.sp.jcr.JCRAuthenticationModule, verifies the user name and password; this first module is mandatory. The login() method of the authorization module, info.magnolia.jaas.sp.jcr.JCRAuthorizationModule, is only called if the first module has properly verified the user.
commit()
The commit() method combines the values from both authentication and authorization: the authentication module provides all user properties, while the authorization module adds the roles and groups, and the respective ACLs, to the user object.
Example
Assume that you want to store users outside of Magnolia, for example in LDAP or in a database, and that the Magnolia user management system should be used as a fallback if a user does not exist in the external system. What has to be implemented for this?
User Object
Magnolia uses its own user class to represent users stored in the users repository. Since the users in this example are not primarily represented in the Magnolia repository, you have to create a new user class implementing Magnolia's user interface.
JAAS Module
- First create a JAAS module extending info.magnolia.jaas.sp.jcr.JCRAuthorizationModule.
- Next, override the following two methods:
package my.project;

import java.util.Set;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import info.magnolia.cms.security.auth.Entity;      // package names as in Magnolia 4.x
import info.magnolia.jaas.principal.EntityImpl;     // check them against the version in use
import info.magnolia.jaas.sp.jcr.JCRAuthorizationModule;

public class ExternalJAASModule extends JCRAuthorizationModule {

    // authenticate(name, pswd) looks the user up in the external store (LDAP, database, ...) and
    // checks the password, returning null if the user is unknown or the password is wrong.
    public void validateUser() throws LoginException {
        this.user = authenticate(this.name, this.pswd);
        if (this.user == null) {
            // one generic message: do not reveal whether the name or the password was wrong
            throw new FailedLoginException("User not found or password incorrect");
        }
        // hand the external groups and roles to the module so that commit() can add them to the Subject
        if (this.user.getAllGroups() != null) {
            this.setGroupNames((Set) this.user.getAllGroups());
        }
        if (this.user.getAllRoles() != null) {
            this.setRoleNames((Set) this.user.getAllRoles());
        }
    }

    public void setEntity() {
        // principal describing the authenticated user ("entity", not "user", which would shadow this.user)
        EntityImpl entity = new EntityImpl();
        entity.addProperty(Entity.LANGUAGE, this.user.getLanguage());
        entity.addProperty(Entity.NAME, this.user.getName());
        entity.addProperty(Entity.PASSWORD, new String(this.pswd));
        this.subject.getPrincipals().add(entity);
    }
}
Note that the authentication method (authenticate() in the listing above) still has to be implemented in order to properly create a User object from the external store. Note also that setEntity() as written copies the clear-text password into a principal on the Subject, where anything that can read the Subject can read it for the lifetime of the session.
jaas.config
Now add the new JAAS module to the JAAS configuration. Since Magnolia is to be the secondary user management method, the new module goes first with the sufficient control flag. In JAAS terms this means: if the external module authenticates the user, the login succeeds immediately and the Magnolia modules are not consulted, so the external module itself must supply the groups and roles (as validateUser() above does via setGroupNames() and setRoleNames()); if it fails, JAAS carries on with the Magnolia modules, which then decide whether the login succeeds.
magnolia {
    my.project.ExternalJAASModule sufficient;
    info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
    info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
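The call sequence described in the login procedure above (login() on every module, then commit(), with a LoginException aborting the login) and the effect of the sufficient and requisite flags in this stanza can be watched directly with plain JAAS, without Magnolia. The following stand-alone program is an added example, not code from this page or from Magnolia: the hypothetical modules External and Jcr stand in for my.project.ExternalJAASModule and JCRAuthenticationModule, the two user stores are constructed in memory, the configuration is built programmatically instead of being read from jaas.config, and the name "magnolia" passed to LoginContext is only a lookup key. Running it prints, for a user known only externally, a user known only to the fallback store and an unknown user, which login(), commit() and abort() calls JAAS actually makes.

```java
import java.io.IOException;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

// Added example (not Magnolia code): two hypothetical login modules on a JAAS stack
// configured like the jaas.config stanza above, with a trace of every call JAAS makes.
public class JaasStackDemo {

    // Records the order in which JAAS calls the modules.
    static final List<String> TRACE = new ArrayList<>();

    // Constructed in-memory stores; a real module would query LDAP, a database or the JCR.
    static final Map<String, String> EXTERNAL_USERS = Map.of("alice", "ext-secret");
    static final Map<String, String> JCR_USERS = Map.of("bob", "jcr-secret");

    // Minimal login module checking a name/password pair against one store.
    public abstract static class StoreModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String label, name;
        private boolean succeeded;

        protected abstract Map<String, String> store();

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.label = getClass().getSimpleName();
        }

        // Phase 1: obtain the credentials through the callback handler and verify them.
        public boolean login() throws LoginException {
            TRACE.add(label + ".login");
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            name = nc.getName();
            char[] pw = pc.getPassword();
            pc.clearPassword();
            String expected = store().get(name);
            // Clear-text comparison for the demo only; a real store compares password hashes.
            succeeded = expected != null && pw != null && expected.equals(new String(pw));
            if (pw != null) Arrays.fill(pw, '\0');
            if (!succeeded) {
                // One generic message, so a caller cannot tell "unknown user" from "bad password".
                throw new FailedLoginException(label + ": user not found or password incorrect");
            }
            return true;
        }

        // Phase 2: JAAS calls commit() on every module it reaches, including ones whose
        // login() failed, so only a module that actually succeeded may add principals.
        public boolean commit() {
            TRACE.add(label + ".commit");
            if (succeeded) subject.getPrincipals().add(() -> name); // Principal is a functional interface
            return succeeded;
        }

        public boolean abort() { TRACE.add(label + ".abort"); succeeded = false; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    // Stand-ins for my.project.ExternalJAASModule and JCRAuthenticationModule.
    public static class External extends StoreModule { protected Map<String, String> store() { return EXTERNAL_USERS; } }
    public static class Jcr extends StoreModule { protected Map<String, String> store() { return JCR_USERS; } }

    // Programmatic equivalent of "External sufficient; Jcr requisite;" in jaas.config.
    static Configuration config() {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
                Map<String, ?> none = Collections.emptyMap();
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(External.class.getName(), LoginModuleControlFlag.SUFFICIENT, none),
                    new AppConfigurationEntry(Jcr.class.getName(), LoginModuleControlFlag.REQUISITE, none) };
            }
        };
    }

    // Callback handler playing the role of the login form.
    static CallbackHandler credentials(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    // Runs one login and returns the call trace; throws LoginException if JAAS rejects the user.
    static List<String> attempt(String user, String password) throws LoginException {
        TRACE.clear();
        new LoginContext("magnolia", new Subject(), credentials(user, password), config()).login();
        return new ArrayList<>(TRACE);
    }

    public static void main(String[] args) {
        String[][] cases = { { "alice", "ext-secret" }, { "bob", "jcr-secret" }, { "mallory", "x" } };
        for (String[] c : cases) {
            try {
                System.out.println(c[0] + " -> accepted " + attempt(c[0], c[1]));
            } catch (LoginException e) {
                System.out.println(c[0] + " -> rejected (" + e.getMessage() + ") " + TRACE);
            }
        }
    }
}
```

Compile and run with javac JaasStackDemo.java && java JaasStackDemo (Java 9 or later, for Map.of). For alice the trace is [External.login, External.commit]: the sufficient module short-circuits both the login and the commit phase, so the fallback module is never consulted and whatever groups and roles the external module did not add are simply absent. For bob it is [External.login, Jcr.login, External.commit, Jcr.commit]: the sufficient module's failure is only noted, the requisite module decides, and commit() still runs on the failed module, which is why commit() has to check its own state. For mallory the requisite failure ends the login phase at once; every module's abort() runs instead of commit(), and no principal is added to the Subject.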