Magnolia uses Sun's JAAS for security. This allows separation of the way the client is requested for the username and password and the way they are authenticated and authorized.
JAAS can be configured in the WEB-INF/config/jaas.config
file (can be different on other servlet engines as Tomcat). The default configuration is
magnolia { info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite; info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required; };
which uses on class for authentication and one for authorization.
Each of these classes extend
Login Procedure
To show you how login works in Magnolia, we want to present you a simplified login procedure. Assume you have two JAAS modules configured (red and greed).
If you login to Magnolia by filling out the login form, all configured JAAS modules try to authenticate the user by calling the login()
method which throws a LoginException
if login fails. As
login()
method, a JAAS module only has to implement a validateUser()
method which throws a LoginException
if the user cannot be authenticated. If the user could be successfully authenticated, the commit()
method of all JAAS modules will be called.
login()
The two default JAAS modules have different tasks. In the login()
method of
login()
method will only be called, if the user has already been validated. Therefore the login()
method of commit()
In the commit()
method, the authentication module provides all user properties, while the authorization module adds the roles and groups and the respective ACLs to the user object.
Example
Assume you want to store users outside of Magnolia, for example in LDAP or a database. If a user is not available in the external system, then we want to use the Magnolia user management. What do we have to implement for this?
User Object
Magnolia uses
users
repository. As our users do not have a representation in the repository, we have to create a new user class implementing JAAS Module
The simplest way is to create a JAAS module extending
public void validateUser() throws LoginException { this.user = authenticate(this.name, this.pswd); if (this.user == null) { throw new FailedLoginException("User not found or password incorrect"); } if (this.user.getAllGroups() != null) { this.setGroupNames((Set)this.user.getAllGroups()); } if (this.user.getAllRoles() != null) { this.setRoleNames((Set) this.user.getAllRoles()); } } public void setEntity() { EntityImpl user = new EntityImpl(); user.addProperty(Entity.LANGUAGE, this.user.getLanguage()); user.addProperty(Entity.NAME, this.user.getName()); user.addProperty(Entity.PASSWORD, new String(this.pswd)); this.subject.getPrincipals().add(user); }
Of course you have to implement the authenticate
method which properly creates a User
object.
jaas.config
Now we have to add our new JAAS module to the JAAS configuration. As we want to have the fallback to Magnolia user management, we put the new module first with the sufficient
modifier:
magnolia { my.project.ExternalJAASModule sufficient; info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite; info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required; };