Magnolia uses Sun's JAAS for security. This separates the process by which a user name and password are requested from the process that authenticates and authorizes them.

JAAS can be configured in the WEB-INF/config/jaas.config file. The configuration can be set up differently on other servlet engines than Tomcat which is the default Magnolia servlet engine. The default configuration for the WEB-INF/config/jaas.config file is:

magnolia {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

This default configuration uses one class for user login and password authentication and one for authorization of user and password.

Each of these classes extend:

Together they provide a powerful framework within which you can implement your own login logic.

Login Procedure

To show you how login works in Magnolia, we have used a simplified login procedure. Assume you have two JAAS modules configured (red and green).

 
If you login to Magnolia by filling out the login form, all configured JAAS modules try to authenticate the user by calling the login() method which throws a {{LoginException }}if the login fails authentication. Since

provides the {{login()}}method, a JAAS module only has to implement a validateUser() method which throws a LoginException if the user cannot be authenticated. If the user could be successfully authenticated, the commit() method of all JAAS modules will be called.

login()*

The two default JAAS modules have different tasks. In the login() method of

it will be verified that the user is vaild, enabled and the password matches. As this module is requisite, the second module's login() method will only be called, if the user has already been validated. Therefore the login() method of

can be implemented empty.

commit()

In the commit() method, the authentication module provides all user properties, while the authorization module adds the roles and groups and the respective ACLs to the user object.

Example

Assume you want to store users outside of Magnolia, for example in LDAP or a database. If a user is not available in the external system, then we want to use the Magnolia user management. What do we have to implement for this?

User Object

Magnolia uses

to represent users stored in the users repository. As our users do not have a representation in the repository, we have to create a new user class implementing

.

JAAS Module

The simplest way is to create a JAAS module extending

and just override two methods

public void validateUser() throws LoginException {

        this.user = authenticate(this.name, this.pswd);

	if (this.user == null) {
            throw new FailedLoginException("User not found or password incorrect");
        }
	if (this.user.getAllGroups() != null) {
		this.setGroupNames((Set)this.user.getAllGroups());
	}
	if (this.user.getAllRoles() != null) {
		this.setRoleNames((Set) this.user.getAllRoles());
	}
    }
    public void setEntity() {
        EntityImpl user = new EntityImpl();
        user.addProperty(Entity.LANGUAGE, this.user.getLanguage());
        user.addProperty(Entity.NAME, this.user.getName());
        user.addProperty(Entity.PASSWORD, new String(this.pswd));
        this.subject.getPrincipals().add(user);
    }

Of course you have to implement the authenticate method which properly creates a User object.

jaas.config

Now we have to add our new JAAS module to the JAAS configuration. As we want to have the fallback to Magnolia user management, we put the new module first with the sufficient modifier:

magnolia {
  my.project.ExternalJAASModule sufficient;
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};