Magnolia CMS uses Sun's Java SE Security (JAAS). JAAS creates two distinct processes for:

• username and password request, and
• authentication and authorization.

Although it is possible to use other servlets, the default engine is Tomcat. Configuration is done in WEB-INF/config/jaas.config file:

magnolia {info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;};

The default configuration uses two classes: 

• one for user login and password authentication, and
• one for authorization of user and password.

Each of these classes extend:

You can use this framework to implement your own login logic.

Login Procedure

The following (simplified login) procedure assumes you have two JAAS modules configured:

•   When a user logs in to Magnolia CMS, all configured JAAS modules try to authenticate the user by calling the login() method.

   

• The method throws an LoginException if the login fails authentication. Since

  $webResourceManager.requireResource("info.magnolia.sys.confluence.artifact-info-plugin:javadoc-resource-macro-resources") AbstractLoginModule
    provides the login() method, a JAAS module only has to implement a validateUser() method. 

• When the user successfully authenticated, the commit() method of each JAAS module is called.

login()

The login() authentication method of

The second module's login authorization method is only called if the user has been properly verified. Therefore the login() authorization method of 

commit()

The commit() method includes the values from both authentication and authorization. The authentication module provides all user properties, while the authorization module adds the roles and groups and the respective ACLs to the user object.

Example

Generally, when storing users outside of Magnolia CMS (for example in LDAP or a database), if a user is not available in the external system, the Magnolia CMS user management system represent users in the repository:

public void validateUser() throws LoginException {

        this.user = authenticate(this.name, this.pswd);

	if (this.user == null) {
            throw new FailedLoginException("User not found or password incorrect");
        }
	if (this.user.getAllGroups() != null) {
		this.setGroupNames((Set)this.user.getAllGroups());
	}
	if (this.user.getAllRoles() != null) {
		this.setRoleNames((Set) this.user.getAllRoles());
	}
    }
    public void setEntity() {
        EntityImpl user = new EntityImpl();
        user.addProperty(Entity.LANGUAGE, this.user.getLanguage());
        user.addProperty(Entity.NAME, this.user.getName());
        user.addProperty(Entity.PASSWORD, new String(this.pswd));
        this.subject.getPrincipals().add(user);
    }

Even with this modification, it is still necessary to implement the authentication method in order to properly create a User object.

Adding the JAAS module to the JAAS configuration

As we want Magnolia to be the secondary user management method used, we need to put the new module first. To do this, we use the sufficient modifier:

magnolia {
  my.project.ExternalJAASModule sufficient;
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};