Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.1.5, 2.2.1, 3.0.0
    • Component/s: None
    • Security Level: public (Regular issues)
    • Labels:
      None

      Description

      login module for spnego support

      1. SpnegoLoginModule.java
        5 kB
        Ashish Jain
      2. SpnegoLoginModule.java_updated
        12 kB
        Ashish Jain

        Activity

        Ashish Jain added a comment -

        Login module implementation for Spnego.

        Ashish Jain added a comment -

        Updated version of the spnego login module, which takes care of adding the group principal. The group information is retrieved from the Active Directory server.

        Ivan added a comment -

        Hi, Ashish :
        One thing I want to confirm is that
        --->
        GSSContext gContext = manager.createContext(serverCreds);
        if (gContext == null) {
            log.debug("Failed to create a GSSContext");
        } else {
        }
        <---
        From the meaning of the return value of the LoginModule, false means that it should be ignored. In the code, if it failed to create the context, it would return false, so is it expected? It is just in terms of the LoginModule implementation.
        BTW, I am not familiar with the details of Spnego mechanism. If any expert could review the patch too, that would be better !

        Ashish Jain added a comment -

        Hi Ivan,

        Yes, this is a possible case. In case Spnego authentication fails, the user can configure the security realm to fall back on an alternative mechanism, e.g. PropertiesFileLogin, sqllogin, etc.

        Thanks
        Ashish

        Ivan added a comment -

        Hi, Ashish:
        If it is used for fallback case, I think it should be handled by control-flag, not in the LoginModule itself. What is your opinion ?
        Thanks !
        Ivan

        Ashish Jain added a comment -

        Hi Ivan,
        The if condition is only to log a message to suggest that there was no gcontext established b/w client/server hence no exchange of data is possible.
        Secondly as you said – the fallback condition is indeed being handled by control-flags which can be defined in a security realm with multiple login module configurations.
        Thanks
        Ashish

        Ivan added a comment -

        Committed the changes to trunk at revision 919287, the 2.2 branch at revision 919288 and the 2.1 branch at revision 919289.
        Thanks for the patch, Ashish !
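
The behaviour discussed in this thread, as an added example that is not part of the patch or of Geronimo's code: in standard JAAS, a module whose login() returns false is ignored, while one that throws LoginException fails according to its control flag. The Stub module, its "mode" option and the "demo" entry name are hypothetical, and a plain JAAS Configuration is assumed in place of a Geronimo security realm.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class IgnoredModuleDemo {
    /** Hypothetical stub module: the "mode" option selects what login() does. */
    public static class Stub implements LoginModule {
        private String mode;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
            mode = (String) options.get("mode");
        }
        public boolean login() throws LoginException {
            if ("throw".equals(mode)) throw new FailedLoginException("constructed failure");
            return "ok".equals(mode);          // mode "ignore" returns false: module is ignored
        }
        public boolean commit() { return "ok".equals(mode); }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    static AppConfigurationEntry entry(LoginModuleControlFlag flag, String mode) {
        return new AppConfigurationEntry(Stub.class.getName(), flag, Map.of("mode", mode));
    }

    /** Runs LoginContext.login() over the given module stack and reports the overall outcome. */
    static boolean authenticates(AppConfigurationEntry... stack) {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return stack; }
        };
        try {
            new LoginContext("demo", new Subject(), callbacks -> { }, cfg).login();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        LoginModuleControlFlag req = LoginModuleControlFlag.REQUIRED;
        LoginModuleControlFlag suf = LoginModuleControlFlag.SUFFICIENT;
        System.out.println("REQUIRED returns false + REQUIRED ok: " + authenticates(entry(req, "ignore"), entry(req, "ok")));
        System.out.println("REQUIRED throws + REQUIRED ok:        " + authenticates(entry(req, "throw"), entry(req, "ok")));
        System.out.println("SUFFICIENT throws + REQUIRED ok:      " + authenticates(entry(suf, "throw"), entry(req, "ok")));
        System.out.println("REQUIRED returns false, alone:        " + authenticates(entry(req, "ignore")));
    }
}
```

Comparing the first two lines of output shows why the choice between returning false and throwing matters for a module configured as REQUIRED.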


          People

          • Assignee:
            Ashish Jain
            Reporter:
            Ashish Jain
          • Votes:
            0
            Watchers:
            0
