Writing a Custom Authentication Module for Convergence

Writing a Custom Authentication Module for Convergence

Sun Convergence server provides an interface that enables you to create custom user authentication in the form of a customizable Java-based authentication module. The custom authentication module allows an organization to use a non-Sun LDAP mechanism (for example, an RDBMS, flat-text file or third-party LDAP server) to provide authentication functionality.

Note
By default, Convergence uses Sun Java System Directory Server for authentication store. For information about administering the default authentication feature, see Authentication

Basic Concepts

This section defines the terms used in this article. In addition to this, this section also describes the authentication framework architecture and its components.

The following are the definitions of terms used in this article:

Convergence uses the following repositories to store user data. They are:

  • User Authentication Store:Contains user credentials. Such as user id, password, domain information, and an unique identifier to identify the user in the User or Group LDAP store.
  • User/Group LDAP Store (UG LDAP): Contains user preferences such as timezone that the user is in, language preference, and user theme. Convergence uses Schema 1 or Schema 2 to store user information in the User or Group LDAP.

Convergence Authentication Framework

This section describes how the authentication framework works in Sun Convergence.

  1. The authentication module first authenticates the user in the authentication store using the configured authentication module. The default authentication module that works by default is Sun Java System Directory Server.
  2. On successful authentication, the authentication module gets the user specific attributes like user id, the domain of the user, organization, and a unique identifier.
  3. The authentication framework loads the user from the User Group LDAP using the user id (userID) and domain name (userDomain).

Contracts Defined by the Authentication Module

Before designing a solution for the custom authentication module, you must be aware of the contracts that the Convergence authentication framework needs for successful transfer of information between the authentication store, the Convergence authentication framework, and UG LDAP.

  • The authentication module must provide a mechanism to identify a user in the UG LDAP after successful authentication. The custom authentication can have any authentication store that can use any type of identifier to authenticate the user. The authentication mechanism should provide a relationship between the authenticated user and UG LDAP. After successful authentication, the authentication module should provide a unique identifier to locate the user in the UG LDAP. For example, if both authentication store and UG LDAP use the same identifier to locate the user, after successful authentication, the authentication module must set userID and userDomain parameters in the HTTP request by using callback handler objects. These parameters are used by UG LDAP filter to load the user from the UG LDAP. In our example, the user id (example scott) is the unique identifier used to locate the user in UG LDAP.
  • All the custom authentication modules must implement the following three classes:
    • JAAS LoginModule interface. Convergence uses JAAS LoginModule as an interface for all its login modules. The custom authentication module must implement this interface. Although the authentication module uses the JAAS framework for authentication, it does not use all the advanced capabilities like authentication chaining, and multiple login modules.
    • HttpCallbackHandler. An abstract class that implements the CallbackHandler of JAAS. This class must be implemented to handle custom callbacks. All custom authentication modules must implement this class to handle custom callbacks.
    • Convergence uses the JAAS LoginCallback and CallbackHandler interface to get and set information between the authentication module and Convergence application. Since Convergence is a web application, authentication is performed through HTTP based request and response. Convergence provides an abstract class: HttpCallbackHandler, which implements CallbackHandler interface of JAAS.
  • After successful authentication, the authentication module must set the UserPrincipal object in the Subject. This can be done in commit method of login module. UserPrincipal must be created using loginID of the user.
  • Custom authentication modules must not create HTTP session(HTTPSession) object. Convergence authentication framework takes care of initializing the session.

About the Sample Application

This article describes the various files that are created for the custom authentication module to work. Use this as a reference to create other custom authentication modules to suite your enterprise' needs. The sample authentication module can be used as is by copying the source files and following the steps as mentioned in the following sections.

Caution
If you need to change the core class file names provided in this article, note that you must appropriately refractor the code. Some of the files use objects created by other core classes of the custom authentication module.

This example describes an authentication module for a file based user data store. The following is a sample set of data that could be used to store user information in the data store.

userinfo.txt
smith:test:siroe.com
jack:test:siroe.com
scott:test123:siroe.com

In the example, each attribute is separated by a colon. For example, the first record of the file provides information about the user id smith whose password is test with domain siroe.com.

Implementing the classes Required for the File base Authentication Store

This section describes the classes that  are used to implement the authentication module for a file based user store. The following are the core class:

1. SunTestLoginModule.java
2. SunTestAuthCallBack.java
3. AppTestCallbackHandler.java

SunTestLoginModule.java
package com.sun.comms.test;

import com.sun.comms.client.logging.IwcLogger;
import com.sun.comms.client.security.auth.UserPrincipal;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.commons.logging.Log;
import com.sun.comms.test.SunTestAuthCallBack;

public class SunTestLoginModule implements LoginModule {

    private Subject subject;
    private CallbackHandler cbh;
    private Map sharedState;
    private Map options;
    private boolean succeeded;
    private UserPrincipal up;
    private SunTestAuthCallBack mcb = null;
    private String credFile = "";
    private final static Log logger = IwcLogger.getLogger(IwcLogger.AUTH_LOGGER);

    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.cbh = callbackHandler;
        this.sharedState = sharedState;
        this.options = options;
        credFile = (String) options.get("CredentialFile");
    }

    public boolean login() throws LoginException {
        Callback[] callbacks = new Callback[1];
        mcb = new SunTestAuthCallBack();
        callbacks[0] = mcb;

        if (cbh == null) {
            throw new LoginException("Error: no CallbackHandler available " +
                    "to gather authentication information from the user");
        }

        try {
            // Get userid and pwd from request
            cbh.handle(callbacks);
        } catch (Exception ex) {
            throw new LoginException("SunTestLoginModule: login failed");
        }

        String[] userInfo = attemptLogin();

        if (userInfo != null && userInfo.length==3) {
            mcb.setUserInfo(userInfo[0], userInfo[2]);
            succeeded = true;
            return true;
        } else {
            System.err.println("Unable to find user entry");
            throw new FailedLoginException("Unable to find user entry");
        }
    }

    private String[] attemptLogin() throws LoginException {

        if(credFile==null)
            throw new LoginException("User database file is not set configuration.");

        File loginFile = null;
        String userID = mcb.getUserName();
        String userPwd = mcb.getUserPwd();

        if (userID == null || userPwd == null) {
            throw new LoginException("Required user credential not found");
        }

        try {
            loginFile = new File(credFile);
            if (loginFile.exists()) {

                BufferedReader reader = new BufferedReader(new FileReader(loginFile));
                String userEntry = null;
                while ((userEntry = reader.readLine()) != null) {
                    String[] usrAcc = userEntry.split(":");
                    if (usrAcc != null && usrAcc.length == 3) {
                        if (userID.equals(usrAcc[0]) && userPwd.equals(usrAcc[1])) {
                            return usrAcc;
                        }
                    }
                }

            } else {
                System.err.println("Unable to find user database file " + credFile);
                throw new LoginException("Unable to find user database file " + credFile);
            }
        } catch (IOException ex) {
            System.err.println("Unable to load user database file " + credFile);
            throw new LoginException("Unable to load user database file " + credFile);
        }
        return null;
    }

    public boolean commit() throws LoginException {
        if (succeeded == false) {
            return false;
        } else {
            // add a Principal (authenticated identity) to the Subject
            UserPrincipal userPrincipal = new UserPrincipal(mcb.getUserName());

            if (!subject.getPrincipals().contains(userPrincipal)) {
                subject.getPrincipals().add(userPrincipal);
            }
        }
        return true;
    }

    public boolean abort() throws LoginException {
        return true;
    }

    public boolean logout() throws LoginException {
        return true;
    }
}
SunTestAuthCallBack.java

package com.sun.comms.test;

import com.sun.comms.client.security.auth.LoginCallback;
import java.io.Serializable;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;


public class SunTestAuthCallBack implements LoginCallback, Serializable {

    HttpServletRequest req;
    HttpServletResponse res;
    String username = null;
    String pwd = null;

    protected String name = null;
    protected String host = null;
    protected String user = null;
    protected String userDomain = null;
    protected Locale locale = null;
    protected String serverName = null;

    SunTestAuthCallBack(){

    }

    public void setData(HttpServletRequest request,HttpServletResponse response){
        this.req = request;
        this.res = response;
        username = (String)req.getParameter("username");
        pwd = (String)req.getParameter("password");


    }

    public String getUserName(){
        return username;
    }

    public String getUserPwd(){
        return pwd;
    }


    public void setUserInfo(String uid,String domain){
        req.setAttribute("loginID", uid);
        req.setAttribute("userDomain", domain);
    }

    public boolean setData(Object obj) {
        throw new UnsupportedOperationException("Not supported yet.");
    }

    public Locale getLocale() {

      if (locale == null)
          return Locale.getDefault();

        return locale;
    }

    /**
     * set the client locale
     */

    public void setLocale(Locale locale) {
        if (locale != null)
            this.locale = locale;
    }

    /**
     * get the host name of the machine running the console.
     * this may be required for auditing purposes
     */

    public String getHost() {

	if (host == null) {
	    try {
                host = InetAddress.getLocalHost().getHostName();
            } catch (UnknownHostException ukhe) {
		host = null;
            }
	}

        return host;
    }

    /**
     * set the host name of the machine
     */

    public void setHost(String host) {
        if (host != null)
            this.host = host;
    }

}
AppTestCallbackHandler.java
package com.sun.comms.test;

import com.sun.comms.client.logging.IwcLogger;
import com.sun.comms.client.security.auth.modules.HttpCallbackHandler;
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.commons.logging.Log;
import com.sun.comms.test.SunTestAuthCallBack;


public class AppTestCallbackHandler extends HttpCallbackHandler {
    private final static Log logger = IwcLogger.getLogger(IwcLogger.AUTH_LOGGER);
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        if (callbacks == null) {
	    throw new IOException("Empty or null callback array");
	}

	for (int i = 0; i < callbacks.length; i++) {
             if (callbacks[i] instanceof SunTestAuthCallBack ) {
                SunTestAuthCallBack nc = (SunTestAuthCallBack)callbacks[i];
                nc.setData(request, response);
                System.err.println("request and response set in AppTestCallbackHandler");
             }else
             	System.err.println("Callback objects are not instance of SunTestAuthCallBack");
        }
    }

}

How the implementation works

For every authentication request, the Convergence authentication framework reads the configured login module class name, call back handler class name and executes it using JAAS framework.

The JAAS framework calls the initialize() method by passing all the required arguments. One of the arguments we are interested here is the Map option of the initialize() method. Convergence' authentication framework populates this object with all Misc parameters of CustomJAASService configuration.

In this example, we pass the directory location of user database CredentialFile as part of Misc parameter to SunTestLoginModule.
The other arguments are:

  • Subject subject - represents Subject that is being authenticated.
  • CallbackHandler callbackHandler - Object that is responsible for handling custom callbacks.
  • Map sharedState - Not used by Convergence and hence ignore it.

After successful initialization, the login module obtains all the required information about the callback handler and all the required configuration. The JAAS framework then invokes the login() method. This method performs the authentication, which is module specific. In this sample, login() method first creates callback object(s):

Callback[] callbacks = new Callback[1];
mcb = new SunTestAuthCallBack();

The call back object is aware of how to obtain the authentication related information such as the username, password, and so on. This is returned as a HTTP request. Once call back objects are created, it passes callback objects to CallBackHandler's handle method.

cbh.handle(callbacks);

callbackhandler knows how to handle call back objects. For example, the method used for callback object, the data to be passed to it, and so on.

the handle() method of callback handler then calls callback object's setData() by passing request and response objects:

SunTestAuthCallBack nc = (SunTestAuthCallBack)callbacks[i];
nc.setData(request, response);

Now, the Callback's setData() extracts the required information from request and response. In this sample, it gets request parameter username and password from request.

this.req = request;
    this.res = response;
    username = (String)req.getParameter("username");
    pwd = (String)req.getParameter("password");

The callback object now has all information that is required to authentication the user from the HTTP request. Now login method() calls an internal method attemptLogin(). This method obtains login information from the callback object:

String userID = mcb.getUserName();
        String userPwd = mcb.getUserPwd();

and loads the user database file and performs authentication. If authentication is successful this method returns String array with userID and userDomain, which is identifier to locate user in UG LDAP:

If attemptLogin() method is successful, login() method sets userID and userDomain info back into HTTP request by calling callback object's setUserInfo() method:

mcb.setUserInfo(userInfo[0], userInfo[2]);

Here, userInfo[0] is unique identified to locate user in UG LDAP. For example, uid and userInfo[2] is domain/organization name in UG LDAP under which user entry is available. This method sets this information as parameters in the HTTP request attribute:

public void setUserInfo(String uid,String domain){
        req.setAttribute("loginID", uid);
        req.setAttribute("userDomain", domain);
    }

The authentication framework uses the loginID and userDomain to get the information from the request. All custom modules must use same names for these parameters. This is mandatory for Convergence' authentication framework.

and login() method returns true.
Now JAAS framework will call commit() method of LoginModule,where UserPrincipal object is populated into authenticated Subject object. This is mandatory for Convergence' authentication framework.

UserPrincipal userPrincipal = new UserPrincipal(mcb.getUserName());

    if (!subject.getPrincipals().contains(userPrincipal)) {
         subject.getPrincipals().add(userPrincipal);
    }

Here, UserPrincipal object takes userName of the user, which is nothing but unique identifier used to locate user entry in UG LDAP.

On successful completion of the commit() method, the control goes back to Convervgence' authentication framework. This step marks the end of the authentication process. The authentication framework now has all the required information like: loginID, userDomain and authenticated Subject with UserPrincipal objects. The Convergence authentication framework then loads the user from the UG LDAP.

Compiling the sample custom module

Caution
If you need to change the core class file names provided in this article, note that you must appropriately refactor the code. Some of the files use objects created by other core classes of the custom authentication module.
Note
The paths used in the following example may differ for your installation
  1. Create /com/sun/comms/test directory under /<some_dir>.
    Note
    The JAR file must be created by following the Java packaging layout rules. For example, the classes in this sample are packaged as com.sun.comms. So the Java files must be copied under the directory structure :com/sun/comms.
  2. Copy the sample code provided earlier into the files AppTestCallbackHandler.java,SunTestAuthCallBack.java, and SunTestLoginModule.java under /<some_dir>/com/sun/comms/test directory.
  3. Compile the java class files. 
    # cd /<some_dir>/com/sun/comms/test
# javac -classpath /opt/sun/comms/iwc/web-src/server/WEB-INF/lib/iwc.jar:/opt/sun/comms/iwc/web-src/server/WEB-INF/lib/commons-logging-api-1.1.jar:/opt/SUNWappserver/lib/javaee.jar  
AppTestCallbackHandler.java SunTestAuthCallBack.java SunTestLoginModule.java
  4. Create a JAR archive. 
    cd /<some_dir>
#jar -cvf SunTestLogin.jar com
    Note

    If your custom authentication module requires any additional jar files or classes, these must be bundled along with the jar file.

  5. Add the JAR file to deployed Convergence's libraries using Application Server's asadmin command. 
    asadmin set server.applications.web-module.Convergence.libraries=<path-of-customAuth-jar-file>
    Note
    The custom authentication module must be on the system that can be accessed by Application Server. It is best to place the JAR archive on a location outside of the Convergence installation or deployed directories. To know more see Application-Specific Class Loading in the Sun Java System Application Server 9.1 Developer's Guide.

Configuring the Sample Custom Authentication Module

This section describes the steps to configure the custom authentication module with Convergence. Since this example comes bundled with Convergence server, all you need to do to use this is to configure Convergence by setting the appropriate configuration parameters. The following are the instructions to enable the custom authentication module to use a file based authentication store.

  1. Set the auth.custom.service name parameter in Convergence to indicate that a custom authentication module is being used. 
    ./iwcadmin -w <admin_password> -o auth.custom.servicename -v "JAAS_CUSTOM"
  2. Set the auth.custom.loginimpl parameter to the login module implementation created for custom authentication module. 
    ./iwcadmin -w <admin_password> -o auth.custom.loginimpl -v "com.sun.comms.test.SunTestLoginModule"
  3. Set the auth.custom.callbackhandler parameter to the custom callback handler used for the custom authentication module. 
    ./iwcadmin -w <admin_password> -o auth.custom.callbackhandler -v "com.sun.comms.test.AppTestCallbackHandler"
  4. Set the auth.misc.CredentialFile parameter to the directory where the authentication store is available. In this case, the authentication store is a file.
    "Note"
    Here, the value of auth.misc.CredentialFile is case sensitive. While reading these parameters inside custom authentication module the name should match the configuration.
./iwcadmin -w <admin_password> -o auth.misc.CredentialFile -v "/var/opt/SUNWiwc/config/userinfo.txt"

If you have created a custom authentication module for a different authentication store, you must follow the steps described below to enable the authentication module to work with Convergence.

  1. Compile the custom authentication module source files and bundle them as a Java archive. See Compiling the sample custom module.
  2. Configure Convergence to use the custom authentication module by using the steps in section Configuring the sample custom module. See
    1. Set the auth.custom.service configuration parameter to "JAAS_CUSTOM".
    2. Set the auth.custom.loginimpl configuration parameter to the custom login module implementation of the authentication module
    3. Set the auth.custom.callbackhandler to the call back handler of the custom authentication module.
    4. Set any miscellaneous parameters that you have used for your custom authentication module by setting the auth.misc configuration parameter.
  3. Deploy the custom module. See Deploying the Authentication Module in Application Server.

Deploying the Authentication Module in Application Server

Since the authentication module is in application server's classpath, restart the applicaiton server so that the module is updated in Application Server's classpath.

  1. Restart application server. 
    # /opt/SUNWappserver/bin/asadmin stop-domain domain1
# /opt/SUNWappserver/bin/asadmin start-domain domain1

Debugging and Troubleshooting the Custom Authentication Module

This section provides instructions on how to debug and troubleshoot the authentication module. For more information on debugging, see Troubleshooting Sun Convergence.

  1. Set Convergence logging to DEBUG level. 
    # ./iwcadmin -w <admin_password> -o log.AUTH.level -v DEBUG
  2. Restart the application server. 
    # /opt/SUNWappserver/bin/asadmin stop-domain domain1
# /opt/SUNWappserver/bin/asadmin start-domain domain1
  3. Use the tail command to see the log messages generated. 
    # tail -f /var/opt/sun/comms/iwc/logs/iwc.log

Disabling the Custom Authentication Module

To change the custom authentication module to the default authentication module (LDAP) run following command.

./iwcadmin -w <admin_password> -o auth.ldap.enable -v true

Restart the application server to ensure that the changes take effect in your deployment.

# /opt/SUNWappserver/bin/asadmin stop-domain domain1
# /opt/SUNWappserver/bin/asadmin start-domain domain1

Summary

This section provides a recap of how to create a custom authentication module.

  • Every custom authentication module should implement the following three classes:
    o A class that implements LoginModule interface
    o A class that extends HttpCallBackHander class
    o A(set of) class that implements CallBack interface
    o If your custom authentication module requires other classes that are specific to your implementation of the authentication module, the classes must be implemented.
  • The iwc.jar should be there in classpath, while developing custom authentication module as it uses few Convergence specific classes like HttpCallBackHandler and UserPrincipal.
  • As a best practice, it is good to bundle all dependent classes in a jar file. These should be made available in the web container's class path.
  • Implementation of LoginModule interface and HttpCallBackHander class needs to be configured using the command line interface.
  • Any additional configuration specific to custom authentication module can be configured as Misc parameter using CLI
  • The custom authentication module must set two HTTP request attributes, userid and userDomain after successful authentication.
  • The userDomain must be a valid domain entry in UG LDAP under which, Convergence can uniquely locate user entry by using user id as an identifier.
  • The custom authentication module must create UserPrincipal object using userid and set it in Subject after successful authentication.

References

Schema Reference Guide
JAAS tutorial

Labels

convergence convergence Delete
customizing customizing Delete
authentication authentication Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.

Comments (21)

 

  1. Apr 23, 2008

    Greg.Kimura says:

    Nice work here. The one thing I think would be useful is more context. What is...

    Nice work here. The one thing I think would be useful is more context.

    What is a pluggable authentication module and what problem does it solve? Why would someone want to do this?

    1. Apr 25, 2008

      Balamurugan.k says:

      As mentioned in the document. While end user logs into convergence, it uses conf...

      As mentioned in the document. While end user logs into convergence, it uses configured authentication module to authenticate the user.

      Sun Convergence has inbuilt authentication modules Sun LDAP authentication and Sun AM authentication modules. Any one of them can be configured as authentication mechanism.

      But, if a customer choose to use a different authentication mechanism other than what is shipped by default. Then they can write custom authentication mechanism. This document explains how to write such authentication mechanism for Sun Convergence.

  2. Jul 28, 2008

    jessethompson says:

    This is awesome, thanks! Can you add more information on how to deploy the ...

    This is awesome, thanks!

    Can you add more information on how to deploy the modules? i.e., where to put the files, how to compile, how to refresh the app server, etc. I'm not an experienced Java developer, so this isn't obvious to me yet    I know that ultimately I should be loading this up in an IDE (maybe you can add those instructions too ) but documenting the manual process to get this example working would be helpful.

    1. Apr 28, 2008

      Balamurugan.k says:

      I guess you are using convergence beta release. This document is meant for RR or...

      I guess you are using convergence beta release. This document is meant for RR or Final release.

  3. Jul 29, 2008

    jessethompson says:

    The example worked out of the box. Now, I want to modify it to suit our environ...

    The example worked out of the box. Now, I want to modify it to suit our environment. However, any change I make does not seem to take effect.

    Update:

    This example does not work... it appears that something similar is bundled with the application, so I assumed that this example worked, when in fact it did not. 

    1. Jul 29, 2008

      Balamurugan.k says:

      Hope you are using RR ( Released ) binaries. Did you give proper login module c...

      Hope you are using RR ( Released ) binaries.
      Did you give proper login module class name and callback class name in configuration.
      Make the auth log level as DEBUG and see what is being logged when you try to login.

      --Bala

      1. Jul 29, 2008

        jessethompson says:

        Yes, using released binaries. I followed the instructions on this page, so I as...

        Yes, using released binaries.

        I followed the instructions on this page, so I assume that the instructions used the correct login module class name and callback class name; otherwise, yes, they appear to be correct.

        I did set it to DEBUG, and that is how I verified out that my changes weren't taking effect.

        Your instructions for deploying the module are incomplete. Do I need to run any addition commands? What about config-rewar?

  4. Jul 29, 2008

    jessethompson says:

    Does this error mean that it can't find the class, or that there is something wr...

    Does this error mean that it can't find the class, or that there is something wrong with the class? The class compiles with no warnings and no errors. A complete stack trace for the error would be helpful, otherwise tell me what I should be doing differently.

    AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter  Thread httpSSLWorkerThread-80-1 at 10:56:23,637 - SSO is disabled 
AUTH: WARN from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 10:56:23,639 - Subject not found in session, creating one 
AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 10:56:23,641 - Unabled to load the class due to com.sun.comms.client.security.auth.WiscAppSampleCallbackHandler 
AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 10:56:23,645 - Unable to instantiate callback handler  
AUTH: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate  Thread httpSSLWorkerThread-80-1 at 10:56:23,647 - Failed to Login the user: Unable to instantiate callback handler  
PROTOCOL: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate  Thread httpSSLWorkerThread-80-1 at 10:56:23,648 - Protocol Error while login : Unknown Reason

  5. Jul 29, 2008

    jessethompson says:

    How do you remove the module and go back to the default? I tried to unset the o...

    How do you remove the module and go back to the default? I tried to unset the options, but they did not seem to take effect

    sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.servicename -v ""
sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.callbackhandler -v ""
sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.loginimpl -v ""
sudo /opt/SUNWappserver/bin/asadmin stop-appserv
sudo /opt/SUNWappserver/bin/asadmin start-appserv

    AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter  Thread httpSSLWorkerThread-80-1 at 14:45:25,951 - SSO is disabled 
AUTH: WARN from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 14:45:25,953 - Subject not found in session, creating one 
AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 14:45:25,954 - Unabled to load the class due to  
AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 14:45:25,956 - Unable to instantiate callback handler  
AUTH: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate  Thread httpSSLWorkerThread-80-1 at 14:45:25,957 - Failed to Login the user: Unable to instantiate callback handler  
PROTOCOL: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate  Thread httpSSLWorkerThread-80-1 at 14:45:25,960 - Protocol Error while login : Unknown Reason

    1. Jul 29, 2008

      nileshp says:

      Hi Jesse, Thanks a lot for your comments. I've passed this on to the engineer...

      Hi Jesse,
      Thanks a lot for your comments. I've passed this on to the engineers who have helped me write this document. I'll get back to you ASAP.

      And thanks for your contributions to this article.

      Nilesh

    2. Jul 31, 2008

      nileshp says:

      Hi Jesse, We have updated the wiki page with more instructions. Please let us...

      Hi Jesse,
      We have updated the wiki page with more instructions. Please let us know if this helps.

      Nilesh

      1. Aug 11, 2008

        jessethompson says:

        Nope...still unable to get the application server to find the classes. See: ht...

        Nope...still unable to get the application server to find the classes. See:

        http://forums.sun.com/thread.jspa?messageID=10372405

        1. Sep 09, 2008

          DNReddy says:

          Add JAR file to Convergence libraries using Application server admin command asa...

          Add JAR file to Convergence libraries using Application server admin command
          asadmin set server.applications.web-module.Convergence.libraries=<path-of-customAuth-jar-file>

          1. Sep 18, 2008

            jessethompson says:

            Yes, that did the trick. Thank you!!!!!!

            Yes, that did the trick. Thank you!!!!!!

  6. Oct 15, 2008

    hadya says:

    I need to integrate this with Radius authentication. Can someone suggests how I ...

    I need to integrate this with Radius authentication. Can someone suggests how I can tweak this module to do.

    -Sri

    1. Oct 16, 2008

      Balamurugan.k says:

      It is straight forward as mentioned in the document. The document contains step-...

      It is straight forward as mentioned in the document. The document contains step-by-step instructions to write custom auth module. It is better to go through the documentation completely before you want to try something.

      You can use any Radius java API to achieve this. One of the Important requirement is to link the user in Radius user data store and Convergence user data store ( UG LDAP ). One way to achieve this is use same user identifier in both the data store. e.g. if a user's identity in Radius data store is hadya use the same identity ( uid=handy) in Convergence user data store (UG LDAP). Same way user's organization/domain information needs to be passed to authentication frame work to load the right user info from Convergence user data store.

      Have a look at SunTestLoginModule's attemptLogin() method that does the actual authentication, which you can modify to suite your requirement.

  7. Oct 16, 2008

    hadya says:

    Hi, I created the files as per the instruction and added all required entries. ...

    Hi,

    I created the files as per the instruction and added all required entries. I am still getting following errors. My Path seems to be correct.

    1. /opt/SUNWappserver/bin/asadmin get --user admin --passwordfile /gcs/app/mail/as70/.password_admin server.applications.web-module.Convergence.libraries
      server.applications.web-module.Convergence.libraries = /opt/SUNWappserver/domains/domain3/docroot

    /opt/sun/comms/iwc/sbin/iwcadmin -u admin -w xxxx -o auth.misc.CredentialFile auth.misc.CredentialFile = /opt/SUNWappserver/domains/domain3/docroot/userinfo.txt
    root@cerium:#ls /opt/SUNWappserver/domains/domain3/docroot/userinfo.txt
    /opt/SUNWappserver/domains/domain3/docroot/userinfo.txt
    root@cerium:#cat /opt/SUNWappserver/domains/domain3/docroot/userinfo.txt
    test1:test:mailtest.apple.com
    test2:test:mailtest.apple.com
    hadya:test123:mailtest.apple.com
    root@cerium:#

    #tail -f iwc.log
    AUTH: WARN from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-80-0 at 12:10:39,423 - Subject not found in session, creating one
    AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-80-0 at 12:10:39,427 - Unabled to load the class due to com.sun.comms.test.AppTestCallbackHandler
    AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-80-0 at 12:10:39,430 - Unable to instantiate callback handler
    AUTH: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate Thread httpSSLWorkerThread-80-0 at 12:10:39,432 - Failed to Login the user: Unable to instantiate callback handler
    PROTOCOL: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate Thread httpSSLWorkerThread-80-0 at 12:10:39,435 - Protocol Error while login : Unknown Reason

  8. Oct 16, 2008

    hadya says:

    Adding the Jar file name did the trick. #/opt/SUNWappserver/bin/asadmin get --...

    Adding the Jar file name did the trick.

    #/opt/SUNWappserver/bin/asadmin get --user admin --passwordfile /gcs/app/mail/as70/.password_admin server.applications.web-module.Convergence.libraries
    server.applications.web-module.Convergence.libraries = /opt/SUNWappserver/domains/domain3/docroot/SunTestLogin.jar

    1. Oct 16, 2008

      Balamurugan.k says:

      Have you modified the code to use Radius authentication? Is it working? Please c...

      Have you modified the code to use Radius authentication? Is it working? Please confirm.

      Thanks
      -Bala

  9. Feb 12, 2009

    jessethompson says:

    Is there a way to have it fall back on normal LDAP authentication? So, for exam...

    Is there a way to have it fall back on normal LDAP authentication?

    So, for example, if the user is in the loginFile, then authenticate the password using the password in the file, otherwise authenticate the password with LDAP normally.

    1. Feb 12, 2009

      DNReddy says:

      No, only one authentication mechanism can be configured for Convergence

      No, only one authentication mechanism can be configured for Convergence

Sign up or Log in to add a comment or watch this page.


The individuals who post here are part of the extended Sun Microsystems community and they might not be employed or in any way formally affiliated with Sun Microsystems. The opinions expressed here are their own, are not necessarily reviewed in advance by anyone but the individual authors, and neither Sun nor any other party necessarily agrees with them.

Copyright 1994-2009 Sun Microsystems, Inc.
Powered by Atlassian Confluence Sun Guidelines on Public Discourse Privacy Policy Terms of Use Trademarks Site Map Employment Investor Relations Contact