1 Reply Latest reply on Jun 7, 2012 6:44 AM by YogeshUpadhyay

    JAAS Custom LoginModule in CQ (ninja)

    Roland Ringgenberg (SC)

      Hi,

       

      We still have some ideas about what we can try, but maybe someone here can already point us in the right direction.

       

       

      We are having trouble configuring CQ 5.5 to do authorization using our custom JAAS LoginModule.

      We did the following steps:

       

      1) Write a JAAS Configuration file

       

      Our JAAS is really simple:

       

      com.day.crx {
        com.day.crx.core.CRXLoginModule sufficient;
        ch.nevis.ninja.tomcat.auth.NinjaTomcatLoginModule required
          NevisSignerCertificate="/path/to/signer.pem"
          RoleGetters=ch.nevis.ninja.commons.mapping.TokenRoleGetter;
      };

       

       

      2) Disabled the default LoginModule configuration in the repository.xml configuration file (as documented):

       

      <!--
         Use LoginModule authenticating against repository itself
         <LoginModule class="com.day.crx.core.CRXLoginModule">
           <param name="anonymousId" value="anonymous"/>
           <param name="adminId" value="admin"/>
           <param name="disableNTLMAuth" value="true"/>
           <param name="tokenExpiration" value="43200000"/>
         </LoginModule>
      -->

       

      When we start CQ with command [0] (see further down) we see in the log file that the JAAS configuration is successfully loaded:

       

      06.06.2012 09:54:15.053 *INFO* [FelixStartLevel] org.apache.jackrabbit.core.DefaultSecurityManager init: use JAAS login-configuration for com.day.crx

       

      But when we access CQ, we get the warning [1]: CQ is not able to locate our LoginModule class.

       

      We tried two ways to provide the LoginModule class:

       

      1) add the library jars to the java classpath at the server start (see start command [2])

      2) pack our jars in an OSGI bundle, install it in the OSGI console with start level 10 and the "start bundle" flag set.

       

      Our bundle (ninja) seems to be correctly started; in the logs we found these two lines:

      06.06.2012 09:54:08.486 *INFO* [FelixDispatchQueue] ninja BundleEvent RESOLVED
      06.06.2012 09:54:08.486 *INFO* [FelixDispatchQueue] ninja BundleEvent STARTED

       

       

      Unfortunately in both cases we get the warning [1].

       

      Does someone here have an idea what we are missing or, better, what we are doing wrong in providing our custom login module to CQ? It looks like Felix loaded the class properly, but Jackrabbit cannot find it.

       

      Thx.

      Andrea & Roland

       

       

      ------------------------------- Commands -----------------------------------

       

      [0] java -server -Xmx1024m -XX:MaxPermSize=256M -Djava.awt.headless=true
          -Dsling.run.modes=author
          -Djava.security.auth.login.config=/path/to/jaas.conf -jar
          app/cq-quickstart-5.5.0-SNAPSHOT-standalone.jar start -c . -i launchpad
          -p 4502

       

      [1] 06.06.2012 10:02:31.793 *WARN* [127.0.0.1 [1338969751747] GET
          /libs/cq/core/content/login/images/productlogo.png HTTP/1.1]
          org.apache.jackrabbit.core.SessionImpl failed to logout current subject:
          unable to find LoginModule class:
          ch.nevis.ninja.tomcat.auth.NinjaTomcatLoginModule

       

      [2] java -server -Xmx1024m -XX:MaxPermSize=256M -Djava.awt.headless=true
          -cp jcan-commons.jar:jcan-log.jar:jcan-sectoken.jar:log4j-1.2.14.jar:ninja-commons.jar:ninja-tomcat.jar
          -Dsling.run.modes=author
          -Djava.security.auth.login.config=/path/to/jaas.conf -jar
          app/cq-quickstart-5.5.0-SNAPSHOT-standalone.jar start -c . -i launchpad
          -p 4502
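
A diagnostic for the situation described in this post, as an added example that is not part of the original post or of CQ: it reads the JAAS entry from the file named by `-Djava.security.auth.login.config` and reports, per class loader, whether each configured LoginModule class can be resolved (JAAS's `LoginContext` resolves module classes through the thread context class loader). The class name `JaasModuleCheck` is hypothetical; the default entry name `com.day.crx` is the one from the posted jaas.conf.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

// Added diagnostic, not code from the original post or from CQ.
public class JaasModuleCheck {

    // True if 'loader' can resolve 'className' (the class is not initialized).
    static boolean resolvable(String className, ClassLoader loader) {
        try {
            Class.forName(className, false, loader);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        } catch (LinkageError e) {   // class file found, but a dependency is missing
            return false;
        }
    }

    public static void main(String[] args) {
        // JAAS application entry to inspect; defaults to the name used in the post.
        String app = args.length > 0 ? args[0] : "com.day.crx";
        // Parses the file given by -Djava.security.auth.login.config.
        AppConfigurationEntry[] entries =
                Configuration.getConfiguration().getAppConfigurationEntry(app);
        if (entries == null) {
            System.err.println("No JAAS entry named '" + app + "' in the active configuration");
            System.exit(2);
        }
        Map<String, ClassLoader> loaders = new LinkedHashMap<String, ClassLoader>();
        loaders.put("thread context", Thread.currentThread().getContextClassLoader());
        loaders.put("system", ClassLoader.getSystemClassLoader());
        loaders.put("this class", JaasModuleCheck.class.getClassLoader());

        boolean missing = false;
        for (AppConfigurationEntry e : entries) {
            String name = e.getLoginModuleName();
            System.out.println(name + " [" + e.getControlFlag() + "] options=" + e.getOptions());
            for (Map.Entry<String, ClassLoader> l : loaders.entrySet()) {
                boolean ok = resolvable(name, l.getValue());
                System.out.println("  " + l.getKey() + " loader: " + (ok ? "found" : "NOT FOUND"));
                // The thread context loader is the one that decides the JAAS outcome.
                if (!ok && "thread context".equals(l.getKey())) missing = true;
            }
        }
        System.exit(missing ? 1 : 0);
    }
}
```

Compile it and run it with the same `-Djava.security.auth.login.config` value and the same jars as the server start command, for example `java -cp <jars>:. -Djava.security.auth.login.config=/path/to/jaas.conf JaasModuleCheck`.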