Friday, September 17, 2010

Austin Cloud Computing Users Group Meeting Sep 21

The next meeting of Austin’s cloud computing trailblazers is next Tuesday, Sep. 21. Event details and signup are here. Some gentlemen from Opscode will be talking about cloud security, and then we’ll have our usual unconference-style discussions. If you haven’t, join the group mailing list! It’s free, you get fed, and you get to talk with other people actually working with cloud technologies.

Thursday, September 9, 2010

Customize Glassfish Authorization Realm

Welcome. I have used Google to try to research creating a custom Authorization Realm in GlassFish. This is because the file, JDBC, and certificate realms did not support the type of authorization under the covers. I needed to be able to use BASIC Authorization to an OData Producer so that it was a protected resource. The catch was that the username and password needed to be authenticated with a web service call. The call returns the level of usability for the role.


This link from Sun's blog (Sun Blog Post) helped a ton, but I felt some things were left out that did not come to me easily. There are a few things to consider when creating your custom Realm and login module. The jar library appserv-rt.jar is not provided in any Maven repository, so create a Maven project, add the jar to the src/main/resources folder of the project, and use the system scope with systemPath to specify the path.
Add this dependency entry to your pom.xml file:

<dependency>
    <groupId>com.sun</groupId>
    <artifactId>appserv-rt</artifactId>
    <scope>system</scope>
    <version>9.1</version>
    <systemPath>${basedir}/src/main/resources/appserv-rt.jar</systemPath>
</dependency>


Now that you have the dependency you need, create a new class that extends com.sun.appserv.security.AppservRealm. Override the init, getGroupNames, and getAuthType methods. The init method should set up the web service port needed to make the call. I included an authorization function that takes a username and password and calls the login function, or throws a LoginException if it fails.


Next, create a second class that extends com.sun.appserv.security.AppservPasswordLoginModule and override the authenticateUser method. The parent class has a few useful protected fields, including _logger, _username, _password, and _currentRealm. The username and password are what the user enters. The current Realm should be the custom Realm you created before, so add some logic to verify that it is an instance of the custom Realm and then cast it to the custom Realm. Once it is cast, call the authorization function, passing it the username and password from the LoginModule; it returns a String[] of the groups available to the user. These groups can have any names you want. At the end, call commitUserAuthentication(groups).


Compile this jar and put the file in the glassfish/lib folder.
Then configure your domain/config/login.conf file and add something similar:


myCustomRealm {
com.package.path.to.CustomLoginModule required;
};

Restart GlassFish and then go to the admin control panel. Under Configuration->Security->Realms, create a new Realm. Name it mycustom-realm or whatever you like. Enter your custom Realm class using the full package name of the class.

Then add an additional property
name = "jaas-context" and the
value = "myCustomRealm".
This value is the same as entered in the login.conf file.
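
The realm and login module described above, sketched as an added example (not code from the original post or from the Sun blog). It is written against the appserv-rt 9.1 classes named on this page. The AuthPort interface, the "auth-port-class" realm property, and the class names are hypothetical stand-ins for the web service client. Every failure path denies the login and the password is never logged.

```java
import java.util.*;
import javax.security.auth.login.LoginException;
import com.sun.appserv.security.AppservPasswordLoginModule;
import com.sun.appserv.security.AppservRealm;
import com.sun.enterprise.security.auth.realm.BadRealmException;
import com.sun.enterprise.security.auth.realm.NoSuchRealmException;

public final class WsRealmExample {
    /** Hypothetical wrapper around the web service client; returns the caller's groups. */
    public interface AuthPort { String[] login(String user, String password) throws Exception; }

    public static class WsRealm extends AppservRealm {
        private AuthPort port;
        public void init(Properties props) throws BadRealmException, NoSuchRealmException {
            super.init(props);
            String ctx = props.getProperty("jaas-context");      // same name as the login.conf entry
            String impl = props.getProperty("auth-port-class");  // hypothetical realm property
            if (ctx == null || impl == null)
                throw new BadRealmException("jaas-context and auth-port-class are required");
            setProperty("jaas-context", ctx);
            try {
                port = (AuthPort) Class.forName(impl).newInstance();
            } catch (Exception e) {
                throw new BadRealmException("cannot create " + impl);
            }
        }
        public String getAuthType() { return "ws-custom"; }
        // Assumption: groups are only known at login time, so nothing is enumerated here.
        public Enumeration getGroupNames(String user) { return Collections.enumeration(Collections.emptyList()); }

        /** Returns the user's groups or throws LoginException; it never returns on failure. */
        public String[] authorize(String user, String password) throws LoginException {
            if (user == null || user.length() == 0 || password == null) throw new LoginException("Login failed");
            String[] groups;
            try {
                groups = port.login(user, password);
            } catch (Exception e) {          // service unreachable or credentials rejected: deny
                throw new LoginException("Login failed");
            }
            if (groups == null || groups.length == 0) throw new LoginException("Login failed");
            return groups;
        }
    }
    public static class WsLoginModule extends AppservPasswordLoginModule {
        protected void authenticateUser() throws LoginException {
            // Fail closed if the module is attached to a realm it does not understand.
            if (!(_currentRealm instanceof WsRealm)) throw new LoginException("WsLoginModule needs WsRealm");
            commitUserAuthentication(((WsRealm) _currentRealm).authorize(_username, _password));
        }
    }
}
```

The two classes are nested only so the example fits in one file; with separate top-level classes, login.conf and the realm's class name field take their ordinary package names.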

Hopefully this helps anyone out there struggling like I was. 



Here are some useful links that I referenced.