From c385810699a2915805bdcdd2d55183f445119d3a Mon Sep 17 00:00:00 2001 From: Juan Carlos Luciani Date: Fri, 19 May 2006 22:03:41 +0000 Subject: [PATCH] TODO and README for JaasSupport component. --- auth_token/server/JaasSupport/README | 82 ++++++++++++++++++++++++++++ auth_token/server/JaasSupport/TODO | 14 +++++ 2 files changed, 96 insertions(+) create mode 100644 auth_token/server/JaasSupport/README create mode 100644 auth_token/server/JaasSupport/TODO diff --git a/auth_token/server/JaasSupport/README b/auth_token/server/JaasSupport/README new file mode 100644 index 00000000..fae61bc0 --- /dev/null +++ b/auth_token/server/JaasSupport/README 
@@ -0,0 +1,82 @@ +/*********************************************************************** + * + * README for JaasSupport + * + ***********************************************************************/ + +INTRODUCTION + +CasaLoginModule is a JAAS login module which can be configured +to validate credentials consisting of CASA Authentication Tokens. + +CONFIGURATION + +To use CasaLoginModule for your service, set the java.security.auth.login.config +property to point to the JAAS configuration file for your application. You must +also set the org.xml.sax.driver property to point to an appropriate SAX Parser. +The Xerces SAX Parser is a good option (org.apache.xerces.parsers.SAXParser). + +The JAAS configuration file should include the following line: + +com.novell.casa.jaas.CasaLoginModule Required; + +The CasaLoginModule supports the following parameters: + +PerformUsernameCheck - This parameter when set to true tells the CasaLoginModule +that it must verify that the username is set to "CasaPrincipal". If the parameter +is not specified the username is not checked. + +CLIENT PROGRAMMING NOTES + +Clients must specify the same service name when requesting Authentication +Tokens from the CASA Client as the service name specified by the server +when opening a JAAS Context. + +SERVER PROGRAMMING NOTES + +Server applications validating credentials containing CASA Authentication +tokens can obtain information about the authenticated identity by getting +access to the CasaPrincipal that gets associated with the Subject object +returned from a successful JAAS login. The CasaPrincipal provides the +following information: username, name of the identity data source (realm), +and an URL to the identity data source. The CasaPrincipal also contains +the attributes of the authenticated identity configured as required by the +service in the Authentication Token Service. 
+ +EXAMPLE SERVER APPLICATION + +See src/com/novell/casa/jaas/sample/SampleApp.java for an example application +using JAAS to authenticate credentials consisting of CASA Authentication Tokens. + +Note that to get the application to run you must set the path to the JAAS configuration +file as the JAVA property java.security.auth.login.config. You must also make sure that +the JAVA property org.xml.sax.driver.org is set to a valid SAX parser. The following shows +the JAVA options that you would set to run the test application: -Djava.security.auth.login. +config=/home/user/SampleApp/SampleApp.conf -Dorg.xml.sax.driver=org.apache.xerces.parsers. +SAXParser + +The SampleApp.conf file should have the following contents: + +SampleApp { + com.novell.casa.jaas.CasaLoginModule Required debug=true; +}; + +You must also include the CasaJaasSupport.jar and CasaAuthToken.jar files in the +CLASSPATH of the application. + +SECURITY CONSIDERATIONS + +CASA Authenticatication Tokens when compromised can be used to either impersonate +a user or to obtain identity information about the user. Because of this it is +important that the tokens be secured by applications making use of them. It is +recommended that the tokens be transmitted using SSL. + + + + + + + + + + diff --git a/auth_token/server/JaasSupport/TODO b/auth_token/server/JaasSupport/TODO new file mode 100644 index 00000000..dce480d7 --- /dev/null +++ b/auth_token/server/JaasSupport/TODO @@ -0,0 +1,14 @@ +/*********************************************************************** + * + * TODO for JaasSupport + * + ***********************************************************************/ + +INTRODUCTION + +This file contains a list of the items still outstanding for JaasSupport. + +OUTSTANDING ITEMS + +- Change the username that the login module checks to be CasaPrincipal. +- Change the setting for checking usernames to be PerformUsernameCheck.
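Review bot: In auth_token/server/JaasSupport/README, the EXAMPLE SERVER APPLICATION section names the SAX property as "org.xml.sax.driver.org", while the CONFIGURATION section and the -D option in the same paragraph use "org.xml.sax.driver"; the prose name should be corrected to match, since a reader who copies it sets a property the parser never reads. In the same paragraph the two -D options are wrapped in the middle of a token ("-Djava.security.auth.login." / "config=..." and "org.apache.xerces.parsers." / "SAXParser"), so they cannot be copied as written; put each option on its own line. SampleApp.conf passes debug=true, but the parameter list under CONFIGURATION documents only PerformUsernameCheck, so either document debug (including what it writes to the log, given that the SECURITY CONSIDERATIONS section treats tokens as sensitive) or drop it from the sample. The PerformUsernameCheck entry should also state outright that the default is no username check, so that deployers know the check is opt-in. Minor: "Authenticatication" in SECURITY CONSIDERATIONS is a typo, and the run of empty lines at the end of the file can go.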
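Review bot: In auth_token/server/JaasSupport/TODO, both outstanding items ("Change the username that the login module checks to be CasaPrincipal" and "Change the setting for checking usernames to be PerformUsernameCheck") describe as pending the same behaviour that the README added in this commit documents as supported. If the module does not yet recognise the PerformUsernameCheck name, a deployment that follows the README would run without the username check it believes is enabled. Either note in the README that the parameter name and the "CasaPrincipal" value are not yet implemented, or record in the TODO the setting name and username the module checks today so that the two files agree.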