JAAS, Securing J2EE Applications: Securing Web Components - 2. Write the CallBackHandler
(Page 5 of 7)
To gather a user's authentication information, a LoginModule uses a javax.security.auth.callback.CallbackHandler. The application implements this interface and passes the handler to the LoginContext, which forwards it to the underlying LoginModules. This decouples data gathering from the authentication logic: the LoginModule says what it needs by the Callback objects it sends (a NameCallback for the user name, a PasswordCallback for the password), and the handler decides how to obtain that data, whether from a login page or a terminal prompt. Below is the code for the CallbackHandler used by our application.
To implement CallbackHandler, a single method has to be implemented: handle(). Let's see how it's done.
Create a class that implements CallbackHandler. The interface and the callback types live in javax.security.auth.callback, and handle() is declared to throw IOException, so both packages are needed:
import java.io.IOException;
import javax.security.auth.callback.*;
class MyCallBackHandler implements CallbackHandler
{
…..
}
Then implement the handle() method. It receives an array of Callback objects from the LoginModule; the handler walks the array, fills in the callbacks it recognizes, and refuses any it does not (silently ignoring an unknown callback would leave the LoginModule with an empty value and a misleading failure later).
public void handle(Callback[] callbacks)
        throws IOException, UnsupportedCallbackException
{
    for (int i = 0; i < callbacks.length; i++)
    {
        if (callbacks[i] instanceof NameCallback)
        {
            NameCallback nc = (NameCallback) callbacks[i];
            //do the needful to get the user name (here held in userName), such as
            //a login page or a terminal-based user id prompter
            ………
            nc.setName(userName);
        }
        else if (callbacks[i] instanceof PasswordCallback)
        {
            PasswordCallback pc = (PasswordCallback) callbacks[i];
            //do the needful to get the password (here held in password), such as
            //a login page or a terminal-based password prompter, just like the one for the user name
            ………
            pc.setPassword(password.toCharArray());
        }
        else
        {
            //a callback type this handler does not understand: report it to the LoginModule
            throw new UnsupportedCallbackException(callbacks[i], "Unrecognized callback");
        }
    }
}
That’s all for the CallbackHandler.
3. Providing custom implementations for Principal and Action (this is optional)
This step is useful for storing the user name in the Subject and comparing it with the identity presented by a later login.
Just as in the previous step, start by creating a class.
public class userPrincipal implements Principal, java.io.Serializable
{
…….
}
Since this class is used to compare two userPrincipals, the comparison is done in the equals() method.
public boolean equals(Object o)
{
if(o==null)
return false;
if(this==o)
return true;
if(!(o instanceof userPrincipal))
return false;
userPrincipal that=(userPrincipal)o;
if (this.getName().equals(that.getName()))
return true;
return false;
}
The code first checks for a null argument, then for reference identity (the same object, not merely the same value), then confirms the argument is a userPrincipal before casting it and comparing the names it carries. One caveat: a Subject keeps its principals in a Set, so a class that overrides equals() must also override hashCode() consistently (for example, returning getName().hashCode()); otherwise two principals that compare equal can both end up in the set. The only method the Principal interface requires is getName(). In our case it returns the name that was stored in the object when it was constructed.
private String name;
public userPrincipal(String name) { this.name = name; }
public String getName()
{
    return name;
}
Next is the implementation of PrivilegedAction. Code wrapped in a PrivilegedAction and run through Subject.doAs(subject, action) executes with the permissions the policy grants to that Subject's principals, so access to a resource is decided by the permissions in force at the moment the action runs.
Create a custom implementation by implementing the PrivilegedAction interface (from java.security; java.io.File is needed for the check in run()).
import java.io.File;
import java.security.PrivilegedAction;
public class userAction implements PrivilegedAction<Object>
{
…..
}
Then implement the run() method as shown below. Implementations can differ.
public Object run()
{
    File f = new File("tips.html");
    if (!f.exists())
        System.out.println("File does not exist in user directory");
    //do other needful. In a real environment the output wouldn't be given like above
    return null;
}
Here we only check whether the file exists. When a security manager is installed, exists() first calls SecurityManager.checkRead(), which consults the policy for a java.io.FilePermission granting "read" on that path; if the permission has not been granted to the Subject's principals, the call throws a SecurityException rather than returning false. In this case the policy written in the next step grants read permission only within the user's home directory. Note that the relative path "tips.html" resolves against the current working directory (the user.dir system property), so the policy entry must cover wherever the application is actually started from. Note also that the security manager this check depends on is deprecated for removal since Java 17 and can no longer be enabled in Java 24, so the permission check only takes effect on a runtime where it is still available.
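The two steps above, as one complete, added example that is not the article's own code: a non-interactive CallbackHandler of the kind a servlet would build from its login form, a Principal with equals() and hashCode() that agree, and a PrivilegedAction run as the authenticated Subject. To make it run stand-alone it also assumes a minimal LoginModule (DemoLoginModule), a constructed demo credential "alice" / "s3cret", and an in-memory Configuration in place of the login configuration file that the article sets up later; none of those are part of the article. Subject.doAs is deprecated since Java 18 in favour of Subject.callAs but still runs.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Step 2: a handler that answers from values it was given up front (a servlet would
// pass in the login form's fields) instead of prompting; the LoginModule never sees where they came from.
final class FormCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;
    FormCallbackHandler(String username, char[] password) {
        this.username = username;
        this.password = password.clone();
    }
    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);   // setPassword copies the array
            } else {
                throw new UnsupportedCallbackException(cb, "unsupported callback");   // refuse, do not ignore
            }
        }
    }
}

// Step 3: a Principal keyed on the user name. Subject stores principals in a Set, so hashCode() must agree with equals().
final class UserPrincipal implements Principal, java.io.Serializable {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof UserPrincipal && name.equals(((UserPrincipal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

// Assumed minimal LoginModule for the demo; a real one consults a directory or database.
public class DemoLoginModule implements LoginModule {
    private static final String DEMO_USER = "alice";                 // constructed demo credential
    private static final char[] DEMO_PASS = "s3cret".toCharArray();  // constructed demo credential
    private Subject subject;
    private CallbackHandler handler;
    private UserPrincipal principal;

    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {nc, pc});   // the handler fills in both callbacks
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot gather credentials: " + e.getMessage());
        }
        char[] pw = pc.getPassword();                  // a copy; clear the callback's own copy now
        pc.clearPassword();
        boolean ok = DEMO_USER.equals(nc.getName()) && pw != null && Arrays.equals(DEMO_PASS, pw);
        if (pw != null) Arrays.fill(pw, '\0');         // do not leave the password in memory
        if (!ok) throw new FailedLoginException("bad user name or password");
        principal = new UserPrincipal(nc.getName());
        return true;
    }

    @Override public boolean commit() { subject.getPrincipals().add(principal); return true; }
    @Override public boolean abort()  { principal = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().remove(principal); return true; }

    public static void main(String[] args) throws LoginException {
        // In-memory Configuration so the demo needs no login configuration file.
        Configuration.setConfiguration(new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {new AppConfigurationEntry(
                        DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Collections.emptyMap())};
            }
        });
        LoginContext lc = new LoginContext("Demo", new FormCallbackHandler("alice", "s3cret".toCharArray()));
        lc.login();                                    // throws LoginException on a wrong password
        Subject subject = lc.getSubject();
        // The action runs as the authenticated Subject; under a policy it also runs with that Subject's permissions.
        String who = Subject.doAs(subject, (PrivilegedAction<String>) () ->
                subject.getPrincipals(UserPrincipal.class).iterator().next().getName());
        System.out.println("authenticated as " + who);
        lc.logout();
    }
}
```

Save it as DemoLoginModule.java and run it with `java DemoLoginModule.java`; it prints "authenticated as alice". Changing the password passed to FormCallbackHandler makes lc.login() throw FailedLoginException, and replacing the handler with an interactive one (for example com.sun.security.auth.callback.TextCallbackHandler) requires no change to the LoginModule, which is the decoupling the page describes.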
Next: 4. Configure the JAAS policy file >>
More By A.P.Rajshekhar