Existing Login Modules
This section describes the available LoginModules provided by 52North. They are mainly used by the Web Authentication Service (WAS), Web Security Service (WSS), Authentication Service (AuthN), and Gatekeeper. Of course, they can also be deployed in any other application or web service that wants to make use of them. The specified initialization parameters describe key/value pairs conveyed to a LoginModule through its initialize(...) method.
FileLoginModule
Description
Using the org.n52.security.authentication.loginmodule.FileLoginModule class, users and their attributes like name and address are stored in an XML file (schema). The login module authenticates users by checking the provided credentials against the corresponding information specified in this file.
Initialization Parameters
| Parameter | Default | Description |
|---|---|---|
| users.file.path | /users.xml | Path relative to the application's classpath |
| users.cache | false | Specifies whether the user file will be reloaded on every login request |
| credential.isBase64Encoded | false | Defines if the credentials that are provided by the client application are Base64-encoded and thus have to be Base64-decoded. This is the case if the WAS protocol is used, for example. |
Example <AuthenticationMethod> Element
<auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.FileLoginModule" id="DefaultFileModule">
  <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:password</auth:URI>
  <auth:ParameterList>
    <auth:Parameter name="users.file.path">file:///c:/users.xml</auth:Parameter>
    <auth:Parameter name="users.cache">false</auth:Parameter>
    <auth:Parameter name="credential.isBase64Encoded">true</auth:Parameter>
  </auth:ParameterList>
</auth:AuthenticationMethod>
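The following JAAS module is an added illustration of how the three parameters above reach a LoginModule and how they are used; it is not the 52North FileLoginModule and not its users.xml schema. It assumes a users file of the form `<users><user name=".." password=".."/></users>`, reads `users.cache` as "true = keep the parsed file in memory", and treats any path that does not start with `file:` as classpath-relative. The class name ExampleFileLoginModule is made up for this example.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Illustrative JAAS module built from the parameter table above; not the 52North class, and the users.xml layout is assumed. */
public class ExampleFileLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String usersFilePath = "/users.xml";   // users.file.path, default from the table
    private boolean cacheUsers = false;            // users.cache, read here as "true = keep the parsed file in memory"
    private boolean base64Credentials = false;     // credential.isBase64Encoded
    private Map<String, String> cachedUsers;       // user name -> password, only filled when cacheUsers is true
    private String loggedInUser;
    private Principal principal;

    /** The <auth:Parameter> key/value pairs reach the module as the options map of initialize(...). */
    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        Object path = options.get("users.file.path");
        if (path != null) usersFilePath = path.toString();
        cacheUsers = Boolean.parseBoolean(String.valueOf(options.get("users.cache")));
        base64Credentials = Boolean.parseBoolean(String.valueOf(options.get("credential.isBase64Encoded")));
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user");
        PasswordCallback pwCb = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { nameCb, pwCb }); }
        catch (Exception e) { throw new LoginException("credentials not available: " + e.getMessage()); }
        char[] pw = pwCb.getPassword();
        String name = decode(nameCb.getName());
        String password = decode(pw == null ? "" : new String(pw));
        pwCb.clearPassword();
        String expected = loadUsers().get(name);
        // Constant-time comparison, so an unknown user and a wrong password are rejected in the same time.
        boolean ok = expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8));
        if (!ok) throw new FailedLoginException("authentication failed");
        loggedInUser = name;
        return true;
    }

    /** WAS clients deliver Base64-encoded credentials; malformed Base64 is a failed login, not a server error. */
    private String decode(String value) throws LoginException {
        if (value == null || !base64Credentials) return value == null ? "" : value;
        try { return new String(Base64.getDecoder().decode(value), StandardCharsets.UTF_8); }
        catch (IllegalArgumentException e) { throw new FailedLoginException("credential is not valid Base64"); }
    }

    private Map<String, String> loadUsers() throws LoginException {
        if (cacheUsers && cachedUsers != null) return cachedUsers;
        Map<String, String> users = new HashMap<>();
        // A file: URL (as in the example element) is opened directly; anything else is resolved on the classpath.
        try (InputStream in = usersFilePath.startsWith("file:")
                ? new URL(usersFilePath).openStream() : getClass().getResourceAsStream(usersFilePath)) {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, so no XXE
            Document doc = dbf.newDocumentBuilder().parse(in);
            NodeList nodes = doc.getElementsByTagName("user"); // assumed layout: <users><user name=".." password=".."/></users>
            for (int i = 0; i < nodes.getLength(); i++) {
                Element u = (Element) nodes.item(i);
                users.put(u.getAttribute("name"), u.getAttribute("password"));
            }
        } catch (Exception e) {
            throw new LoginException("cannot read users file " + usersFilePath + ": " + e.getMessage());
        }
        if (cacheUsers) cachedUsers = users;
        return users;
    }

    @Override public boolean commit() {
        if (loggedInUser == null) return false;
        final String name = loggedInUser; principal = () -> name; // Principal's single abstract method is getName()
        subject.getPrincipals().add(principal);
        return true;
    }
    @Override public boolean abort() { loggedInUser = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().remove(principal); principal = null; loggedInUser = null; return true; }
}
```

Two points worth noting: the Base64 flag is applied to both user name and password before lookup, so a client that sends plain credentials to a module configured with `credential.isBase64Encoded=true` fails cleanly instead of matching by accident, and the password check uses a constant-time comparison rather than `String.equals`.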
DatabaseLoginModule
!!! Deprecated !!! This LoginModule will not be supported in future versions. It is quite plain and has some major drawbacks.
The DatabaseLoginModule authenticates subjects by means of a JDBC database table. The table must be named Users and must consist of the following fields:
Name, EMail, Password FROM Users WHERE Username
| Field | Type | Description |
|---|---|---|
| USERNAME | String | The unique user's login name |
| PASSWORD | String | Unencrypted password |
| EMAIL | String | E-mail address of the user; has no meaning in the security system |
| NAME | String | Intended to be the 'real name' of a user but interpreted as 'role' |
Initialization Parameters
| Parameter | Default | Description |
|---|---|---|
| db.driver.class | /users.xml | JDBC driver class to be used to connect to the database |
| db.url | false | JDBC connection URL |
| db.user | false | Database user who is privileged to access the database |
| db.password | false | Database user's password |
| credential.isBase64Encoded | false | Defines if the credentials that are provided by the client application are Base64-encoded and thus have to be Base64-decoded. This is the case if the WAS protocol is used, for example. |
Example <AuthenticationMethod> element
<auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.DataBaseLoginModule" id="DefaultDatabaseModule">
  <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:password</auth:URI>
  <auth:ParameterList>
    <auth:Parameter name="db.driver.class">sun.jdbc.odbc.JdbcOdbcDriver</auth:Parameter>
    <auth:Parameter name="db.url">jdbc:odbc:userDB</auth:Parameter>
    <auth:Parameter name="db.user">authnService</auth:Parameter>
    <auth:Parameter name="db.password">pzv3498n</auth:Parameter>
    <auth:Parameter name="credential.isBase64Encoded">true</auth:Parameter>
  </auth:ParameterList>
</auth:AuthenticationMethod>
SAML Ticket / WAS Login Module
Authenticates users by verifying a delivered Base64-encoded SAML Response XML element. The module references a WAS instance (by its URL). The WAS URL, name, and accepted authentication methods are, for example, published in the WSS capabilities document. This login module must have access to a Java Keystore file where the certificate to validate the signed SAML Response is stored.
Initialization Parameters
| Parameter | Default | Description |
|---|---|---|
| was.url | None | URL of the WAS |
| was.name | None | Name of the WAS that allows humans to assign it to a certain service provider |
| was.version | 1.1 | Version of WAS protocol to be used |
| was.methods | None | Authentication method required to be applied by WAS. SAML tickets created by means of other methods will be rejected (not implemented, yet) |
| was.cert.keystore.path | [classpath]/conf/pes/.keystore | In contrast to the default value, this is a URL pointing to the keystore file, e.g. file:///etc/.keystore |
| was.cert.keystore.password | 52nwas | Password, if required, to access the specified keystore |
| was.cert.alias | was | Alias of the certificate under which it can be found in the specified keystore |
Example <AuthenticationMethod> element
<auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.SAMLTicketLoginModule" id="WASModule">
  <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:wauthns</auth:URI>
  <auth:ParameterList>
    <auth:Parameter name="was.url">https://localhost:8443/was/WAS</auth:Parameter>
    <auth:Parameter name="was.name">Local WAS</auth:Parameter>
    <auth:Parameter name="was.version">1.1</auth:Parameter>
    <auth:Parameter name="was.methods">urn:opengeospatial:authNMethod:OWS:1.0:password</auth:Parameter>
    <auth:Parameter name="was.cert.keystore.path">file:///Tomcat/conf/.keystore</auth:Parameter>
    <auth:Parameter name="was.cert.keystore.password">changeit</auth:Parameter>
    <auth:Parameter name="was.cert.alias">tomcat</auth:Parameter>
  </auth:ParameterList>
</auth:AuthenticationMethod>
```
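The core of the module above is the check that the Base64-encoded SAML Response carries an XML signature that verifies under the certificate stored at `was.cert.keystore.path` under `was.cert.alias`. The class below is an added example of that check using the JDK's XMLDSig API; it is not the 52North SAMLTicketLoginModule. It assumes the Response is the document root with an enveloped signature as a direct child, that its identifier attribute is `ID` (SAML 2.0) or `ResponseID` (SAML 1.x), and it does not enforce `was.methods`, which the table marks as not yet implemented. The name SamlTicketVerifier is made up for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Base64;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/** Verifies a Base64-encoded, signed SAML Response against the WAS certificate held in a keystore (example, not 52North code). */
public final class SamlTicketVerifier {
    private final PublicKey wasKey;

    /** The three arguments correspond to was.cert.keystore.path (a URL), was.cert.keystore.password and was.cert.alias. */
    public SamlTicketVerifier(String keystoreUrl, String keystorePassword, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new URL(keystoreUrl).openStream()) {
            ks.load(in, keystorePassword == null ? null : keystorePassword.toCharArray());
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) throw new IllegalArgumentException("no certificate under alias " + alias);
        wasKey = cert.getPublicKey();
    }

    /** Returns the Response element once its signature verifies; throws for unsigned, altered or foreign-signed tickets. */
    public Element verify(String base64Ticket) throws Exception {
        byte[] xml = Base64.getDecoder().decode(base64Ticket);
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XMLDSig processing needs a namespace-aware DOM
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, so no XXE
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        Element response = doc.getDocumentElement();

        // Only a <ds:Signature> that is a direct child of the Response counts; a signature nested deeper
        // would not cover the element that is about to be trusted (the usual signature-wrapping check).
        Element signature = null;
        for (Node n = response.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && XMLSignature.XMLNS.equals(n.getNamespaceURI())
                    && "Signature".equals(n.getLocalName())) {
                signature = (Element) n;
                break;
            }
        }
        if (signature == null) throw new SecurityException("SAML Response is not signed");

        // Validate with the keystore key only; any <ds:KeyInfo> carried inside the ticket is ignored.
        DOMValidateContext ctx = new DOMValidateContext(wasKey, signature);
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        // Tell the DOM which attribute is the ID so a "#id" reference resolves (assumed: SAML 2.0 ID, SAML 1.x ResponseID).
        for (String attr : new String[] { "ID", "ResponseID" }) {
            if (response.hasAttribute(attr)) ctx.setIdAttributeNS(response, null, attr);
        }
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) throw new SecurityException("SAML Response signature does not verify");

        // Every signed reference must point at the Response itself ("" or "#<its id>"), not at some other element.
        String id = response.hasAttribute("ID") ? response.getAttribute("ID") : response.getAttribute("ResponseID");
        for (Object r : sig.getSignedInfo().getReferences()) {
            String uri = ((Reference) r).getURI();
            if (!"".equals(uri) && !("#" + id).equals(uri)) {
                throw new SecurityException("signature covers " + uri + ", not the Response");
            }
        }
        return response;
    }
}
```

With the example element above this would be constructed as `new SamlTicketVerifier("file:///Tomcat/conf/.keystore", "changeit", "tomcat")`. The verifier deliberately takes the public key from the keystore rather than from the ticket's own KeyInfo, and it rejects a ticket whose signature references anything other than the Response element; both are checks a login module of this kind needs in addition to the raw signature validation.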
Session Login Module
With the SessionLoginModule it is possible to log in by providing a valid session ID. The session ID is usually issued by the instance that also uses this login module to validate the ID.
Initialization Parameters
| Parameter | Default | Description |
|---|---|---|
| session.timeout | None | Number of seconds a session ID is valid. Login attempts after the expiration of a session will fail. |
Example <AuthenticationMethod> element
<auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.SessionLoginModule" id="SessionModule">
  <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:session</auth:URI>
  <auth:ParameterList>
    <auth:Parameter name="session.timeout">6000</auth:Parameter>
  </auth:ParameterList>
</auth:AuthenticationMethod>