
Existing Login Modules

This section describes the available LoginModules provided by 52°North. They are mainly used by the Web Authentication Service (WAS), Web Security Service (WSS), Authentication Service (AuthN), and Gatekeeper. Of course, they can also be deployed in any other application or web service that wants to make use of them. The initialization parameters listed for each module are the key/value pairs conveyed to a LoginModule through its initialize(...) method.

FileLoginModule

Description

Using the org.n52.security.authentication.loginmodule.FileLoginModule class, users and their attributes like name and address are stored in an XML file (schema). The login module authenticates users by checking the provided credentials against the corresponding information specified in this file.

Initialization Parameters

Parameter                  | Default    | Description
users.file.path            | /users.xml | Path relative to the application's classpath
users.cache                | false      | Specifies whether the user file will be reloaded on every login request
credential.isBase64Encoded | false      | Defines whether the credentials provided by the client application are Base64-encoded and thus have to be Base64-decoded. This is the case if the WAS protocol is used, for example.

Example <AuthenticationMethod> Element

<auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.FileLoginModule" id="DefaultFileModule">
   <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:password</auth:URI>
   <auth:ParameterList>
      <auth:Parameter name="users.file.path">file:///c:/users.xml</auth:Parameter>
      <auth:Parameter name="users.cache">false</auth:Parameter>
      <auth:Parameter name="credential.isBase64Encoded">true</auth:Parameter>
   </auth:ParameterList>
</auth:AuthenticationMethod>
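To make the three parameters concrete, here is an added example of a file-backed authenticator written for this page; it is not the 52°North FileLoginModule and does not use its XML schema. It assumes a users file of the form <users><user name="alice" password="s3cret"/></users> (an assumption, since the page only links the schema), accepts users.file.path either as a URL such as file:///c:/users.xml or as a classpath path such as /users.xml, reloads the file on every login unless users.cache is true, and Base64-decodes the presented credential when credential.isBase64Encoded is true.

```java
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added example, not the 52°North FileLoginModule. It consumes the three
 * initialization parameters from the table above and authenticates against an
 * ASSUMED users file layout: <users><user name="alice" password="s3cret"/></users>
 */
public class FileUserStore {
    private String usersFilePath = "/users.xml";   // users.file.path default
    private boolean cache = false;                 // users.cache default
    private boolean base64Credentials = false;     // credential.isBase64Encoded default
    private Map<String, String> cachedUsers;       // login name -> stored password

    /** Mirrors the key/value pairs handed to a LoginModule in initialize(...). */
    public void initialize(Map<String, String> options) {
        usersFilePath = options.getOrDefault("users.file.path", usersFilePath);
        cache = Boolean.parseBoolean(options.getOrDefault("users.cache", "false"));
        base64Credentials = Boolean.parseBoolean(
                options.getOrDefault("credential.isBase64Encoded", "false"));
    }

    /** Returns true only if the user exists and the presented credential matches. */
    public boolean authenticate(String username, String credential) throws Exception {
        if (username == null || credential == null) {
            return false;
        }
        byte[] presented;
        if (base64Credentials) {
            // WAS clients send the credential Base64-encoded; malformed input is a
            // failed login, not a server error.
            try {
                presented = Base64.getDecoder().decode(credential);
            } catch (IllegalArgumentException badBase64) {
                return false;
            }
        } else {
            presented = credential.getBytes(StandardCharsets.UTF_8);
        }
        // users.cache=false: re-read the file on every login so edits take effect at once.
        Map<String, String> users = (cache && cachedUsers != null) ? cachedUsers : loadUsers();
        if (cache) {
            cachedUsers = users;
        }
        String stored = users.get(username);
        if (stored == null) {
            return false;
        }
        // Constant-time comparison: response time must not reveal how many bytes matched.
        return MessageDigest.isEqual(presented, stored.getBytes(StandardCharsets.UTF_8));
    }

    /** users.file.path may be a URL (file:///c:/users.xml) or a classpath path (/users.xml). */
    private InputStream openUsersFile() throws Exception {
        if (usersFilePath.contains("://")) {
            return new URL(usersFilePath).openStream();
        }
        InputStream in = FileUserStore.class.getResourceAsStream(usersFilePath);
        if (in == null) {
            throw new FileNotFoundException("users file not on classpath: " + usersFilePath);
        }
        return in;
    }

    /** Parses the assumed <users>/<user> layout with DTD processing disabled (no XXE). */
    private Map<String, String> loadUsers() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Map<String, String> users = new HashMap<>();
        try (InputStream in = openUsersFile()) {
            Document doc = dbf.newDocumentBuilder().parse(in);
            NodeList nodes = doc.getElementsByTagName("user");
            for (int i = 0; i < nodes.getLength(); i++) {
                Element u = (Element) nodes.item(i);
                users.put(u.getAttribute("name"), u.getAttribute("password"));
            }
        }
        return users;
    }
}
```

The example compares the stored value byte for byte because the page does not say how the real users file stores credentials; a deployment that controls the file format should store a salted hash and compare hashes instead. Disabling DOCTYPE processing matters here because the users file path is configuration, and an attacker who can write that file should not also gain XML external entity access to the host.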

DatabaseLoginModule

!!! Deprecated !!! This LoginModule will not be supported in future versions. It is quite plain and has some major drawbacks.

The DatabaseLoginModule authenticates subjects by means of a JDBC database table. The table must be named Users and must contain the following fields, which the module reads with a query of the form:

Name, EMail, Password FROM Users WHERE Username

Field    | Type   | Description
USERNAME | String | The user's unique login name
PASSWORD | String | Password, stored unencrypted
EMail    | String | E-mail address of the user; has no meaning in the security system
NAME     | String | Intended to be the 'real name' of a user but interpreted as 'role'

Initialization Parameters

Parameter                  | Default    | Description
db.driver.class            | /users.xml | JDBC driver class to be used to connect to the database
db.url                     | false      | JDBC connection URL
db.user                    | false      | Database user who is privileged to access the database
db.password                | false      | Database user's password
credential.isBase64Encoded | false      | Defines whether the credentials provided by the client application are Base64-encoded and thus have to be Base64-decoded. This is the case if the WAS protocol is used, for example.

Example <AuthenticationMethod> element

<auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.DataBaseLoginModule" id="DefaultDatabaseModule">
   <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:password</auth:URI>
   <auth:ParameterList>
      <auth:Parameter name="db.driver.class">sun.jdbc.odbc.JdbcOdbcDriver</auth:Parameter>
      <auth:Parameter name="db.url">jdbc:odbc:userDB</auth:Parameter>
      <auth:Parameter name="db.user">authnService</auth:Parameter>
      <auth:Parameter name="db.password">pzv3498n</auth:Parameter>
      <auth:Parameter name="credential.isBase64Encoded">true</auth:Parameter>
   </auth:ParameterList>
</auth:AuthenticationMethod>

SAML Ticket / WAS Login Module

Authenticates users by verifying a delivered Base64-encoded SAML Response XML element. The module references a WAS instance (by its URL). The WAS URL, name, and accepted authentication methods are, for example, published in the WSS capabilities document. This login module must have access to a Java Keystore file where the certificate used to validate the signed SAML Response is stored.

Initialization Parameters

Parameter                  | Default                        | Description
was.url                    | None                           | URL of the WAS
was.name                   | None                           | Name of the WAS that allows humans to assign it to a certain service provider
was.version                | 1.1                            | Version of the WAS protocol to be used
was.methods                | None                           | Authentication method required to be applied by the WAS. SAML tickets created by means of other methods will be rejected (not implemented yet)
was.cert.keystore.path     | [classpath]/conf/pes/.keystore | In contrast to the default value, this is a URL pointing to the keystore file, e.g. file:///etc/.keystore
was.cert.keystore.password | 52nwas                         | Password, if required, to access the specified keystore
was.cert.alias             | was                            | Alias under which the certificate can be found in the specified keystore

Example <AuthenticationMethod> element

<auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.SAMLTicketLoginModule" id="WASModule">
   <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:wauthns</auth:URI>
   <auth:ParameterList>
      <auth:Parameter name="was.url">https://localhost:8443/was/WAS</auth:Parameter>
      <auth:Parameter name="was.name">Local WAS</auth:Parameter>
      <auth:Parameter name="was.version">1.1</auth:Parameter>
      <auth:Parameter name="was.methods">urn:opengeospatial:authNMethod:OWS:1.0:password</auth:Parameter>
      <auth:Parameter name="was.cert.keystore.path">file:///Tomcat/conf/.keystore</auth:Parameter>
      <auth:Parameter name="was.cert.keystore.password">changeit</auth:Parameter>
      <auth:Parameter name="was.cert.alias">tomcat</auth:Parameter>
   </auth:ParameterList>
</auth:AuthenticationMethod>
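The verification step described above, as an added example written for this page rather than the 52°North SAMLTicketLoginModule: the WAS certificate is loaded from the keystore named by was.cert.keystore.path (a URL), was.cert.keystore.password and was.cert.alias, and a Base64-encoded SAML Response is accepted only if its enveloped XML signature verifies against that certificate's key and covers the Response element itself. The class name, the handling of both SAML 1.x (ResponseID) and SAML 2.0 (ID) attributes, and the choice to ignore any key material carried inside the ticket are this example's own assumptions; the page does not describe the module's internals.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/**
 * Added example, not the 52°North SAMLTicketLoginModule. Loads the WAS certificate
 * from the keystore named by was.cert.keystore.path / .password / .alias and checks
 * a Base64-encoded SAML Response against that certificate only.
 */
public class SamlTicketVerifier {
    private final X509Certificate wasCertificate;

    public SamlTicketVerifier(Map<String, String> options) throws Exception {
        String path = options.get("was.cert.keystore.path");        // a URL, e.g. file:///etc/.keystore
        if (path == null) {
            throw new IllegalArgumentException("was.cert.keystore.path is required");
        }
        String password = options.getOrDefault("was.cert.keystore.password", "");
        String alias = options.getOrDefault("was.cert.alias", "was"); // table default
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new URL(path).openStream()) {
            ks.load(in, password.toCharArray());
        }
        wasCertificate = (X509Certificate) ks.getCertificate(alias);
        if (wasCertificate == null) {
            throw new IllegalStateException("no certificate under alias " + alias);
        }
        wasCertificate.checkValidity(); // fail early on an expired or not-yet-valid trust anchor
    }

    /** True only if the Response carries one enveloped signature over itself that verifies. */
    public boolean verify(String base64SamlResponse) throws Exception {
        byte[] xml;
        try {
            xml = Base64.getDecoder().decode(base64SamlResponse);
        } catch (IllegalArgumentException badBase64) {
            return false;
        }
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no XXE
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        Element root = doc.getDocumentElement();

        // Only a ds:Signature that is a direct child of the Response is the ticket's signature;
        // signatures nested anywhere else are not trusted as such.
        Element sigEl = null;
        for (Node n = root.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n instanceof Element && XMLSignature.XMLNS.equals(n.getNamespaceURI())
                    && "Signature".equals(n.getLocalName())) {
                sigEl = (Element) n;
                break;
            }
        }
        if (sigEl == null) {
            return false; // unsigned ticket
        }

        // Verify with the keystore key and ignore any <ds:KeyInfo> the ticket itself carries.
        DOMValidateContext ctx = new DOMValidateContext(wasCertificate.getPublicKey(), sigEl);
        // SAML ID attributes are not xml:id, so register the root's ID for URI="#..." lookup.
        String idAttr = root.hasAttribute("ID") ? "ID" : "ResponseID"; // SAML 2.0 vs SAML 1.x
        if (root.hasAttribute(idAttr)) {
            ctx.setIdAttributeNS(root, null, idAttr);
        }
        XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        try {
            if (!signature.validate(ctx)) {
                return false; // digest or signature value mismatch
            }
        } catch (XMLSignatureException unresolvable) {
            return false;     // e.g. Reference pointing at an element we did not register
        }
        // The signature must cover the Response element itself (URI="" or "#<root id>");
        // a valid signature over some other node must not authenticate the Response.
        String rootRef = "#" + root.getAttribute(idAttr);
        for (Object ref : signature.getSignedInfo().getReferences()) {
            String uri = ((Reference) ref).getURI();
            if (uri != null && (uri.isEmpty() || uri.equals(rootRef))) {
                return true;
            }
        }
        return false;
    }
}
```

Two choices deserve a word. Taking the public key from the configured keystore rather than from the ticket's own <ds:KeyInfo> is what makes the was.cert.* parameters meaningful: a ticket that carries a key it also signed with proves nothing. Checking that the Reference URI points at the Response element closes the gap between "some signature in this document verifies" and "this Response is signed", which is the property the login module actually needs.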

Session Login Module

With the SessionLoginModule it is possible to log in by providing a valid session ID. The session ID is usually issued by the same instance that uses this login module to validate the ID.

Initialization Parameters

Parameter       | Default | Description
session.timeout | None    | Number of seconds a session ID is valid. Login attempts after the expiration of a session will fail.

Example <AuthenticationMethod> element

<auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.SessionLoginModule" id="SessionModule">
   <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:session</auth:URI>
   <auth:ParameterList>
      <auth:Parameter name="session.timeout">6000</auth:Parameter>
   </auth:ParameterList>
</auth:AuthenticationMethod>
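As an added example of the issue-then-validate cycle described above (written for this page, not the 52°North SessionLoginModule), the following class issues random session IDs and later accepts them only while they are younger than session.timeout seconds. The class name, the use of a pluggable time source so expiry can be exercised without waiting, and the 6000-second value taken from the configuration above are this example's assumptions.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;

/**
 * Added example, not the 52°North SessionLoginModule. The issuing instance creates
 * session IDs and later validates them against session.timeout (seconds).
 */
public class SessionStore {
    private static final class Session {
        final String username;
        final Instant issuedAt;
        Session(String username, Instant issuedAt) {
            this.username = username;
            this.issuedAt = issuedAt;
        }
    }

    private final Duration timeout;
    private final Supplier<Instant> now; // time source; injectable for deterministic tests
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    public SessionStore(Map<String, String> options, Supplier<Instant> now) {
        String seconds = options.get("session.timeout"); // table default None: required
        if (seconds == null) {
            throw new IllegalArgumentException("session.timeout is required");
        }
        this.timeout = Duration.ofSeconds(Long.parseLong(seconds));
        this.now = now;
    }

    /** Issues a 256-bit random, URL-safe session ID bound to an already authenticated user. */
    public String issue(String username) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, new Session(username, now.get()));
        return id;
    }

    /** Login by session ID: returns the user name, or null for unknown or expired IDs. */
    public String login(String sessionId) {
        if (sessionId == null) {
            return null;
        }
        Session s = sessions.get(sessionId);
        if (s == null) {
            return null;
        }
        // Validity is absolute from issue time, as "number of seconds a session ID is valid" says.
        if (Duration.between(s.issuedAt, now.get()).compareTo(timeout) >= 0) {
            sessions.remove(sessionId); // expired: drop it so it cannot be retried
            return null;
        }
        return s.username;
    }

    /** Explicit logout invalidates the ID immediately, ahead of the timeout. */
    public void invalidate(String sessionId) {
        sessions.remove(sessionId);
    }

    public static void main(String[] args) {
        // Constructed demo: a controllable clock and the 6000-second timeout from the example.
        AtomicReference<Instant> clock = new AtomicReference<>(Instant.parse("2024-01-01T00:00:00Z"));
        SessionStore store = new SessionStore(Map.of("session.timeout", "6000"), clock::get);
        String id = store.issue("alice");
        System.out.println(store.login(id));            // alice
        clock.set(clock.get().plusSeconds(5999));
        System.out.println(store.login(id));            // alice: still inside the window
        clock.set(clock.get().plusSeconds(1));
        System.out.println(store.login(id));            // null: expired exactly at the timeout
        System.out.println(store.login("not-issued"));  // null: unknown ID
    }
}
```

The ID is generated with SecureRandom and is 256 bits long because, for this module, the session ID is the credential: anyone who can guess or obtain it logs in as that user. Expired entries are removed on the failed attempt so that the store does not grow without bound and a stale ID cannot linger as a target.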