
Existing Login Modules

This section describes the LoginModules provided by 52°North. They are mainly used by the Web Authentication Service (WAS), Web Security Service (WSS), Authentication Service (AuthN), and Gatekeeper, but they can also be deployed in any other application or web service that wants to make use of them. The initialization parameters listed for each module are the key/value pairs conveyed to the LoginModule through its initialize(...) method.

FileLoginModule

Description

Using the org.n52.security.authentication.loginmodule.FileLoginModule class, users and their attributes (name, address, roles) are stored in an XML file that follows the users schema. The login module authenticates a user by comparing the provided credentials with the corresponding entry in this file. Note that passwords are kept in clear text in this file (see the example below), so the file must be protected by file-system permissions and must not be served by the web application.

Initialization Parameters

Parameter | Default | Description
--- | --- | ---
users.file.path | /users.xml | Path to the users file, relative to the application's classpath
users.cache | false | If true, the users file is read once and cached; if false, it is reloaded on every login request, so edits take effect immediately
credential.isBase64Encoded | false | Defines whether the credentials provided by the client application are Base64-encoded and therefore have to be Base64-decoded before comparison. This is the case when the WAS protocol is used, for example.

Example <LoginModule> element of a security-config.xml file

<LoginModule class="org.n52.security.authentication.loginmodule.FileLoginModule" controlFlag="SUFFICIENT">
   <Property name="users.file.path" value="/myusers.xml"/>        
   <Property name="users.cache" value="true"/>        
   <Property name="credential.isBase64Encoded" value="true"/>        
</LoginModule>

Example users file

<?xml version="1.0" encoding="UTF-8"?>
<UserRepository xmlns="http://www.52north.org/users" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.52north.org/users http://52north.org/schema/users/1.0/users.xsd">
  <User  username="alice" password="alice" realname="Alice">
        <Role name="alice"/>
        <Role name="admin"/>
  </User>
  <User  username="bob" password="bob" realname="Bob">
        <Role name="bob"/>
        <Role name="main"/>
  </User>
  <User  username="guest" password="guest" realname="Guest">
        <Role name="guest"/>
  </User>
</UserRepository>
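To see how the three parameters interact, the following is a small Python re-implementation of the behaviour described above. It is an added example, not 52°North's code: the users file is constructed inline (same layout as the example file), users.cache=true is read as "parse once and keep", and a credential that is not valid Base64 is assumed to be rejected rather than passed through.

```python
import base64
import hmac
import os
import tempfile
import xml.etree.ElementTree as ET

# Namespace of the 52°North users file shown on this page.
NS = {"u": "http://www.52north.org/users"}

# Constructed users file (two of the three users from the page's example).
USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<UserRepository xmlns="http://www.52north.org/users">
  <User username="alice" password="alice" realname="Alice">
    <Role name="alice"/>
    <Role name="admin"/>
  </User>
  <User username="guest" password="guest" realname="Guest">
    <Role name="guest"/>
  </User>
</UserRepository>
"""


def load_users(path):
    """Parse the users file into {username: (password, [roles])}."""
    root = ET.parse(path).getroot()
    users = {}
    for user in root.findall("u:User", NS):
        roles = [r.get("name") for r in user.findall("u:Role", NS)]
        users[user.get("username")] = (user.get("password"), roles)
    return users


class FileLogin:
    """Hypothetical re-implementation of the FileLoginModule parameters."""

    def __init__(self, users_file_path, users_cache=False, credential_is_base64=False):
        self.path = users_file_path
        self.cache = users_cache
        self.base64 = credential_is_base64
        # users.cache=true (assumed meaning): parse once, never re-read
        self._users = load_users(self.path) if users_cache else None

    def _users_view(self):
        # users.cache=false: re-read the file on every login request
        return self._users if self.cache else load_users(self.path)

    def login(self, username, credential):
        """Return the user's roles on success, None on failure."""
        if self.base64:
            try:
                credential = base64.b64decode(credential, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                return None  # assumption: malformed Base64 is a failed login
        entry = self._users_view().get(username)
        if entry is None:
            return None
        stored, roles = entry
        # constant-time comparison; the file stores the password in clear text
        if not hmac.compare_digest(stored.encode("utf-8"), credential.encode("utf-8")):
            return None
        return list(roles)


def demo():
    """Run the module against the constructed users file; returns the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "myusers.xml")
        with open(path, "w", encoding="utf-8") as f:
            f.write(USERS_XML)

        lm = FileLogin(path, users_cache=False, credential_is_base64=True)
        results = {
            "alice_ok": lm.login("alice", base64.b64encode(b"alice").decode()),
            "alice_wrong": lm.login("alice", base64.b64encode(b"wrong").decode()),
            "alice_not_b64": lm.login("alice", "alice"),   # raw password, no Base64
            "unknown_user": lm.login("mallory", base64.b64encode(b"x").decode()),
        }

        # users.cache=true keeps the first parse even after the file changes
        cached = FileLogin(path, users_cache=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(USERS_XML.replace('password="guest"', 'password="changed"'))
        results["guest_cached"] = cached.login("guest", "guest")
        results["guest_reloaded"] = FileLogin(path).login("guest", "guest")
        return results
```

With credential.isBase64Encoded=true the raw password "alice" fails because it is not valid Base64, which is the symptom to look for when a WAS client and a non-WAS client are pointed at the same module configuration.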

DatabaseLoginModule

!!! Deprecated !!! This LoginModule will not be supported in future versions. It is quite plain and has major drawbacks: passwords are stored unencrypted in the table, and the Name field is interpreted as the user's role.

The DatabaseLoginModule authenticates subjects against a JDBC database table. The table must be named Users and is queried with a statement of the form

SELECT Name, EMail, Password FROM Users WHERE Username = <login name>

The table must consist of the following fields:

Field | Type | Description
--- | --- | ---
USERNAME | String | The user's unique login name
PASSWORD | String | Unencrypted (clear-text) password
EMail | String | E-mail address of the user; has no meaning in the security system
NAME | String | Intended to be the 'real name' of a user but interpreted as the user's role

Initialization Parameters

Parameter | Default | Description
--- | --- | ---
db.driver.class | None | JDBC driver class used to connect to the database
db.url | None | JDBC connection URL
db.user | None | Database user privileged to access the Users table
db.password | None | Password of that database user
credential.isBase64Encoded | false | Defines whether the credentials provided by the client application are Base64-encoded and therefore have to be Base64-decoded before comparison. This is the case when the WAS protocol is used, for example.

Example <LoginModule> element of a security-config.xml file

<LoginModule class="org.n52.security.authentication.loginmodule.DataBaseLoginModule" controlFlag="SUFFICIENT">
   <Property name="db.driver.class" value="sun.jdbc.odbc.JdbcOdbcDriver"/>        
   <Property name="db.url" value="jdbc:odbc:userDB"/>        
   <Property name="db.user" value="authnService"/>        
   <Property name="db.password" value="pzv3498n"/>        
   <Property name="credential.isBase64Encoded" value="true"/>        
</LoginModule>
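The following added example (not 52°North's code) builds the Users table described above in an in-memory SQLite database with constructed rows and performs the lookup query with a bound parameter. It shows the role coming back from the Name column and why the login name must be bound rather than concatenated into the statement.

```python
import hmac
import sqlite3

# The query the text describes, with the login name as a bound parameter.
LOOKUP = "SELECT Name, EMail, Password FROM Users WHERE Username = ?"


def create_user_table(conn):
    """Create the Users table with the four fields listed above (constructed rows)."""
    conn.execute(
        "CREATE TABLE Users (Username TEXT PRIMARY KEY, Password TEXT, EMail TEXT, Name TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?, ?)",
        [
            ("alice", "alice", "alice@example.org", "admin"),  # Name is used as the role
            ("bob", "bob", "bob@example.org", "main"),
        ],
    )
    conn.commit()


def db_login(conn, username, password):
    """Return the role (the Name column) on success, None otherwise."""
    row = conn.execute(LOOKUP, (username,)).fetchone()
    if row is None:
        return None
    name, _email, stored = row
    # the table holds the clear-text password, one of the module's drawbacks
    if not hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")):
        return None
    return name


def demo():
    """Exercise the lookup against the constructed table."""
    conn = sqlite3.connect(":memory:")
    create_user_table(conn)
    return {
        "alice": db_login(conn, "alice", "alice"),
        "bob_wrong_pw": db_login(conn, "bob", "not-bob"),
        # a classic injection string finds no row because the value is bound
        "injection": db_login(conn, "alice' OR '1'='1", "anything"),
    }
```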

SAML Ticket / WAS Login Module

Authenticates users by verifying a delivered Base64-encoded SAML Response XML element. The module references a WAS instance by its URL; the WAS URL, name, and accepted authentication methods are published, for example, in the WSS capabilities document. The login module needs access to a Java keystore file holding the certificate used to validate the signature of the SAML Response.

Initialization Parameters

Parameter | Default | Description
--- | --- | ---
validationKeyPair | None | Key pair instance (referenced via idRef, see the example below) that contains the certificate used to validate the signature of the SAML ticket.
noValidation | false | Set to true to skip validating the ticket against the certificate. With validation disabled any well-formed SAML Response is accepted, so this must stay false outside of test setups.
SAMLRoleAttributeName | None | Name of the SAML attribute in the assertion's attribute statement that contains the user roles.

Example <LoginModule> element of a security-config.xml file

<LoginModule class="org.n52.security.authentication.loginmodule.SAMLTicketLoginModule" controlFlag="SUFFICIENT">
   <!-- Reference to PrivatePublicKeyPair defined above -->
   <Property name="validationKeyPair" idRef="defaultKeyPair"/>
   <Property name="noValidation" value="false"/>
   <Property name="SAMLRoleAttributeName" value="urn:n52:authentication:subject:principal:role"/>
</LoginModule>

SingleUserLoginModule

Authenticates a user by comparing the presented username and password with a single fixed pair defined in the configuration.

Intended for testing purposes only!

Initialization Parameters

Parameter | Default | Description
--- | --- | ---
allowedUsername | "" | The username accepted by this login module.
allowedPassword | "" | The password that must be presented together with the username above to authenticate successfully.
pwdEncAlg | plain | How allowedPassword is stored: plain (clear text), or the md5 or sha hash of the password.
userRoles | "" | List of roles assigned to the defined user; roles are separated by the '|' (U+007C) symbol.

Example <LoginModule> element of a security-config.xml file

<LoginModule class="org.n52.security.authentication.loginmodule.SingleUserLoginModule" controlFlag="SUFFICIENT">
   <Property name="allowedUsername" value="test"/>
   <Property name="allowedPassword" value="testpw"/>
   <Property name="pwdEncAlg" value="plain"/>
   <Property name="userRoles" value="Alice|admin"/>
</LoginModule>
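The following added Python example (not 52°North's code) mirrors the four parameters above: it produces the allowedPassword value for each pwdEncAlg, compares a presented password against it, and splits userRoles on '|'. Two assumptions are made: hashes are stored as lowercase hex digests, and "sha" means SHA-1, as the Java MessageDigest name "SHA" does.

```python
import hashlib
import hmac


def encode_password(password, pwd_enc_alg="plain"):
    """Return the allowedPassword value for the given pwdEncAlg.

    Assumption: md5/sha values are lowercase hex digests; "sha" is SHA-1.
    """
    if pwd_enc_alg == "plain":
        return password
    if pwd_enc_alg == "md5":
        return hashlib.md5(password.encode("utf-8")).hexdigest()
    if pwd_enc_alg == "sha":
        return hashlib.sha1(password.encode("utf-8")).hexdigest()
    raise ValueError("unknown pwdEncAlg: " + pwd_enc_alg)


def single_user_login(props, username, password):
    """Emulate SingleUserLoginModule: roles on success, None on failure."""
    if username != props.get("allowedUsername", ""):
        return None
    expected = props.get("allowedPassword", "")
    candidate = encode_password(password, props.get("pwdEncAlg", "plain"))
    if not hmac.compare_digest(expected.encode("utf-8"), candidate.encode("utf-8")):
        return None
    # userRoles is a '|'-separated list; ignore empty entries from a trailing '|'
    return [r for r in props.get("userRoles", "").split("|") if r]


def demo():
    """Constructed configurations: the page's plain example and an md5 variant."""
    plain_props = {
        "allowedUsername": "test",
        "allowedPassword": "testpw",
        "pwdEncAlg": "plain",
        "userRoles": "Alice|admin",
    }
    md5_props = dict(plain_props, pwdEncAlg="md5",
                     allowedPassword=encode_password("testpw", "md5"))
    return {
        "plain_ok": single_user_login(plain_props, "test", "testpw"),
        "plain_wrong": single_user_login(plain_props, "test", "TESTPW"),
        "wrong_user": single_user_login(plain_props, "other", "testpw"),
        "md5_ok": single_user_login(md5_props, "test", "testpw"),
        # presenting the stored hash as the password must not work
        "md5_hash_as_pw": single_user_login(md5_props, "test", md5_props["allowedPassword"]),
    }
```

Storing the md5 or sha digest only keeps the clear-text password out of security-config.xml; an unsalted digest of a short test password offers no real protection, which is one more reason to keep this module to test deployments.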