Sonic Management API

com.sonicsw.security.pass.client
Interface ILogin


public interface ILogin

An implementation of Login SPI can be used to authenticate JMS client applications with one or many external security domains. The required interfaces for implementation of Login SPI are located under package com.sonicsw.security.pass.client.

To take advantage of this functionality, users must implement the following two interfaces:

com.sonicsw.security.pass.client.ILogin

com.sonicsw.security.pass.client.IPasswordUser

Progress Software Corporation provides these interfaces so that users can plug in a "custom" Login Module by implementing them. This login module can also be used to plug in JAAS-based authentication functionality.

Before a JMS connection is created, the user can be authenticated with an external authentication service, by a proprietary or JAAS Login Module implementation.

How are the SPI implementations used by the Sonic runtime?

The Login SPI is used internally by the SonicMQ JMS client runtime. When a JMS connection is requested via a Topic or Queue Connection Factory, the Login SPI class is loaded into the application's JVM.

A new instance of the class is created. On the created instance, the SonicMQ runtime calls the getLoginSPI() method. This method returns an ILogin instance. This object is used for the rest of the authentication process.

Upon successful instantiation of the class, the SonicMQ runtime passes the user name and the password to the underlying SPI implementation using the following methods: setUserName(String username) and setPassword(String password).

Then, the SonicMQ runtime calls the login() method on the underlying SPI implementation. If the login() method returns without an exception, the login to the external security store or schema is assumed validated and the user is considered authenticated.

Upon successful return from the login() method, the SonicMQ runtime calls getCredential() method to retrieve the user name and the transformed password via an implementation of IPasswordUser.

The user name, password and the transformed password are used to further establish a JMS connection.

The transformed password is used when the SonicMQ Broker is configured with an external Authentication Domain. This is a Delegation Mode of the authentication process, in which the transformed password is transmitted across the wire to the SonicMQ broker. The broker authenticates the connecting client using the transformed password via a configured Authentication SPI.

Usage scenario:

Assume a user "testUser" with the password "testPassword". Assume also that the Login SPI is used and that the getCredential() method returned an instance of IPasswordUser with the user name "testUser" and the password as a byte[]. Note that the client is unaware of whether the broker is configured with an external Authentication Domain. When the connection is being established, if the broker finds that there is an internal user "testUser", then it uses the password "testPassword" to authenticate the user (regular challenge and response). If the user "testUser" is not present in its security cache, then the user is considered an external user and the broker requests the byte[] password from the client application. Once the client transmits the byte[] password and the broker receives it, the broker calls the Authentication SPI's authenticate method.

Login SPI and JAAS authentication

Theoretically, users can use the strength of JAAS to write their own Authentication and/or Authorization application. They can use it before creating a JMS connection through the SonicMQ JMS client. A proper use would be: if a user is authenticated and/or authorized, then the user can create a JMS connection. This design, however, does not require any support from Progress Software Corporation.

However, if the user implements the ILogin interface provided by Progress Software in their "Authentication and/or Authorization application", the SonicMQ Client runtime will use it appropriately, as described in the earlier section. Six basic pieces make up a complete Login SPI implementation that uses JAAS. They are:

1. Interface made available by Progress Software that can be used to plug-in an authentication application or code.

2. Authentication application - implementation of the interface.

3. An implementation of javax.security.auth.callback.CallbackHandler (optional) to be used by the authentication application.

4. Implementation of javax.security.auth.spi.LoginModule.

5. An implementation of java.security.Principal interface to be used by javax.security.auth.spi.LoginModule.

6. Appropriate configuration (e.g. AnySimpleJAAS.config) file used by the JVM.

A user attempting to write and use JAAS based Login SPI will provide/write all the above pieces.

Configuration

The Login SPI can be plugged in to the Sonic JMS client through ConnectionFactory. Below is an example of plugging a Login SPI implementation in to a JMS client.

Assume that sonic.pass.loginspi.impl.BasicLogin is a class implementing the interface com.sonicsw.security.pass.client.ILogin. If factory is a TopicConnectionFactory, the Login SPI can be configured as

String m_loginSPIClassName = "sonic.pass.loginspi.impl.BasicLogin";

((progress.message.jclient.ConnectionFactory)factory).setLoginSPI(m_loginSPIClassName);

The second way of configuring the Login SPI implementation is via JVM argument. Use -DSonicMQ.LOGIN_SPI=sonic.pass.loginspi.impl.BasicLogin as a JVM argument to configure a Login SPI implementation. However, a Login SPI configured via ConnectionFactory takes precedence.


Field Summary
static java.lang.String INTERFACE_NAME
          Name of this interface
 
Method Summary
 IPasswordUser getCredential()
          Called by SonicMQ runtime after the call to login() method returns successfully.
 ILogin getLoginSPI()
           
 boolean login()
          Called by the SonicMQ runtime after the information on user name and password has been made available to the class implementing this interface through the setUserName and setPassword methods.
 void logout()
          Called by SonicMQ runtime when a JMS connection is closed.
 void setPassword(java.lang.String password)
          Called by the SonicMQ runtime.
 void setUserName(java.lang.String username)
          Called by the SonicMQ runtime.
 

Field Detail

INTERFACE_NAME

static final java.lang.String INTERFACE_NAME
Name of this interface

See Also:
Constant Field Values
Method Detail

getCredential

IPasswordUser getCredential()
Called by the SonicMQ runtime after the call to the login() method returns successfully. This method is used to retrieve the user name and password that are to be used in creating the JMS connection. The implementation of this method may return the same user name and password that it received through the setUserName and setPassword methods. The implementation may also return any modified user name and/or password that it wants to use for creating the JMS connection. Any password transformation that needs to happen can be implemented by the SPI implementer, and this method can be used to pass the modification to the SonicMQ runtime.


getLoginSPI

ILogin getLoginSPI()

login

boolean login()
Called by the SonicMQ runtime after the information on user name and password has been made available to the class implementing this interface through the setUserName and setPassword methods. If the call to this method returns without an exception, the login to the external security store or schema is assumed validated and the user is considered authenticated at the client side.


logout

void logout()
Called by the SonicMQ runtime when a JMS connection is closed. Users can implement cleanup or any miscellaneous task in this method.


setPassword

void setPassword(java.lang.String password)
Called by the SonicMQ runtime. This method is used to pass the user's password used for creating the JMS connection to the class implementing this interface.

Parameters:
password - set by SonicMQ runtime

setUserName

void setUserName(java.lang.String username)
Called by the SonicMQ runtime. This method is used to pass the user name used for creating the JMS connection to the class implementing this interface.

Parameters:
username - set by SonicMQ runtime


Copyright © 2001-2011 Progress Software Corporation. All Rights Reserved.
HTML formatted on 12-Aug-2011.