JBoss.org Community Documentation
The DatabaseServerLoginModule is a JDBC based login module that supports authentication and role mapping. You would use this login module if you have your username, password and role information stored in a relational database. The DatabaseServerLoginModule is based on two logical tables:
Table Principals(PrincipalID text, Password text)
Table Roles(PrincipalID text, Role text, RoleGroup text)
The Principals table associates the user PrincipalID with the valid password and the Roles table associates the user PrincipalID with its role sets. The roles used for user permissions must be contained in rows with a RoleGroup column value of Roles. The tables are logical in that you can specify the SQL query that the login module uses. All that is required is that the java.sql.ResultSet has the same logical structure as the Principals and Roles tables described previously. The actual names of the tables and columns are not relevant as the results are accessed based on the column index.

To clarify this notion, consider a database with two tables, Principals and Roles, as already declared. The following statements build the tables to contain a PrincipalID java with a Password of echoman in the Principals table, a PrincipalID java with a role named Echo in the Roles RoleGroup in the Roles table, and a PrincipalID java with a role named caller_java in the CallerPrincipal RoleGroup in the Roles table:
INSERT INTO Principals VALUES('java', 'echoman');
INSERT INTO Roles VALUES('java', 'Echo', 'Roles');
INSERT INTO Roles VALUES('java', 'caller_java', 'CallerPrincipal');
The supported login module configuration options include the following:
dsJndiName: The JNDI name for the DataSource of the database containing the logical Principals and Roles tables. If not specified this defaults to java:/DefaultDS.
principalsQuery: The prepared statement query equivalent to: select Password from Principals where PrincipalID=?. If not specified this is the exact prepared statement that will be used.
rolesQuery: The prepared statement query equivalent to: select Role, RoleGroup from Roles where PrincipalID=?. If not specified this is the exact prepared statement that will be used.
ignorePasswordCase: A boolean flag indicating if the password comparison should ignore case. This can be useful for hashed password encoding where the case of the hashed password is not significant.
principalClass: An option that specifies a Principal implementation class. This must support a constructor taking a string argument for the principal name.
As an example DatabaseServerLoginModule configuration, consider a custom table schema like the following:
CREATE TABLE Users(username VARCHAR(64) PRIMARY KEY, passwd VARCHAR(64));
CREATE TABLE UserRoles(username VARCHAR(64), userRoles VARCHAR(32));
A corresponding login-config.xml entry would be:
<policy>
    <application-policy name="testDB">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                          flag="required">
                <module-option name="dsJndiName">java:/MyDatabaseDS</module-option>
                <module-option name="principalsQuery">
                    select passwd from Users where username=?</module-option>
                <module-option name="rolesQuery">
                    select userRoles, 'Roles' from UserRoles where username=?</module-option>
            </login-module>
        </authentication>
    </application-policy>
</policy>
This module supports password stacking, password hashing and unauthenticated identity.
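The following added example is a Python/sqlite3 model of the query contract described above, not JBoss code: it runs queries following the login-config.xml example against the custom Users/UserRoles schema, reads results by column position, and groups roles by RoleGroup. The function names, the in-memory database and the constant-time comparison are assumptions of this sketch.

```python
import hmac
import sqlite3

# Queries follow the login-config.xml example. Any query is acceptable as long
# as the result columns come back in the order (password) and (role, role group).
PRINCIPALS_QUERY = "select passwd from Users where username=?"
ROLES_QUERY = "select userRoles, 'Roles' from UserRoles where username=?"


def build_sample_db():
    """Constructed in-memory data using the page's custom schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users(username VARCHAR(64) PRIMARY KEY, passwd VARCHAR(64));
        CREATE TABLE UserRoles(username VARCHAR(64), userRoles VARCHAR(32));
        INSERT INTO Users VALUES('java', 'echoman');
        INSERT INTO UserRoles VALUES('java', 'Echo');
    """)
    return conn


def login(conn, username, password, ignore_password_case=False):
    """Return {role_group: {roles}} on success, None on failure."""
    # The username is bound to the '?' placeholder, never concatenated into SQL.
    row = conn.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None or row[0] is None:
        return None                      # unknown principal or no stored password
    expected = row[0]                    # first column is the password, whatever its name
    if ignore_password_case:             # models the ignorePasswordCase option
        expected, password = expected.lower(), password.lower()
    # Constant-time comparison is a choice of this sketch.
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    groups = {}
    # UserRoles has no RoleGroup column; the literal 'Roles' in the query
    # supplies the second result column the module expects.
    for role, group in conn.execute(ROLES_QUERY, (username,)):
        groups.setdefault(group, set()).add(role)
    return groups


if __name__ == "__main__":
    print(login(build_sample_db(), "java", "echoman"))
```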