PAM Authentication
Warning: This works only in Linux (and other Unix Systems).
PAM authentication in a Java application makes it possible to use native Linux (and other Unix system) features from Java.
With PAM in Java, a developer can let Linux authenticate the users of a Java application.
JPam project:
http://jpam.sourceforge.net/
Some more functionality was added in this implementation. It is possible to authenticate Linux users in a Java application and to get the list of groups these users belong to. These groups can be used for controlling permissions in JCR: a system administrator then controls user permissions in JCR by adding users to or removing them from a group.
For example:
root@somehost # groups user1
users dialout video
root@somehost # usermod -a -G admin user1
root@somehost # groups user1
admin users dialout video
Now user1 is in the new group admin. In the Java application a developer can get the list of groups for the current user and, depending on it, grant or deny permission to perform particular actions.
The source code is here:
svn://svn.forge.objectweb.org/svnroot/exoplatform/projects/core/trunk/component/organization/pam.
This project includes Java and C code. For building both of them run the command:
mvn clean install antrun:run
You can find Java and C libraries in the target folder.
If you want to test these tools, see the scripts test-jpam.sh and test-jass.sh in the project root folder.
Warning: Check the classpath in the script before running it, and copy the file src/main/conf/exo-jpam to the PAM configuration directory /etc/pam.d.
You may need to edit the file exo-jpam, since PAM configuration differs considerably between Linux systems.
Furthermore, the user running the test must be able to read the file /etc/shadow.
root@somehost $ ./test-jpam.sh _user_ _password_
02.09.2007 12:39:40 org.exoplatform.services.organization.auth.pam.Pam main
INFO: Response: Successful function return.
Configuration:
- Place the exo.core.component.organization.pam-X.X.X.jar into your classpath.
- Ensure that any libraries required to satisfy dependencies are also in the classpath.
- As an optional step, configure an appropriate logging level.
- Copy the native library libjpam.so to the Java Native Library Path.
- Copy src/main/conf/exo-jpam to the pam folder. In Linux this is /etc/pam.d. Configure it as you like.
- You must be able to read the file /etc/shadow.
- If you are going to use JAAS authentication put the file src/main/conf/jpam-jaas.config wherever you want, and remember to add -Djava.security.auth.login.config=path_to_jpam-jaas.config when running an application.
For more about PAM configuration, see the PAM man pages on your Linux system.
The information about groups is kept within the class GroupPrincipal.
In an application the information about groups for a user can be reached in the following way:
import java.util.Enumeration;
import java.util.Set;
// JAASGroup and GroupPrincipal come from the pam component jar; loginContext is a
// javax.security.auth.login.LoginContext on which login() has already succeeded.

Set<JAASGroup> gprincipals = loginContext.getSubject().getPrincipals(JAASGroup.class);
if (gprincipals != null && !gprincipals.isEmpty()) {
    out.println(">>> User is member of groups : ");
    for (JAASGroup gp : gprincipals) {
        out.print(gp.getName() + " : ");
        // each JAASGroup enumerates its member principals
        Enumeration<GroupPrincipal> g = gp.members();
        while (g.hasMoreElements()) {
            out.print(g.nextElement().getName() + "; ");
        }
        out.println();
    }
}
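The following is an added example, not code from the JPam or eXo project, that puts the two pieces described above together: it performs the JAAS login against PAM and then decides, from the group principals the login module placed into the Subject, whether the user may perform an action that requires a given group (the "grant or deny" step mentioned earlier). It assumes a JAAS configuration entry named exo-jpam in jpam-jaas.config, that the login module requests the user name and password through the standard NameCallback and PasswordCallback, and that JAASGroup and GroupPrincipal live in the org.exoplatform.services.organization.auth.pam package (the page only shows the class names, so the package is an assumption).

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Assumed package: the page only names the classes JAASGroup and GroupPrincipal.
import org.exoplatform.services.organization.auth.pam.GroupPrincipal;
import org.exoplatform.services.organization.auth.pam.JAASGroup;

public class PamGroupCheck {

    // Assumed name of the entry in jpam-jaas.config; use whatever your file defines.
    private static final String JAAS_ENTRY = "exo-jpam";

    /** Supplies a fixed user name and password to the login module's callbacks. */
    static final class FixedCredentials implements CallbackHandler {
        private final String user;
        private final char[] password;

        FixedCredentials(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback");
                }
            }
        }
    }

    /** Collects every group name reachable through the JAASGroup principals of a subject. */
    static Set<String> groupNames(Subject subject) {
        Set<String> names = new HashSet<>();
        for (JAASGroup gp : subject.getPrincipals(JAASGroup.class)) {
            names.add(gp.getName());
            Enumeration<GroupPrincipal> members = gp.members();
            while (members.hasMoreElements()) {
                names.add(members.nextElement().getName());
            }
        }
        return names;
    }

    /** Authenticates against PAM and reports whether the user belongs to requiredGroup. */
    static boolean isAllowed(String user, char[] password, String requiredGroup) {
        LoginContext lc;
        try {
            lc = new LoginContext(JAAS_ENTRY, new FixedCredentials(user, password));
            lc.login();                // PAM decides whether the credentials are valid
        } catch (LoginException e) {
            return false;              // any authentication failure is a plain deny
        } finally {
            Arrays.fill(password, '\0');   // do not keep the password in memory longer than needed
        }
        try {
            return groupNames(lc.getSubject()).contains(requiredGroup);
        } finally {
            try {
                lc.logout();           // release the Subject's principals once the decision is made
            } catch (LoginException ignored) {
                // nothing useful to do at logout time
            }
        }
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: PamGroupCheck <user> <password>");
            System.exit(2);
        }
        boolean ok = isAllowed(args[0], args[1].toCharArray(), "admin");
        System.out.println(ok ? "admin action permitted" : "admin action denied");
    }
}
```

Run it the same way the configuration section describes: with the pam component jar and its dependencies on the classpath, libjpam.so on the Java native library path (-Djava.library.path), -Djava.security.auth.login.config pointing at jpam-jaas.config, and as a user that can read /etc/shadow. Authentication and authorization are kept as two separate decisions on purpose: a valid password that is not in the required group is denied just like a wrong password, and the caller is not told which of the two failed.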
To build the native code for systems other than 32-bit Linux, see src/main/c/makefile and edit pom.xml for your system.
The relevant part of pom.xml:
<exec executable="make">
    <arg value="--directory=src/main/c"/>
    <arg value="libjpam.x86"/>
</exec>