
shibboleth-dev - Re: [Shib-Dev] [PATCH] Multi-factor authentication

  • From: Brent Putman <>
  • Subject: Re: [Shib-Dev] [PATCH] Multi-factor authentication
  • Date: Mon, 18 Apr 2011 10:27:30 -0400



On 4/18/11 8:53 AM, Etienne Dysli wrote:
>
> Thanks for the clarification.
>
> In the meantime, I've found another possible explanation: the page
> http://download.oracle.com/javase/1.5.0/docs/guide/security/jaas/tutorials/LoginConfigFile.html
> (linked from
> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass)
> states (near the end) "If more than one login configuration file is
> specified, then the files are read and concatenated into a single
> configuration.".


Well, yes, however that only applies if you are using the 2nd config
approach, using entries in jre/lib/security/java.security of the form
login.config.url.n. However, I'm not sure whether that works in the IdP
- are you saying you have tried it? We always unconditionally set the
java.security.auth.login.config system property, so I'm not sure which
one wins out if both mechanisms are used, or whether it merges the
system property and those properties from java.security.

This is fine if it works. I think we have some language in the
UsernamePassword login handler docs that JAAS configuration may be done
via environment-specific means. For example, JBoss uses an XML
configuration file format that overrides what we do, so you have to use
that mechanism with the IdP.


> So config entry names should not be reused in other
> files (MultiFactorAuth does use the same default jaasConfigName as
> UsernamePasswordAuth). I've switched to another name and I can use both
> login handlers in the same IdP.
>


Yes, using distinct app names in the config and then specifying them via
servlet init params for each login handler is what we've recommended in
the past. As I recall from earlier in the thread, though, you just set
both of the login handlers to point to the same config file, correct?

--Brent
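As an added example, not code from the thread or from the Shibboleth project, here is a small Python check for the collision Etienne ran into: it parses JAAS login.config entries, concatenates several files the way the Oracle tutorial describes for login.config.url.n, and reports any application name that more than one file defines. The sample files, application names, module classes and options are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple
Module = Tuple[str, str, Dict[str, str]]  # (login module class, control flag, options)

# Constructed sample login.config files for the two login handlers; names, classes and options are made up.
USERPASS_CONF = """
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldap://ldap.example.org" baseDn="ou=people,dc=example,dc=org";
};
"""
# "Before": the second handler's file reuses the first handler's application name.
MFA_CONF_CLASHING = """
ShibUserPassAuth {
    // placeholder class standing in for a second-factor login module
    org.example.mfa.OtpLoginModule required otpServer="otp.example.org";
};
"""
# "After": the fix from the thread, a distinct application name for the second handler.
MFA_CONF_FIXED = MFA_CONF_CLASHING.replace("ShibUserPassAuth", "ShibMultiFactorAuth")

ENTRY_RE = re.compile(r"([\w.$-]+)\s*\{(.*?)\}\s*;", re.S)
MODULE_RE = re.compile(r"(\S+)\s+(required|requisite|sufficient|optional)\b([^;]*);", re.I)
OPTION_RE = re.compile(r'([\w.]+)\s*=\s*(?:"([^"]*)"|(\S+))')

def parse_jaas_config(text: str) -> Dict[str, List[Module]]:
    """Parse one login.config file into {application name: [module entries]}."""
    text = re.sub(r"(?m)(^|\s)//[^\n]*", r"\1", text)  # drop // comments, keep ldap:// URLs
    entries: Dict[str, List[Module]] = {}
    for name, body in ENTRY_RE.findall(text):
        modules = []
        for cls, flag, raw_opts in MODULE_RE.findall(body):
            opts = {k: quoted or bare for k, quoted, bare in OPTION_RE.findall(raw_opts)}
            modules.append((cls, flag.lower(), opts))
        if name in entries:
            raise ValueError(f"{name} is defined twice in the same file")
        entries[name] = modules
    return entries

def merge_jaas_configs(files: Dict[str, str]) -> Tuple[Dict[str, List[Module]], List[str]]:
    """Concatenate files as login.config.url.n does; report names defined in more than one file."""
    merged: Dict[str, List[Module]] = {}
    clashes: List[str] = []
    for fname, text in files.items():
        for name, modules in parse_jaas_config(text).items():
            if name in merged:
                clashes.append(name)  # first definition kept; later ones flagged, not merged
            else:
                merged[name] = modules
    return merged, clashes
```

Running `merge_jaas_configs` over the "before" pair flags `ShibUserPassAuth`; over the "after" pair it flags nothing and both handlers' entries survive.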
