4. Authentication

Now that you’ve configured everything, its time to set up authentication so you can actually let users into your server. The Pipeline authenticates users using the Java Authentication and Authorization Service (JAAS), which allows the server operator to authenticate usernames and passwords against any type of system that they want. When a user connects to the server, the Pipeline tries to create a new LoginContext and if the creation is successful, attempts to call the login() method. If true is returned, we allow the user to continue and otherwise the user is disconnected from the server with an “Authentication Failed” message.

In order for the Pipeline server to successfully create a LoginContext, we need one of the following jar files.

PassiveLoginModule This module turns off the authentication and accepts any user/password combination for logging in to the server. See the Authentication Quick Start for more information about this module.

PAMLoginModule This module authenticates users by using PAM.

SSHLocalLoginModule This module authenticates users with SSH credentials. Only those users will be granted access, who are able to SSH to current host.

Alternatively, you can write a little code in Java that handles the authentication scheme. This essentially boils down to 1) implementing the LoginModule interface, 2) packaging the class into a jar file, and 3) making sure its contents are available in the classpath of the server when you launch it. For steps 1 and 2, I will redirect you to the excellent documentation provided by Sun on how to complete those tasks.

Once you’ve got your jar file, you need to create a configuration file to reference the LoginModule inside your jar file. So fire up your favorite text editor and type the following:

/** Login Configuration for the Pipeline **/
PipelineLogin {
edu.ucla.loni.pipeline.security.LONILoginModule required debug=true;

In your configuration file, you should replace “edu.ucla.loni.pipeline.security.LONILoginModule” with the path to the LoginModule class you implemented. Now save the file out as pipeline_security.config into the same directory where you placed the Pipeline.jar file and start up the server.

$ java -Djava.security.auth.login.config=pipeline_security.config -classpath Pipeline.jar server.Main

As you can see, we’re setting the system property java.security.auth.login.config to pipeline_security.config, so when the Pipeline tries to create a LoginContext, JAAS will check this property for a filename, go into the file and read in the class name of the LoginModule specified. Using reflection, it’ll load the class and return it to the Pipeline.

4.1 Authentication Quickstart

If you don’t really care about protecting access to the Pipeline server and you just want to get a server running for testing or whatever other reason, we have a LoginModule that you can use, but with a big warning.

WARNING: Using this LoginModule will grant access to anybody who tries to connect to your Pipeline server. It won’t even check their username and password. It will just let them in, no questions asked. This is in no way secure and is a bad thing to do. If you use this module, it is at your own risk.

Now that you’ve been sternly lectured ; -) go ahead and download the jar file that contains the LoginModule class into the lib directory that you extracted out of the pipeline download. Next, download the configuration file and place that into the same directory as the Pipeline.jar file. If you care, you can download the source code of the PassiveLoginModule class too, but it’s not necessary.

Now let’s start the server using the new configuration file and LoginModule:

$ java -Djava.security.auth.login.config=pipeline_jaas.config -classpath lib/PassiveLoginModule.jar:Pipeline.jar server.Main

Previous: 3. Configuration Table of Contents Next: 5. Monitor and Manage