Expand my Community achievements bar.

SOLVED

By pass AEM login screen

Avatar

Level 1

Hi,

I am doing a POC where I want to bypass the Aem login screen. I have deployed AEM 6.0 on tomcat and configured  in house authentication (Kerberos ) in tomcat. When I start the tomcat and access the application, it shown the in house login screen. Once the authentication is successful, it is showing AEM login screen. As per my requirement I don't want to show AEM login screen and user should see welcome screen when the login is suucessful from in house login screen. Do I need to create any custom logic to by pass the AEM login screen?

1 Accepted Solution

Avatar

Correct answer by
Employee

The kerberos token needs to be validated and then only the user would be allowed. you can use http://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html and create an externalloginmodule for this. Then you can also try to leverage http://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5Log... for this. After authentication of the kerberos token, the user can be syncd to the system also.

View solution in original post

5 Replies

Avatar

Correct answer by
Employee

The kerberos token needs to be validated and then only the user would be allowed. you can use http://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html and create an externalloginmodule for this. Then you can also try to leverage http://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5Log... for this. After authentication of the kerberos token, the user can be syncd to the system also.

Avatar

Level 2

Hi Kalyan,

As per my understanding need to create a custom class which implements externalidentityprovider and override the authenticate method and this identify provider should be configured in apache Jackrabbit Oak external login module right?

Do you have any sample logic?

Avatar

Level 10

Yes! thats correct..

will post you some sample logic if I get any or I will try to do it myself

Avatar

Level 2

Than you. I am planning to create an user (userid which can be validated by kerberos authentication system) with dummy password in AEM. And then  i will login with that userid and kerberos password from kerberos(in house system) login form. Once credentials are validated successfully and creates kerberos token and passes the control to AEM. If we write a custom identity provider which implements externalidentityprovider , then control will come to the custom identity provider authenticate() method? Custom identity provider should execute the logic and should display AEM welcome screen without the AEM login form. As the user is already part of the system with dummy password, can see the icons for which he is authorized in welcome screen. kerberos password is for initial login.

 @Override
    public ExternalUser authenticate(Credentials credentials)  {
   // what should we return here?
    }

Avatar

Employee

 http://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html This link talks about how LDAP is plugged in. They have written an LDAPIdentityProvider http://grepcode.com/file/repo1.maven.org/maven2/org.apache.jackrabbit/oak-auth-ldap/0.17.1/org/apach... and plugged it in AEM using the ExternalLoginModule. Does this help?