11 Replies Latest reply on Apr 26, 2008 12:56 AM by matteg.gerry.matte.shaw.ca

    JAAS LDAP Authentication ignores authenticate-method

    matteg.gerry.matte.shaw.ca

      I have a SEAM application that was originally configured to use simple authentication exactly as depicted in Chapter 13 of the SEAM 2.0.1.GA manual.  I am trying now to make use of the container authentication that I use for my other webapps.


      When my components.xml file contains:


      <security:identity security-rules="#{securityRules}" authenticate-method="#{authenticator.authenticate}" remember-me="true" />



      my custom authenticator's authenticate method is invoked as expected.





      However, if I attempt to use my JBoss JAAS security domain IntranetLDAP:



      <security:identity security-rules="#{securityRules}" authenticate-method="#{authenticator.authenticate}" remember-me="true" jaas-config-name="IntranetLDAP" />




      the authenticator.authenticate method is never called.  However, identity is created and loaded with the correct roles as specified in my LDAP server. 



      The Advanced Authentication example in the manuals section 13.4.8 is very similar to my malfunctioning code.  In both cases I have additional properties security-rules and remember-me when compared to the example code but that should not matter.




      My problem is that I have been using authenticator.authenticate to instantiate a custom session object that I wish to initialise at the time authentication occurs.



      Can someone confirm that authenticator.authenticate will not work for container managed authentication?



      Any ideas for how I might alternately perform my initialisation at login time?

        • 1. Re: JAAS LDAP Authentication ignores authenticate-method
          keithnaas

          Just to cover all of the bases:


          When you say container managed authentication does that mean that you are using JEE deployment descriptors to provide security-constraints, security-roles, and login-config?  Or does that just mean that you are tying seam to your container's jaas config?


          What is the java code for the authenticator component? 




          Any ideas for how I might alternately perform my initialisation at login time ?

          Security Events

          • 2. Re: JAAS LDAP Authentication ignores authenticate-method
            matteg.gerry.matte.shaw.ca

            Hi Keith.


            Prior to using SEAM, I configured JBoss to use our LDAP server for authentication and authorisation using JAAS and the JBoss LdapExtLoginModule to insert a new JAAS application policy in [JBOSS_HOME]/server/default/config/login-config.xml.


            This IntranetLDAP security is referenced in the usual way with my jsp webapps with entries in jboss-web.xml and web.xml to apply role based security to my jsp pages and other protected resources.  That all works and is incorporated in multiple webapps that are not SEAM based.


            I could supply more detail about my container JAAS authentication but hopefully this is enough to answer your query.  If not please say so.


            The Java code for the authenticator.authenticate method is a bit long because it executes Hibernate queries to instantiate a number of objects and bind them into a session object.  The reason I know that the authenticate method isn't invoked with my LDAP security domain is that a log message is executed as the first line of code in the method.  It appears when I don't use my container's LDAP JAAS domain and never appears when I do use it.


            Thanks for the idea of using security events.  I had already flagged that as a rather cumbersome way to get around the fact that my formerly debugged code is suddenly being ignored.  I'm thinking I'll intercept the postAuthenticate event if I have to use this approach.

            • 3. Re: JAAS LDAP Authentication ignores authenticate-method
              matteg.gerry.matte.shaw.ca

              I have concluded that the authenticate-method is never executed when I use a jaas-config-name parameter on the security:identity tag in components.xml.


              The most elegant work around that enables my application to still execute that method is to also add an event listener triggered by the postAuthenticate event and dispatch to the same authenticate-method.


              My working application now contains the following code in components.xml:



                 <security:identity security-rules="#{securityRules}" remember-me="true" jaas-config-name="IntranetLDAP" />

                 <!-- authenticate-method is not called when jaas-config-name is set,
                      so dispatch to the same method from the postAuthenticate event -->
                 <event type="org.jboss.seam.security.postAuthenticate">
                     <action execute="#{authenticator.authenticate}"/>
                 </event>


              Until such time as SEAM is patched to properly call the authenticate-method when using JAAS, adding the above event listener code is the easiest workaround to keep your application working after you switch to JAAS.


              Thanks to Keith for suggesting this approach and also to Mathew Demerath for sending me some working code !

              • 4. Re: JAAS LDAP Authentication ignores authenticate-method
                shane.bryzak

                Seam will never call the authenticate method if an alternative JAAS configuration is specified.  The event observer method is the correct approach to use.

                • 5. Re: JAAS LDAP Authentication ignores authenticate-method
                  matteg.gerry.matte.shaw.ca

                  The above solution to use JAAS LDAP authentication seems to require at least version 2.0.1.GA of SEAM if you wish to use an authenticate-method.


                  While implementing this approach on another development machine, I discovered that the approach of intercepting the postAuthenticate security event does not work with SEAM version 2.0.0.


                  Although that level of SEAM properly authenticated users against our LDAP server, the postAuthenticate event failed to call back the event's action (authenticator.authenticate in the example above).

                  • 6. Re: JAAS LDAP Authentication ignores authenticate-method
                    aymenhouissa

                    Hi,
                    I would like to do authentication using LDAP; I am facing some problems making it run.
                    Would you please guide me through this configuration?
                    Any help will be greatly appreciated!!

                    • 7. Re: JAAS LDAP Authentication ignores authenticate-method
                      matteg.gerry.matte.shaw.ca

                      If you already have LDAP working for JSP pages with JBoss 4.2, I can try to help make it work with SEAM.  If you don't have that working, I'm not able to spend the time needed to learn your environment and make LDAP work first for JBoss JAAS.


                      If you do have JBoss working for JSP pages, tell me what your problem is and I'll give it a few tries anyway.

                      • 8. Re: JAAS LDAP Authentication ignores authenticate-method
                        aymenhouissa

                        Hi,
                        I made the authentication to LDAP using JSP as you told me; please tell me now how to proceed to make it work within Seam
                        (I'm using Seam 2.1 and my app is generated by seam-gen).
                        Thanks

                        • 9. Re: JAAS LDAP Authentication ignores authenticate-method
                          matteg.gerry.matte.shaw.ca

                          Ok.  If you already have JBoss working with a JAAS LDAP server, then you will have defined the required application policy in your JBoss login-config.xml.  Mine is shown below but yours will differ of course depending on how your LDAP directory tree is constructed.


                              <application-policy name="IntranetLDAP">
                                <authentication>
                                  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                                    <!-- JNDI connection settings; ldap:// on port 389 is an unencrypted connection -->
                                    <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                                    <module-option name="java.naming.provider.url">ldap://IntranetLDAPserver:389/</module-option>
                                    <module-option name="java.naming.security.authentication">simple</module-option>
                                    <!-- Empty bindDN/bindCredential: the user and role searches are done with an anonymous bind -->
                                    <module-option name="bindDN"></module-option>
                                    <module-option name="bindCredential"></module-option>
                                    <!-- Where to look up the user; {0} is replaced by the login name -->
                                    <module-option name="baseCtxDN">ou=People,o=SAANICH</module-option>
                                    <module-option name="baseFilter">(cn={0})</module-option>
                                    <!-- Where to look up roles; {1} is replaced by the DN of the user found above -->
                                    <module-option name="rolesCtxDN">ou=Webapp-Roles,ou=Groups,o=SAANICH</module-option>
                                    <module-option name="roleFilter">(member={1})</module-option>
                                    <module-option name="uidAttributeID">member</module-option>
                                    <!-- The role name is the cn of each matching group entry -->
                                    <module-option name="roleAttributeID">cn</module-option>
                                    <module-option name="roleNameAttributeID">cn</module-option>
                                    <module-option name="roleAttributeIsDN">true</module-option>
                                    <!-- Never send an empty password to the server: some LDAP servers treat it as an anonymous bind -->
                                    <module-option name="allowEmptyPasswords">false</module-option>
                                  </login-module>
                                </authentication>
                              </application-policy>


                          Knowing from the first line that the name of my JAAS LDAP security policy is IntranetLDAP, locate your Seam application's components.xml and insert the code from my March 20 posting above, replacing the seam-gen <security:identity .... tag:

                              <security:identity security-rules="#{securityRules}" remember-me="true" jaas-config-name="IntranetLDAP" />

                              <event type="org.jboss.seam.security.postAuthenticate">
                                  <action execute="#{authenticator.authenticate}"/>
                              </event>


                          That's it.  You will now have your seam application authenticating using your ldap server. 


                          Authorisation (using roles) will of course require that you have appropriate groups defined in your LDAP directory.  As before, use JBoss and JSP to ensure that you are able to verify that the roles are accessible to the JBoss JAAS domain.
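Added example, not code from this thread: a Seam 2 authenticator component that implements the postAuthenticate workaround from the March 20 posting and the walkthrough above in Java, using the annotation form of the same event listener rather than the <event> block in components.xml. It runs only after the IntranetLDAP JAAS domain has accepted the credentials, reads the principal and the LDAP-derived roles from Identity, and binds a per-user session object. The package name, the UserSession class, the role names "admin" and "user", and the log messages are assumptions; the event name and the behaviour it relies on (Seam skipping authenticate-method when jaas-config-name is set) come from the thread.

```java
// Added example; not code from the thread.  Package, UserSession, the role
// names "admin"/"user" and the log messages are assumptions.
package example.security;

import java.security.Principal;

import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Observer;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Identity;

/**
 * Authenticator for a Seam 2 application whose components.xml sets
 * jaas-config-name="IntranetLDAP".  In that mode Seam hands the credential
 * check to the JBoss LdapExtLoginModule and never calls authenticate-method,
 * so the per-user session state is built from the postAuthenticate event.
 */
@Name("authenticator")
public class Authenticator {

    @Logger
    private Log log;

    @In
    private Identity identity;

    /**
     * Annotation form of the components.xml listener from the thread:
     *   <event type="org.jboss.seam.security.postAuthenticate">
     *       <action execute="#{authenticator.authenticate}"/>
     *   </event>
     * Register one form or the other; both together run this method twice.
     */
    @Observer("org.jboss.seam.security.postAuthenticate")
    public void authenticate() {
        Principal principal = identity.getPrincipal();
        if (principal == null) {
            // Defensive: never build session state for a caller whose JAAS
            // login did not leave an authenticated principal behind.
            log.warn("postAuthenticate raised without a principal; skipping session init");
            return;
        }

        String username = principal.getName();
        // Roles were populated by LdapExtLoginModule from the cn of each group
        // under rolesCtxDN whose member attribute lists the user's DN.
        boolean admin = identity.hasRole("admin");
        boolean user = identity.hasRole("user");
        log.info("LDAP login for #0 (admin=#1, user=#2); initialising session",
                 username, admin, user);

        // Hypothetical session holder; the original poster loads Hibernate
        // objects here and binds them the same way.
        UserSession session = new UserSession(username, admin);
        Contexts.getSessionContext().set("userSession", session);
    }

    /** Immutable snapshot of what was decided at login time. */
    public static final class UserSession {
        private final String username;
        private final boolean admin;

        UserSession(String username, boolean admin) {
            this.username = username;
            this.admin = admin;
        }

        public String getUsername() { return username; }
        public boolean isAdmin() { return admin; }
    }
}
```

With this class in place the components.xml needs only the <security:identity ... jaas-config-name="IntranetLDAP" /> line; the @Observer annotation replaces the <event> block. Keeping the null-principal check means a misconfigured login module that raises the event without a subject cannot leave a half-initialised session behind.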

                          • 10. Re: JAAS LDAP Authentication ignores authenticate-method
                            aymenhouissa

                            Thanks,
                            it works fine.  Now I would like to configure my application policy directly in my web application (not in my JBoss login-config.xml), like creating inputs that receive all these parameters.
                            Help please.

                            • 11. Re: JAAS LDAP Authentication ignores authenticate-method
                              matteg.gerry.matte.shaw.ca

                              I can't think why one might want to ignore the container security and instead embed it within a web application. 


                              However, if that's what you want look again at the forum posting Configuring SEAM with OpenLDAP for an example.