Seam 2.1: using LdapIdentityStore with JpaIdentityStore
gonorrhea Mar 16, 2009 7:45 PM

According to the Yuan/Orshalick/Heute book (2nd ed.), it's possible to configure an LdapIdentityStore for user retrieval and a JpaIdentityStore for role retrieval.
code snippet from pg. 251:
<security:identity-manager identity-store="#{ldapIdentityStore}" role-identity-store="#{jpaIdentityStore}"/>
I've looked at the seamspace and rulesbooking examples. I've read the docs, and this material and API are not trivial, especially when you start getting into Drools for permissions management. Is Drools really necessary in most use cases concerning security, considering most apps will want to restrict pages based on role (not necessarily components and public methods)?
We're trying to use Active Directory (i.e. LDAP) for authentication. Currently, we're using NTLM silent authentication (i.e. no form to input username/password and submit) with IE browsers. I'm interested in the role management functionality via JpaIdentityStore and RDBMS tables for user self-service as far as adding users/roles, etc. We are using security groups in AD (managed by MS Outlook) for modifying/adding users to roles. I remember this UI admin functionality was achieved with the seamspace example; however, this confuses me somewhat:
<security:ldap-identity-store name="ldapIdentityStore"
    server-address="localhost"
    bind-DN="cn=Manager,dc=bryzak,dc=com"
    bind-credentials="secret"
    user-DN-prefix="uid="
    user-DN-suffix=",ou=Person,dc=bryzak,dc=com"
    role-DN-prefix="cn="
    role-DN-suffix=",ou=Roles,dc=bryzak,dc=com"
    user-context-DN="ou=Person,dc=bryzak,dc=com"
    role-context-DN="ou=Roles,dc=bryzak,dc=com"
    user-role-attribute="roles"
    role-name-attribute="cn"
    user-object-classes="person,uidObject" />
How does this work exactly when running from my machine/network? I see the following in the log:
2009-03-16 11:01:37,934 INFO [org.jboss.seam.Component] Component: ldapIdentityStore, scope: APPLICATION, type: JAVA_BEAN, class: org.jboss.seam.security.management.LdapIdentityStore
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.roleDNPrefix=cn=
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.bindCredentials=secret
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.userObjectClasses=person,uidObject
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.serverAddress=localhost
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.bindDN=cn=Manager,dc=bryzak,dc=com
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.roleNameAttribute=cn
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.userDNSuffix=,ou=Person,dc=bryzak,dc=com
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.roleDNSuffix=,ou=Roles,dc=bryzak,dc=com
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.userContextDN=ou=Person,dc=bryzak,dc=com
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.roleContextDN=ou=Roles,dc=bryzak,dc=com
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.userRoleAttribute=roles
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.userDNPrefix=uid=
It also gets confusing when you have all these Seam annotations in one entity class:
@PermissionUser @PermissionRole @PermissionTarget @PermissionAction @PermissionDiscriminator
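As an added example (not part of the original post, and not taken from the Seam distribution or the book), here is how the two stores from the question fit together in Seam 2.1 components.xml, together with a pages.xml restriction that limits a view to a role without any Drools rules. The directory DNs, the `com.example` class names and the `@ldap.*@` property names are assumed placeholders; the `@name@` substitution from `components.properties` is a standard Seam 2 configuration feature.

```xml
<!-- components.xml (added example; DNs, class names and @ldap.*@ names are placeholders) -->
<components xmlns="http://jboss.com/products/seam/components"
            xmlns:security="http://jboss.com/products/seam/security">

    <!-- Users authenticate against the directory. The bind password is pulled
         from components.properties via @name@ substitution instead of being
         written into this file, so it is not committed with the configuration. -->
    <security:ldap-identity-store name="ldapIdentityStore"
        server-address="@ldap.host@"
        bind-DN="@ldap.bindDN@"
        bind-credentials="@ldap.bindPassword@"
        user-DN-prefix="cn="
        user-DN-suffix=",ou=Users,dc=example,dc=com"
        user-context-DN="ou=Users,dc=example,dc=com"
        user-object-classes="person,user"/>

    <!-- Roles are read from, and edited in, the database. The user entity carries
         @UserPrincipal and @UserRoles, the role entity @RoleName; a user row with
         the same username as the directory entry must exist for role lookup. -->
    <security:jpa-identity-store name="jpaIdentityStore"
        entity-manager="#{entityManager}"
        user-class="com.example.security.UserAccount"
        role-class="com.example.security.UserRole"/>

    <!-- Authentication goes to LDAP; role queries and role administration go to JPA. -->
    <security:identity-manager
        identity-store="#{ldapIdentityStore}"
        role-identity-store="#{jpaIdentityStore}"/>

</components>

<!-- pages.xml: role-based page restriction needs no Drools rules. s:hasRole
     checks the roles the role-identity-store granted when the user logged in. -->
<pages xmlns="http://jboss.com/products/seam/pages">
    <page view-id="/admin/*" login-required="true">
        <restrict>#{s:hasRole('admin')}</restrict>
    </page>
</pages>
```

Two practical notes on this layout. First, the DEBUG output in the question shows that `org.jboss.seam.Component` prints every configured property of the store at startup, `bindCredentials` included, so in any environment where the log is not tightly controlled that logger category should run at INFO or higher; keeping the password out of components.xml does not keep it out of a DEBUG log. Second, `<restrict>` with `s:hasRole` is enough for the "restrict pages by role" case; the Drools-based permission resolver and the `@Permission*` entity annotations only come into play when you want per-object (ACL-style) permissions stored in the database, which is a separate feature from role checks.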