3 Replies Latest reply on Dec 8, 2010 8:56 AM by zenig.szimmerman.sunshineradiology.com

LdapIdentityStore and Security Authentication

zenig.szimmerman.sunshineradiology.com Dec 7, 2010 8:28 PM

I have implemented the LdapIdentityStore in my Seam application. When looking at the network traffic, I noticed that the username and password were being sent as plain text! After a lot of research on SPNEGO, Keberos, NTLM, JAAS, jCIFS and related topics, I came across SASL on this website: SASL. It seems that all I need to do is change:

env.setProperty(Context.SECURITY_AUTHENTICATION, "simple");

on line 392 of org.jboss.seam.security.management.LdapIdentityStore to:

env.setProperty(Context.SECURITY_AUTHENTICATION, "GSSAPI");

If I do this, I presume the protocol negotiation will be Kerberos (in my environment). If so, why is the SECURITY_AUTHENTICATION property hard-coded to "simple"? Is there a reason?

Can I simply extend the LdapIdentityStore to include an additional variable for the security authentication (with getters/setters) and override the initialiseContext(String principal, String credentials) method to use the variable instead? Or should I copy the LdapIdentityStore and create my own IdentityStore?

Example:

private String securityAuthentication = "simple";

protected final InitialLdapContext initialiseContext(String principal, String credentials)
    throws NamingException {
    ....
    env.setProperty(Context.SECURITY_AUTHENTICATION, securityAuthentication);
    ....
}

// securityAuthentication getters/setters (example is set value to "GSSAPI")

Here is some environment details:

Seam 2.2.1CR

Glassfish 2.1.1

Windows 2003 Active Directory (Kerberos should work)

Is this the easiest way to have secure security authentication with Active Directory? I am still left confused by the abundant protocols and pseudo protocols available (listed above)!

Thank you.
Shawn

1. Re: LdapIdentityStore and Security Authentication

shane.bryzak Dec 7, 2010 11:16 PM (in response to zenig.szimmerman.sunshineradiology.com)

It would probably be easiest to extend LdapIdentityStore to override initialiseContext(). If you raise a feature request in JIRA, we may get it into the next Seam 2.x branch release, however in Seam 3 the LDAP functionality has now been delegated to PicketLink IDM.
Actions
2. Re: LdapIdentityStore and Security Authentication

zenig.szimmerman.sunshineradiology.com Dec 8, 2010 8:19 AM (in response to zenig.szimmerman.sunshineradiology.com)

I looked into extending LdapIdentityStore however the initialiseContext(String, String) method is final and can't be overridden! I suppose I'll have to create a new IdentityStore for this reason.

Thanks.
Actions
3. Re: LdapIdentityStore and Security Authentication

zenig.szimmerman.sunshineradiology.com Dec 8, 2010 8:56 AM (in response to zenig.szimmerman.sunshineradiology.com)

Created an issue: JIRA JBSEAM-4740
Actions

Go to original post