Seam with ldap active directory and roles
squeaky Nov 9, 2011 12:10 PM

Hi,
I'm working on a seam 2.2.2 final app on jboss 5.1 that is trying to authenticate with AD. I eventually got authentication to work by making a custom identity store as suggested here: http://seamframework.org/Community/LdapIdentityStoreAndActiveDirectory which is great. What I need to do now is get access to the groups that the authenticated user is a member of for authorization purposes. Here's what I have so far:
components.xml:
<security:identity-manager name="identityManager"
                           identity-store="#{customLdapIdentityStore}"/>
<security:identity authenticate-method="#{authenticator.authenticate}" remember-me="true"/>
<security:remember-me mode="autoLogin"/>
<event type="org.jboss.seam.security.postAuthenticate">
    <action execute="#{authenticator.postAuthenticate}"/>
</event>
Authenticator.java:
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.management.IdentityManager;

@Name("authenticator")
public class Authenticator {

    @Logger
    private Log log;

    @In
    Identity identity;

    @In
    Credentials credentials;

    @In
    IdentityManager identityManager;

    // runs on org.jboss.seam.security.postAuthenticate (wired up in components.xml)
    public void postAuthenticate() {
        log.info("postauthenticating {0}", credentials.getUsername());
        try {
            log.debug("roles => " + identityManager.getImpliedRoles(identity.getCredentials().getUsername()));
        } catch (Exception e) {
            log.info("Authentication error: ", e.getCause());
        }
    }

    @SuppressWarnings("deprecation")
    public boolean authenticate() {
        log.info("authenticating {0}", credentials.getUsername());
        try {
            // authenticate against the custom LDAP identity store
            identityManager.authenticate(identity.getUsername(), identity.getPassword());
            // add a user to the context so it can be displayed
            // (User is the application's own class, not shown here; note that this
            // keeps the plaintext password in the HTTP session)
            User u = new User();
            u.setPassword(identity.getPassword());
            u.setUsername(identity.getUsername());
            Contexts.getSessionContext().set("authenticatedUser", u);
            return true;
        } catch (Exception e) {
            log.info("Authentication error: ", e.getCause());
            return false;
        }
    }
}
The idea here is that I look for membership in a specific group to determine their access level, which I can then store in the session for lookup on the various pages of the app.
CustomLdapIdentityStore.java:
import javax.annotation.PostConstruct;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.AutoCreate;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.Startup;

@Name("customLdapIdentityStore")
@Startup
@AutoCreate
@Scope(ScopeType.APPLICATION)
public class CustomLdapIdentityStore extends org.jboss.seam.security.management.LdapIdentityStore {

    private static final long serialVersionUID = -1250675501823301128L;

    @PostConstruct
    public void init() {
        // connection and the service account used for searches
        setServerAddress("server.company.ca");
        setServerPort(389);
        setBindDN("cn=admin_account,dc=company,dc=ca");
        setBindCredentials("password");

        // user lookup; users bind as sAMAccountName@company.ca (see getUserDN below)
        setUserContextDN("ou=DEPARTMENT,ou=CITY,ou=CANADA,dc=company,dc=ca");
        setUserDNPrefix("");
        setUserDNSuffix("company.ca");
        setUserObjectClasses(new String[] {"person", "user", "organizationalPerson"});
        setUserNameAttribute("sAMAccountName");
        setUserRoleAttribute("memberOf");

        // role lookup
        setRoleNameAttribute("distinguishedName");
        setRoleAttributeIsDN(false);
        setRoleContextDN("ou=COMPANY groups,dc=company,dc=ca");
        setRoleDNPrefix("distinguishedName=");
        setRoleDNSuffix(",ou=Company groups,dc=company,dc=ca");
        setRoleObjectClass(new String[] {"group"});
        setRoleNameAttribute("member"); // this second call overrides the "distinguishedName" value set above
    }

    // build a userPrincipalName-style bind name instead of a full DN
    @Override
    protected String getUserDN(String username) {
        return String.format("%s%s%s", getUserDNPrefix(), username, "@" + getUserDNSuffix());
    }
}
And the error I'm getting from the catch in postAuthenticate:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Which I know is a user not found error, but I can't figure out why. I suspect that I'm not understanding how to set the role stuff correctly. Can anyone shed some light on what I'm doing wrong?
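The two steps the post describes (verify the password by binding as the user, then read the user's group membership for authorization) can be done with plain JNDI, independently of Seam's LdapIdentityStore. The following is an added example written for this page; it is not the poster's code and not part of Seam. The server name, service-account DN, user base DN and UPN suffix are placeholders copied from the post, and the hard-coded service password stands in for a value read from configuration.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;

/**
 * Added example (not from the post or from Seam): AD authentication plus
 * group lookup with plain JNDI.
 *   1. bind as the user with a userPrincipalName (sAMAccountName@suffix) to verify the password
 *   2. bind as the service account and read the user's memberOf attribute for authorization
 * Server, DNs and suffix below are assumed placeholders taken from the post.
 */
public class AdGroupLookup {

    private static final String URL = "ldap://server.company.ca:389";
    private static final String SERVICE_DN = "cn=admin_account,dc=company,dc=ca";
    private static final String SERVICE_PASSWORD = "password"; // placeholder; load from config in practice
    private static final String USER_BASE = "ou=DEPARTMENT,ou=CITY,ou=CANADA,dc=company,dc=ca";
    private static final String UPN_SUFFIX = "company.ca";

    private static LdapContext bind(String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }

    /** Step 1: verify the password by binding as the user. */
    public static boolean authenticate(String sAMAccountName, String password) throws NamingException {
        // AD treats a simple bind with an empty password as an anonymous
        // (unauthenticated) bind that succeeds, so refuse it before binding.
        if (password == null || password.length() == 0) {
            return false;
        }
        try {
            LdapContext ctx = bind(sAMAccountName + "@" + UPN_SUFFIX, password);
            ctx.close();
            return true;
        } catch (AuthenticationException e) {
            // LDAP error 49; the "data NNN" field in the message says why
            // (525 = no such user, 52e = bad password)
            return false;
        }
    }

    /** Step 2: the user's direct group membership (memberOf), as group DNs. */
    public static List<String> memberOf(String sAMAccountName) throws NamingException {
        LdapContext ctx = bind(SERVICE_DN, SERVICE_PASSWORD);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf"});
            // {0} is escaped by JNDI, so the username cannot inject LDAP filter syntax
            NamingEnumeration<SearchResult> results = ctx.search(
                    USER_BASE, "(&(objectClass=user)(sAMAccountName={0}))",
                    new Object[] {sAMAccountName}, sc);
            List<String> groups = new ArrayList<String>();
            if (results.hasMore()) {
                Attribute attr = results.next().getAttributes().get("memberOf");
                if (attr != null) {
                    NamingEnumeration<?> values = attr.getAll();
                    while (values.hasMore()) {
                        groups.add(values.next().toString());
                    }
                }
            }
            return groups;
        } finally {
            ctx.close();
        }
    }

    /** Turn a group DN such as "CN=Admins,OU=COMPANY groups,DC=company,DC=ca" into the role name "Admins". */
    public static String roleName(String groupDn) throws NamingException {
        LdapName dn = new LdapName(groupDn);
        // LdapName indexes from the right, so the leftmost RDN (the CN) is the last one
        return dn.getRdn(dn.size() - 1).getValue().toString();
    }

    /** The access check the post wants: is the user a direct member of the named group? */
    public static boolean isMemberOf(String sAMAccountName, String groupName) throws NamingException {
        for (String dn : memberOf(sAMAccountName)) {
            if (roleName(dn).equalsIgnoreCase(groupName)) {
                return true;
            }
        }
        return false;
    }
}
```

Two caveats worth knowing when using memberOf for authorization: it lists only direct membership (nested groups and the user's primary group are not included, so a nested check needs either recursion or AD's LDAP_MATCHING_RULE_IN_CHAIN filter, OID 1.2.840.113556.1.4.1941), and group DNs are not reliable role identifiers if groups get renamed or moved, so compare on the CN or on a fixed attribute rather than the full DN.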