12 Replies Latest reply on Dec 12, 2010 11:15 AM by Robert Morse

    SSO and Seam Security

    Travis De Silva Newbie

      Hi,


      I just finished hacking a SSO solution using ntlm/jcifs (similar to what is outlined here)


      The biggest issue I have is that you need to activate a login method in seam (I activated identity.quietLogin()) The problem is that we don't get the password since we use NTLM HTTP Authentication.


      To solve this issue, I am tricking Seam by getting the bind DN and bind Credentials off the ldapIdentityStore, then doing the identity.quietLogin() and thereafter again setting the credentials.setUsername with the username obtained from NTLM. As you can see, this is not a very elegant way of doing it.


      For the moment this is ok but is there a more elegant way of doing this?


      Any pointers that you can direct me to get an understanding of the future seam security roadmap? I have checked the Jira project and I am  aware of JBSEAM-1032, JBSEAM-2890.


      There is talk about integrating with JBoss SSO, OpenSSO and a colleague of mine just pointed me to the JBossNegotiation project which provides SPNEGO support (I still need to do some more reading on this).


      Is there any vision kind of document on where seam security is going? I would like to get an understanding before deciding on any future course of action such as extending the seam classes etc.


      I notice that the forum has gone a bit silent on this subject for a while? Is there some glaring solution that I have missed?


      Travis

        • 1. Re: SSO and Seam Security
          Norman Richards Expert

          With the OpenID support, I've tried to make the security code SSO-friendly, meaning that all the functions you would need to implement an SSO login should be there.  Have you looked at the OpenID component?  I'll be more than happy to explain things, and of course, if we need some other functionality to make it work I can definitely add it because we would need it for our future SSO plans.


          • 2. Re: SSO and Seam Security
            David Honoré Newbie

            With Seam 2.0., what I call Enterpriser SSO (which mean never ask password in application an rely on third party application to provide authentication) is the hell to implement... I took one week to extend (understand 'rewrite') the Identity Component to support it, mainly because Seam 2.0 assume that if the password is not set, the user CAN't be authenticated ... (which if false).


            After a short look at Seam 2.1 I think this kind of authentication will be more easy by the replacement of password (String) ... by Credential (what you want supported by your authenticator).


            It is important to separate Identification (username ?) from autentification (is the user what it pretend to be) and authorization (which write a user have, provided by Jboss Rules (aka Drools)). The change between Seam 2.0 and 2.1 are a big step in this way.


            • 3. Re: SSO and Seam Security
              Norman Richards Expert

              With the current version of Seam it is easy to implement SSO, and you should not have to make any changes to Identity.  I was able to easily implement OpenID with it. My initial evaluations of possible SSO integration leads me believe that we are in a good position moving forward, but if we are lacking in anything then we definitely can improve that part of Seam.

              • 4. Re: SSO and Seam Security
                Travis De Silva Newbie

                Hi Norman,


                Thanks for your reply.


                OpenID is very interesting and looks good but is more suited for Internet (consumer) facing sites/systems right? What about enterprise/internal systems?


                For example, I work in a very large organization that uses Active Directory. One of the biggest issues currently our internal users have is that there are so many apps with so many different authentication credentials.


                Since I am introducing apps based on Seam to the organization, I want to enable SSO from day one. the ntlm/jcifs seem to be the only article/info out there with regard to SSO on seam.


                I am also confused/lack knowledge how the JBoss Negotiation project will impact seam. (we use the JBoss app server. So we are ok with a JBoss centric solution)


                Getting back to OpenId, if we are to implement SSO around it, we will need to first setup a openid provider such as OpenID-LDAP. This would be an unnecessary overhead right?


                Appreciate views from the community on how others maybe handling something like this. I am particularly interested in how to get seam to recognize that a user is authenticated from another source.

                • 5. Re: SSO and Seam Security
                  Travis De Silva Newbie

                  Hi David,


                  I am not sure how the shift to Credential in Seam 2.1 helps. Because within the Credential class, we will need to set the username/password. So aren't we back to square one? (unless of course I extend the identify class and implement my own..) I am trying to understand if there is a solution which can be implemented out of the box.



                  • 6. Re: SSO and Seam Security
                    David Honoré Newbie

                    I thinks it's possible to extends/overwrite Credential, and write your authenticator as it support it.


                    I think there is no more check for 'password' to be a not-empty String in the Identity component.

                    • 7. Re: SSO and Seam Security
                      Norman Richards Expert

                      Have you looked at the OpenID support to see how it is done there?

                      • 8. Re: SSO and Seam Security
                        Travis De Silva Newbie

                        Hi David,


                        Yes I can extend it but as mentioned wanted to know if there is an 'out of the box' solution in seam.


                        Hi Norman,


                        As mentioned to David, I was looking at an 'out of the box' solution before I decided to look deeper. Let me have a look at how OpenID does it. Maybe without really using OpenID, I can maybe pick on the concepts in there.


                        Thanks for both of you for your insights.


                         

                        • 9. Re: SSO and Seam Security
                          Norman Richards Expert

                          We plan to support more SSO options directly in the future, but the market is so fragmented that it's hard to know exactly which SSO solutions to target.  My goal in chosing OpenID first was to provide something that can be immediately useful to a lot of people and to make sure that we have all the support necessary for anyone to write an SSO integration component.  My hope is that people in the community who use a specific SSO solution would use that support to write integration components that could be shared with others and possibly integrated into Seam later.


                          I'm more than happy to provide support to anyone who is trying to do that.

                          • 10. Re: SSO and Seam Security
                            Travis De Silva Newbie

                            I agree with you 100%. I am just trying to get my head around what is the industry standard when it comes to SSO. Even within JBoss, you get so many different stuff going on. Federated SSO, JBossNegotiation project for SPNEGO support etc.


                            I guess my confusion is compounded by the fact that I may not know the difference of all these different projects and what each is trying to achieve. So on my part, I need to read up more on this.


                            I believe OpenID was a must have feature in Seam and great that you guys put that in. But OpenID is more for web consumer facing apps. (at least at this point in time). How can we leverage what is already widely used in the enterprise. Active directory might be a big part of what the enterprise use currently.(I am guessing!!) Then you have other commercial products like siteminder, netegrity etc. And we all in the seam community want more Seam adoption in the enterprise right!!


                            So what would be great is if Seam at a basic level provides functionality where a developer can code indicating that the app has been authenticated externally. For example, if I could set the username on the Credentials object and then set a flag on the Identity object indicating that authentication is ok, then that would meet the basic and I guess simple use case that most enterprise apps might want. If there are other use cases more advanced to this, then we can extend and implement it (as is the case now.)


                            For my use case, ideally what I would like to have is to configure SSO with active directory as a service on the JBoss app server and have my multiple Seam apps running on that app server be able to hook up with that service and everything works fine.


                            For example at present I can configure a JAAS service in the JBoss app server and then refer to that service in seam by configuring it in the components.xml descriptor file. But how does the SSO work in this case with a seam app. Maybe this is already there and I need to read up a bit more. Appreciate if there are any pointers in this regard.

                            • 11. Re: SSO and Seam Security
                              Ramkumar Pillai Newbie

                              any one please provide the link to integrate opendID SSO to SEAM web application.


                              thanks in Advance