3 Replies Latest reply on Dec 8, 2010 8:56 AM by Shawn Zimmerman

    LdapIdentityStore and Security Authentication

    Shawn Zimmerman Newbie

      I have implemented the LdapIdentityStore in my Seam application.  When looking at the network traffic, I noticed that the username and password were being sent as plain text!  After a lot of research on SPNEGO, Kerberos, NTLM, JAAS, jCIFS and related topics, I came across SASL on this website: SASL.  It seems that all I need to do is change:

      env.setProperty(Context.SECURITY_AUTHENTICATION, "simple");

      on line 392 of org.jboss.seam.security.management.LdapIdentityStore to:

      env.setProperty(Context.SECURITY_AUTHENTICATION, "GSSAPI");

      If I do this, I presume the protocol negotiation will be Kerberos (in my environment).  If so, why is the SECURITY_AUTHENTICATION property hard-coded to "simple"?  Is there a reason?


      Can I simply extend the LdapIdentityStore to include an additional variable for the security authentication (with getters/setters) and override the initialiseContext(String principal, String credentials) method to use the variable instead?  Or should I copy the LdapIdentityStore and create my own IdentityStore?


      Example:


      private String securityAuthentication = "simple";
      
      protected final InitialLdapContext initialiseContext(String principal, String credentials)
          throws NamingException {
          ....
          env.setProperty(Context.SECURITY_AUTHENTICATION, securityAuthentication);
          ....
      }
      
      // securityAuthentication getters/setters (example is set value to "GSSAPI")

      Here are some environment details:

      • Seam 2.2.1CR

      • Glassfish 2.1.1

      • Windows 2003 Active Directory (Kerberos should work)
      Is this the easiest way to have secure security authentication with Active Directory?  I am still left confused by the abundant protocols and pseudo protocols available (listed above)!


      Thank you.
      Shawn
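
As an added example (my own code, not Seam's LdapIdentityStore and not anything posted in this thread), here is a standalone JNDI helper that shows what actually has to be in place for the credentials to stay off the wire in clear text. Setting SECURITY_AUTHENTICATION to "GSSAPI" is only one part: the JDK LDAP provider takes the Kerberos identity from a JAAS Subject, so the context must be created inside a JAAS login that already holds a ticket, and SECURITY_PRINCIPAL/SECURITY_CREDENTIALS are not used for that bind. A "simple" bind is only acceptable once the connection is under TLS, which means either an ldaps:// URL or StartTLS negotiated before the bind; if the credentials are already in the environment when the context is constructed, JNDI binds immediately, before any TLS upgrade, which is exactly the plain-text exposure described above. The JAAS entry name SeamLdapClient and the "auth-conf" quality-of-protection setting are assumptions; the class uses only standard JDK classes.

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example, unrelated to Seam's LdapIdentityStore: opens a JNDI LDAP context
 * without ever sending the bind credentials in clear text.
 *
 *   "GSSAPI" - SASL/Kerberos bind. The ticket comes from a JAAS login
 *              (Krb5LoginModule); the LDAP bind carries a Kerberos token.
 *   "simple" - DN + password bind, performed only after the connection is
 *              protected by TLS (ldaps:// or a successful StartTLS).
 */
public final class SafeLdapBind {

    /** JAAS login entry name (assumption; must exist in the JAAS configuration). */
    private static final String JAAS_ENTRY = "SeamLdapClient";

    private SafeLdapBind() {}

    /** Base environment shared by both mechanisms; deliberately carries no credentials. */
    static Hashtable<String, Object> baseEnvironment(String providerUrl) {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        return env;
    }

    /** SASL/GSSAPI bind. The password is only used by the JAAS login against the KDC. */
    public static LdapContext bindGssapi(String providerUrl)
            throws LoginException, NamingException {
        final Hashtable<String, Object> env = baseEnvironment(providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Ask SASL for integrity and confidentiality on the LDAP session itself.
        env.put("javax.security.sasl.qop", "auth-conf");

        LoginContext login = new LoginContext(JAAS_ENTRY);
        login.login(); // obtains the Kerberos TGT as configured (ticket cache, keytab, ...)
        try {
            // The LDAP provider picks up the Kerberos credentials from this Subject.
            return Subject.doAs(login.getSubject(), new PrivilegedExceptionAction<LdapContext>() {
                public LdapContext run() throws NamingException {
                    return new InitialLdapContext(env, null);
                }
            });
        } catch (PrivilegedActionException e) {
            NamingException ne = new NamingException("GSSAPI bind failed");
            ne.setRootCause(e.getCause());
            throw ne;
        }
    }

    /** Simple bind that is only issued once the connection is under TLS. */
    public static LdapContext bindSimpleOverTls(String providerUrl, String dn, String password)
            throws NamingException, IOException {
        Hashtable<String, Object> env = baseEnvironment(providerUrl);
        // No credentials yet: with them present, JNDI would bind during construction,
        // i.e. before StartTLS, and the password would cross the network in clear text.
        env.put(Context.SECURITY_AUTHENTICATION, "none");
        LdapContext ctx = new InitialLdapContext(env, null);

        if (!providerUrl.toLowerCase().startsWith("ldaps://")) {
            // Plain ldap:// URL: upgrade the open connection with StartTLS first.
            StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            tls.negotiate(); // TLS handshake; the default implementation also verifies the host name
        }

        // Only now add the DN and password; they are sent inside the TLS session.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        ctx.reconnect(null); // re-binds with the updated environment
        return ctx;
    }

    /** Dispatcher in the spirit of the configurable securityAuthentication field above. */
    public static LdapContext open(String mechanism, String providerUrl, String dn, String password)
            throws NamingException, IOException, LoginException {
        if ("GSSAPI".equals(mechanism)) {
            return bindGssapi(providerUrl);
        }
        if ("simple".equals(mechanism)) {
            return bindSimpleOverTls(providerUrl, dn, password);
        }
        throw new IllegalArgumentException("unsupported mechanism: " + mechanism);
    }
}
```

For the GSSAPI path the JVM needs a JAAS configuration containing an entry with the assumed name, for example SeamLdapClient { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; }; passed via -Djava.security.auth.login.config, plus a reachable Kerberos realm configuration (-Djava.security.krb5.conf or the platform default). When the store is used to authenticate end users rather than a service account, the LoginContext has to be constructed with a CallbackHandler that supplies that user's name and password, so the password is consumed by the Kerberos exchange with the KDC and never reaches the LDAP connection.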