3 Replies Latest reply on Dec 8, 2010 8:56 AM by Shawn Zimmerman

    LdapIdentityStore and Security Authentication

    Shawn Zimmerman Newbie

      I have implemented the LdapIdentityStore in my Seam application.  When looking at the network traffic, I noticed that the username and password were being sent as plain text!  After a lot of research on SPNEGO, Kerberos, NTLM, JAAS, jCIFS and related topics, I came across SASL on this website: SASL.  It seems that all I need to do is change:

      env.setProperty(Context.SECURITY_AUTHENTICATION, "simple");

      on line 392 of org.jboss.seam.security.management.LdapIdentityStore to:

      env.setProperty(Context.SECURITY_AUTHENTICATION, "GSSAPI");

      If I do this, I presume the protocol negotiation will be Kerberos (in my environment).  If so, why is the SECURITY_AUTHENTICATION property hard-coded to "simple"?  Is there a reason?

      Can I simply extend the LdapIdentityStore to include an additional variable for the security authentication (with getters/setters) and override the initialiseContext(String principal, String credentials) method to use the variable instead?  Or should I copy the LdapIdentityStore and create my own IdentityStore?


      private String securityAuthentication = "simple";
      // needs javax.naming.Context, javax.naming.NamingException, javax.naming.ldap.InitialLdapContext, java.util.Properties
      protected final InitialLdapContext initialiseContext(String principal, String credentials)
          throws NamingException {
          Properties env = new Properties();
          env.setProperty(Context.SECURITY_AUTHENTICATION, securityAuthentication);
          // ... principal, credentials, provider URL and the remaining properties unchanged from LdapIdentityStore
          return new InitialLdapContext(env, null);
      }
      // securityAuthentication getters/setters (example is set value to "GSSAPI")

      Here are some environment details:

      • Seam 2.2.1CR

      • Glassfish 2.1.1

      • Windows 2003 Active Directory (Kerberos should work)

      Is this the easiest way to have secure security authentication with Active Directory?  I am still left confused by the abundant protocols and pseudo protocols available (listed above)!

      Thank you.
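As an added example (not from the post above and not Seam's own LdapIdentityStore code), this is what a GSSAPI bind looks like in plain JNDI and why switching the SECURITY_AUTHENTICATION property alone is not enough: the user's password has to be turned into a Kerberos ticket through JAAS first, since GSSAPI never passes a password to the LDAP server, and the SASL quality of protection has to be raised to auth-conf or only the bind, not the directory traffic that follows, is protected. Assumed: a JAAS entry named SeamLdapLogin using Krb5LoginModule (hypothetical name), a reachable KDC configured via krb5.conf, and a constructed provider URL.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public final class KerberosLdapBinder {
    // Hypothetical JAAS entry; the file named by -Djava.security.auth.login.config must contain e.g.
    //   SeamLdapLogin { com.sun.security.auth.module.Krb5LoginModule required; };
    private static final String JAAS_ENTRY = "SeamLdapLogin";

    /** JNDI environment for a GSSAPI bind. No SECURITY_PRINCIPAL/CREDENTIALS: the ticket in the Subject is used. */
    static Hashtable<String, String> gssapiEnv(String providerUrl) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // auth-conf negotiates the SASL security layer (integrity + encryption) for every later LDAP
        // operation; the default "auth" protects only the bind, so searches would still be sent in clear.
        env.put("javax.security.sasl.qop", "auth-conf");
        return env;
    }

    /** Verify user/password at the KDC via Krb5LoginModule, then bind to LDAP as that Subject. */
    static InitialLdapContext bind(final String providerUrl, final String user, final char[] password)
            throws LoginException, NamingException {
        LoginContext lc = new LoginContext(JAAS_ENTRY, new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        });
        lc.login(); // a wrong password fails here; the password itself is never sent over the network
        try {
            return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<InitialLdapContext>() {
                public InitialLdapContext run() throws NamingException {
                    return new InitialLdapContext(gssapiEnv(providerUrl), null);
                }
            });
        } catch (PrivilegedActionException e) {
            throw (NamingException) e.getException(); // run() declares only NamingException
        }
    }
}
```

A call such as `KerberosLdapBinder.bind("ldap://dc.example.test:389", "user@EXAMPLE.TEST", "secret".toCharArray())` (constructed values) replaces the simple bind the store performs today; the same approach applies to the service account the store uses for searches.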