0 Replies Latest reply on Nov 9, 2011 12:10 PM by squeaky

    Seam with ldap active directory and roles

    squeaky

      Hi,


      I'm working on a Seam 2.2.2.Final app on JBoss 5.1 that is trying to authenticate with AD. I eventually got authentication to work by making a custom identity store as suggested here: http://seamframework.org/Community/LdapIdentityStoreAndActiveDirectory which is great. What I need to do now is get access to the groups that the authenticated user is a member of for authorization purposes. Here's what I have so far:


      components.xml:


      <security:identity-manager name="identityManager"
                                 identity-store="#{customLdapIdentityStore}">
      </security:identity-manager>

      <security:identity authenticate-method="#{authenticator.authenticate}" remember-me="true"/>

      <security:remember-me mode="autoLogin"/>

      <event type="org.jboss.seam.security.postAuthenticate">
        <action execute="#{authenticator.postAuthenticate}"/>
      </event>



      Authenticator.java:


      import org.jboss.seam.annotations.In;
      import org.jboss.seam.annotations.Logger;
      import org.jboss.seam.annotations.Name;
      import org.jboss.seam.contexts.Contexts;
      import org.jboss.seam.log.Log;
      import org.jboss.seam.security.Credentials;
      import org.jboss.seam.security.Identity;
      import org.jboss.seam.security.management.IdentityManager;

      @Name("authenticator")
      public class Authenticator
      {
          @Logger private Log log;

          @In Identity identity;
          @In Credentials credentials;
          @In IdentityManager identityManager;

          // Wired to org.jboss.seam.security.postAuthenticate in components.xml.
          public void postAuthenticate()
          {
              log.info("postauthenticating {0}", credentials.getUsername());

              try {
                  // The role lookup is made by the identity store with its configured bind DN
                  // and bind credentials, not with the credentials the user just supplied.
                  log.debug("roles => " + identityManager.getImpliedRoles(identity.getCredentials().getUsername()));
              } catch (Exception e) {
                  log.info("Authentication error: ", e.getCause());
              }
          }

          @SuppressWarnings("deprecation")
          public boolean authenticate()
          {
              log.info("authenticating {0}", credentials.getUsername());

              try {
                  // Bind against AD as the user; a rejected bind comes back as false.
                  if (!identityManager.authenticate(identity.getUsername(), identity.getPassword())) {
                      return false;
                  }

                  // Add a user to the session context so it can be displayed
                  // (User is the application's own class, not shown here).
                  // Note: this keeps the clear-text password in the HTTP session for its whole lifetime.
                  User u = new User();
                  u.setPassword(identity.getPassword());
                  u.setUsername(identity.getUsername());

                  Contexts.getSessionContext().set("authenticatedUser", u);

                  return true;
              } catch (Exception e) {
                  log.info("Authentication error: ", e.getCause());
                  return false;
              }
          }
      }



      The idea here is I go look for membership in a specific group to determine their access level, which I can then store in the session for lookup on the various pages of the app.


      CustomLdapIdentityStore.java:


      import javax.annotation.PostConstruct;

      import org.jboss.seam.ScopeType;
      import org.jboss.seam.annotations.AutoCreate;
      import org.jboss.seam.annotations.Name;
      import org.jboss.seam.annotations.Scope;
      import org.jboss.seam.annotations.Startup;

      @Name("customLdapIdentityStore")
      @Startup
      @AutoCreate
      @Scope(ScopeType.APPLICATION)
      public class CustomLdapIdentityStore extends org.jboss.seam.security.management.LdapIdentityStore
      {
          private static final long serialVersionUID = -1250675501823301128L;

          @PostConstruct
          public void init()
          {
              // Service account the store binds with for searches and role lookups;
              // the user's own credentials are only used by authenticate().
              // The clear-text service-account password is hard-coded in the class.
              setServerAddress("server.company.ca");
              setServerPort(389);
              setBindDN("cn=admin_account,dc=company,dc=ca");
              setBindCredentials("password");

              // User lookup; getUserDN() below turns prefix + username + suffix into a UPN.
              setUserContextDN("ou=DEPARTMENT,ou=CITY,ou=CANADA,dc=company,dc=ca");
              setUserDNPrefix("");
              setUserDNSuffix("company.ca");
              setUserObjectClasses(new String[]{"person", "user", "organizationalPerson"});
              setUserNameAttribute("sAMAccountName");

              // Role lookup
              setUserRoleAttribute("memberOf");
              setRoleNameAttribute("distinguishedName");
              setRoleAttributeIsDN(false);

              setRoleContextDN("ou=COMPANY groups,dc=company,dc=ca");
              setRoleDNPrefix("distinguishedName=");
              setRoleDNSuffix(",ou=Company groups,dc=company,dc=ca");
              setRoleObjectClass(new String[]{"group"});
              // This second call replaces the "distinguishedName" value set above; only "member" is in effect.
              setRoleNameAttribute("member");
          }

          @Override
          protected String getUserDN(String username)
          {
              // Builds "username@company.ca" (a userPrincipalName) rather than a full distinguished name,
              // which is what AD accepts for the user's simple bind.
              return String.format("%s%s%s", getUserDNPrefix(), username, "@" + getUserDNSuffix());
          }
      }



      And the error I'm getting from the catch in postAuthenticate:


      javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece



      Which I know is a user not found error, but I can't figure out why. I suspect that I'm not understanding how to set the role stuff correctly. Can anyone shed some light on what I'm doing wrong?
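A small JNDI check, added here as an example and not part of the original post or of Seam, that makes the two simple binds LdapIdentityStore makes (the user's UPN from getUserDN() in authenticate(), the configured bind DN in getImpliedRoles()) and decodes the "data NNN" sub-code AD puts behind "error code 49", so you can see which of the two credentials the directory is rejecting. The class name, the argument order and the LDAP URL are assumptions; the sub-code meanings are Microsoft's documented AcceptSecurityContext values.

```java
import java.util.*;
import java.util.regex.*;
import javax.naming.*;
import javax.naming.ldap.InitialLdapContext;

/** Hypothetical diagnostic; not part of the Seam app or of LdapIdentityStore. */
public class AdBindCheck {
    // "data NNN" sub-codes AD appends to an error-49 AcceptSecurityContext message.
    private static final Pattern DATA_CODE = Pattern.compile("data ([0-9a-fA-F]+)");
    private static final Map<String, String> SUB_CODES = new HashMap<String, String>();
    static {
        SUB_CODES.put("525", "principal not found (DN/UPN wrong; the password was never checked)");
        SUB_CODES.put("52e", "principal found, password wrong");
        SUB_CODES.put("532", "password expired");
        SUB_CODES.put("533", "account disabled");
        SUB_CODES.put("773", "user must reset password");
        SUB_CODES.put("775", "account locked out");
    }

    /** Turns an AuthenticationException message into a one-line diagnosis. */
    static String describe(String ldapMessage) {
        Matcher m = DATA_CODE.matcher(ldapMessage == null ? "" : ldapMessage);
        if (!m.find()) return "bind rejected, no AD sub-code in message";
        String code = m.group(1).toLowerCase();
        return code + ": " + (SUB_CODES.containsKey(code) ? SUB_CODES.get(code) : "unknown sub-code");
    }

    /** One simple bind, set up the way LdapIdentityStore sets up its JNDI environment. */
    static String tryBind(String url, String principal, String password) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialLdapContext(env, null).close();
            return "OK";
        } catch (AuthenticationException e) {
            return describe(e.getMessage());
        } catch (NamingException e) {
            return "connection or naming failure: " + e.getMessage();
        }
    }
    public static void main(String[] args) {
        // Assumed argument order: ldap://host:389 user@company.ca userPassword bindDN bindPassword
        System.out.println("user bind (authenticate):       " + tryBind(args[0], args[1], args[2]));
        System.out.println("service bind (getImpliedRoles): " + tryBind(args[0], args[3], args[4]));
    }
}
```

An empty password makes JNDI perform an anonymous bind, which AD reports as success, so always pass a real password when checking a credential.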