Seam with ldap active directory and roles
squeaky Nov 9, 2011 12:10 PM

Hi,
I'm working on a Seam 2.2.2 final app on JBoss 5.1 that is trying to authenticate with AD. I eventually got authentication to work by making a custom identity store as suggested here: http://seamframework.org/Community/LdapIdentityStoreAndActiveDirectory which is great. What I need to do now is get access to the groups that the authenticated user is a member of for authorization purposes. Here's what I have so far:
components.xml:

    <security:identity-manager name="identityManager"
        identity-store="#{customLdapIdentityStore}" >
    </security:identity-manager>
    <security:identity authenticate-method="#{authenticator.authenticate}" remember-me="true"/>
    <security:remember-me mode="autoLogin"/>
    <event type="org.jboss.seam.security.postAuthenticate">
        <action execute="#{authenticator.postAuthenticate}"/>
    </event>

Authenticator.java:
    import org.jboss.seam.annotations.In;
    import org.jboss.seam.annotations.Logger;
    import org.jboss.seam.annotations.Name;
    import org.jboss.seam.contexts.Contexts;
    import org.jboss.seam.log.Log;
    import org.jboss.seam.security.Credentials;
    import org.jboss.seam.security.Identity;
    import org.jboss.seam.security.management.IdentityManager;

    @Name("authenticator")
    public class Authenticator
    {
        @Logger private Log log;
        @In Identity identity;
        @In Credentials credentials;
        @In IdentityManager identityManager;

        public void postAuthenticate()
        {
            log.info("postauthenticating {0}", credentials.getUsername());
            try {
                log.debug("roles => " + identityManager.getImpliedRoles(credentials.getUsername()));
            } catch (Exception e) {
                // log the exception itself so the full trace is kept; getCause() is often null here
                log.info("Authentication error: ", e);
            }
        }

        public boolean authenticate()
        {
            log.info("authenticating {0}", credentials.getUsername());
            try {
                // authenticate against the identity store; a false return means bad credentials
                if (!identityManager.authenticate(credentials.getUsername(), credentials.getPassword())) {
                    return false;
                }
                // add a user to the context so it can be displayed
                // (User is the application's own class, not shown in the post)
                User u = new User();
                // note: this keeps the plaintext password in the session; the username alone is enough for display
                u.setPassword(credentials.getPassword());
                u.setUsername(credentials.getUsername());
                Contexts.getSessionContext().set("authenticatedUser", u);
                return true;
            } catch (Exception e) {
                log.info("Authentication error: ", e);
                return false;
            }
        }
    }

The idea here is that I go look for membership in a specific group to determine their access level, which I can then store in the session for lookup on the various pages of the app.
CustomLdapIdentityStore.java:

    import javax.annotation.PostConstruct;
    import org.jboss.seam.ScopeType;
    import org.jboss.seam.annotations.AutoCreate;
    import org.jboss.seam.annotations.Name;
    import org.jboss.seam.annotations.Scope;
    import org.jboss.seam.annotations.Startup;
    import org.jboss.seam.security.management.LdapIdentityStore;

    @Name("customLdapIdentityStore")
    @Startup
    @AutoCreate
    @Scope(ScopeType.APPLICATION)
    public class CustomLdapIdentityStore extends LdapIdentityStore {
        private static final long serialVersionUID = -1250675501823301128L;

        @PostConstruct
        public void init() {
            // connection and service-account bind
            setServerAddress("server.company.ca");
            setServerPort(389);
            setBindDN("cn=admin_account,dc=company,dc=ca");
            setBindCredentials("password");
            // user lookup: empty prefix plus "@company.ca" suffix forms a UPN in getUserDN() below
            setUserContextDN("ou=DEPARTMENT,ou=CITY,ou=CANADA,dc=company,dc=ca");
            setUserDNPrefix("");
            setUserDNSuffix("company.ca");
            setUserObjectClasses(new String[]{"person", "user", "organizationalPerson"});
            setUserNameAttribute("sAMAccountName");
            setUserRoleAttribute("memberOf");
            setRoleNameAttribute("distinguishedName");
            setRoleAttributeIsDN(false);
            // role lookup
            setRoleContextDN("ou=COMPANY groups,dc=company,dc=ca");
            setRoleDNPrefix("distinguishedName=");
            setRoleDNSuffix(",ou=Company groups,dc=company,dc=ca");
            setRoleObjectClass(new String[]{"group"});
            // note: this second call overwrites the "distinguishedName" value set a few lines above
            setRoleNameAttribute("member");
        }

        @Override
        protected String getUserDN(String username)
        {
            return String.format("%s%s%s", getUserDNPrefix(), username, "@" + getUserDNSuffix());
        }
    }

And the error I'm getting from the catch in postAuthenticate:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Which I know is a user not found error, but I can't figure out why. I suspect that I'm not understanding how to set the role stuff correctly. Can anyone shed some light on what I'm doing wrong?
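Added example, not the poster's code and not Seam's LdapIdentityStore: a plain JNDI version of the two operations the post needs, a UPN bind that checks the user's own credentials and a separate service-account bind that searches for the user's entry and reads memberOf. The two binds are kept as separate steps so that a "data 525" inside an LDAP error 49 can be attributed to the DN that actually failed to resolve (the user's UPN or the service account's bind DN), and describeAdFailure decodes the sub-codes AD appends to error 49. The host, UPN suffix, user base DN and password are placeholders copied from the post; the service-account DN with its cn=Users container is an assumption, as is the class name AdGroupLookup.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

// Added example, not Seam's LdapIdentityStore and not the poster's code.
// Every connection and DN value below is a placeholder modelled on the post.
public class AdGroupLookup {

    private static final String LDAP_URL = "ldap://server.company.ca:389";
    private static final String UPN_SUFFIX = "company.ca";
    private static final String USER_BASE_DN = "ou=DEPARTMENT,ou=CITY,ou=CANADA,dc=company,dc=ca";
    // Assumed: the service account sits in the default Users container.
    private static final String SERVICE_BIND_DN = "cn=admin_account,cn=Users,dc=company,dc=ca";
    private static final String SERVICE_BIND_PASSWORD = "password";

    // Sub-codes that AD appends as "data NNN" to an LDAP error 49 (invalid credentials).
    private static final String[][] AD_DATA_CODES = {
        {"525", "user not found: the DN or UPN used for the bind does not resolve"},
        {"52e", "invalid credentials"}, {"530", "not permitted to log on at this time"},
        {"531", "not permitted to log on at this workstation"}, {"532", "password expired"},
        {"533", "account disabled"}, {"701", "account expired"},
        {"773", "user must reset password"}, {"775", "account locked out"}};

    static String describeAdFailure(String message) {
        Matcher m = Pattern.compile("data ([0-9a-fA-F]+)").matcher(message == null ? "" : message);
        if (!m.find()) {
            return "no AD sub-code in message";
        }
        for (String[] row : AD_DATA_CODES) {
            if (row[0].equalsIgnoreCase(m.group(1))) {
                return row[1];
            }
        }
        return "unrecognised AD sub-code " + m.group(1);
    }

    // Simple bind as the given principal; the caller closes the returned context.
    private static LdapContext bind(String principal, String password) throws NamingException {
        if (password == null || password.length() == 0) {
            // An empty password turns a simple bind into an anonymous bind, which the server
            // may accept without checking anything, so it must never count as a login.
            throw new AuthenticationException("empty password rejected before bind");
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }

    // Step 1: check the user's own credentials with a UPN bind (sAMAccountName@suffix),
    // the same form the post's getUserDN() override produces.
    static boolean authenticate(String samAccountName, String password) throws NamingException {
        LdapContext ctx = null;
        try {
            ctx = bind(samAccountName + "@" + UPN_SUFFIX, password);
            return true;
        } catch (AuthenticationException e) {
            System.err.println("user bind failed: " + describeAdFailure(e.getMessage()));
            return false;
        } finally {
            closeQuietly(ctx);
        }
    }

    // Step 2: bind as the service account, locate the user's entry and return its memberOf DNs.
    // The filter is parameterised with {0} so the username cannot change the filter's syntax.
    // memberOf omits the primary group and nested (indirect) memberships.
    static List<String> groupsOf(String samAccountName) throws NamingException {
        List<String> groups = new ArrayList<String>();
        LdapContext ctx;
        try {
            ctx = bind(SERVICE_BIND_DN, SERVICE_BIND_PASSWORD);
        } catch (AuthenticationException e) {
            // A 525 raised here belongs to SERVICE_BIND_DN, not to the user being looked up.
            throw new NamingException("service-account bind failed: " + describeAdFailure(e.getMessage()));
        }
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf"});
            NamingEnumeration<SearchResult> results = ctx.search(USER_BASE_DN,
                "(&(objectClass=user)(sAMAccountName={0}))", new Object[] {samAccountName}, sc);
            while (results.hasMore()) {
                Attribute memberOf = results.next().getAttributes().get("memberOf");
                for (int i = 0; memberOf != null && i < memberOf.size(); i++) {
                    groups.add((String) memberOf.get(i));
                }
            }
        } finally {
            closeQuietly(ctx);
        }
        return groups;
    }

    private static void closeQuietly(LdapContext ctx) {
        if (ctx != null) {
            try { ctx.close(); } catch (NamingException ignored) { }
        }
    }
}
```

Call authenticate(username, password) first and only then groupsOf(username); compare the returned DNs to the target group's DN case-insensitively, since AD does not preserve a consistent case in memberOf values. If groupsOf throws with a "user not found" description while authenticate succeeded for the same user, the DN that does not resolve is the service account's, not the user's.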