JAAS: LDAP/ActiveDirectory authentication on webapp and thick client / Swing
jmsjr, Jan 22, 2014 10:14 AM (JBoss AS 7.2)
First of all, I already have an existing webapp that asks users to authenticate via Active Directory / LDAP. I have the following in my standalone-ha.xml (with some of the module options replaced with x.x.x.x and yyyyyy for privacy reasons):
<security-domain name="ldap">
    <authentication>
        <login-module code="LdapExtended" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://x.x.x.x:yyyy"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="CN=yyyy,OU=yyyy,DC=yyy,DC=yyy"/>
            <module-option name="bindCredential" value="xxxxxxx"/>
            <module-option name="baseCtxDN" value="DC=yyy,DC=yyy"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="rolesCtxDN" value="DC=aas,DC=priv"/>
            <module-option name="roleFilter" value="(sAMAccountName={0})"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleNameAttributeID" value="CN"/>
        </login-module>
    </authentication>
</security-domain>
And in WEB-INF/jboss-web.xml, I then reference this security domain:
<jboss-web>
    <!-- This is the name of the <security-domain> in standalone.xml / standalone-ha.xml -->
    <security-domain>java:/jaas/ldap</security-domain>
    <security-role>
        <description>Map web role names to LDAP role / principal names</description>
        <!-- the role name appearing in the standard web.xml dd -->
        <role-name>INSURANCE_CONFIG_ROLE</role-name>
        <!-- the existing role in your credential repo -->
        <principal-name>CN=xxxxx,OU=Ixxxxx,OU=xxx,OU=xxxx,OU=xxx,DC=xxx,DC=xxx</principal-name>
    </security-role>
</jboss-web>
The resources are then protected in WEB-INF/web.xml, whereby only the users that have the LDAP role identified in the <principal-name> in WEB-INF/jboss-web.xml will be allowed access. The username and password are asked for by the browser using <auth-method>BASIC</auth-method> instead of <auth-method>FORM</auth-method>.
That's all fine and dandy.
1) My first question is ....
I have thick EJB clients using Swing, and I would like the users to be authenticated using the security domains defined in the profile's xml file (standalone.xml / standalone-ha.xml / domain.xml). I would then like to use JAAS to authenticate the users, where users enter their username and password in a Swing dialog box. From the looks of it, the <security-domains> are the equivalent of a JAAS javax.security.auth.login.Configuration ... but how can I have a JAAS javax.security.auth.login.Configuration that basically reads from standalone.xml / standalone-ha.xml / domain.xml's <security-domain>?
e.g. Can the <security-domains> be obtained via a JNDI lookup and returned as a Configuration ... so that I can use this Configuration in code that I will write that uses a JAAS LoginContext?
(The <security-domain> entry in jboss-web.xml looks like a JNDI name)
e.g.:
    public LoginContext(String name, Subject subject,
                        CallbackHandler callbackHandler,
                        Configuration config)
.. where Configuration is taken from the security-domains??
Note that the authentication that I am referring to / wanting to do is
- *NOT* the authentication on the JNDI / EJB lookup and is
- *NOT* the declarative security with EJB3.
2) My second question is ....
How can I have desktop SSO for both webapp and thick client? That is, authentication is already done via the desktop (Windows network login/password) so use that .. but have another mechanism to authorise the users if
For a webapp, I think it is covered basically by the following
I still have to figure out what the values in the module properties should be, but can this desktop SSO also be used if JBoss EAP will be running on a Linux host??
Also, assuming all desktop SSO works as documented above, and assuming that I have the correct values for the various module options ... For a thick client, I would still want to obtain these security-domains from the standalone.xml / domain.xml ... which goes back to the first question .. how do I obtain it?
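Added example (not from the post, and not JBoss or PicketBox code): a client-side JAAS Configuration whose "ldap" entry carries the same module-option names as the standalone-ha.xml snippet above, driven from a LoginContext with a CallbackHandler in place of the Swing dialog. It assumes the server's "LdapExtended" code resolves to PicketBox's org.jboss.security.auth.spi.LdapExtLoginModule and that this jar is on the client classpath; all LDAP hosts, DNs and credentials are placeholders.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
/** Client-side JAAS Configuration that mirrors a server <security-domain> entry. */
public class LdapDomainConfig extends Configuration {
    // Assumption: server module code "LdapExtended" is PicketBox's LdapExtLoginModule (jar on the client classpath)
    static final String LDAP_EXT_MODULE = "org.jboss.security.auth.spi.LdapExtLoginModule";
    private final Map<String, AppConfigurationEntry[]> domains = new HashMap<>();
    /** Registers one domain; options are the module-option name/value pairs, with flag "required". */
    public void addDomain(String name, Map<String, ?> options) {
        AppConfigurationEntry entry = new AppConfigurationEntry(
            LDAP_EXT_MODULE, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
        domains.put(name, new AppConfigurationEntry[] { entry });
    }
    @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return domains.get(name);
    }
    /** Feeds the username/password gathered by the Swing dialog to the login module's callbacks. */
    static CallbackHandler credentials(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }
    public static void main(String[] args) throws LoginException {
        String[][] serverOptions = {   // same option names as the standalone-ha.xml domain; placeholder values
            {"java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory"},
            {"java.naming.provider.url", "ldap://ldap.example.test:389"},
            {"java.naming.security.authentication", "simple"},
            // bindDN/bindCredential would ship with every desktop install: that is the exposure to weigh
            {"bindDN", "CN=placeholder,DC=example,DC=test"}, {"bindCredential", "PLACEHOLDER"},
            {"baseCtxDN", "DC=example,DC=test"}, {"baseFilter", "(sAMAccountName={0})"},
            {"rolesCtxDN", "DC=example,DC=test"}, {"roleFilter", "(sAMAccountName={0})"},
            {"roleAttributeID", "memberOf"}, {"roleNameAttributeID", "CN"}};
        Map<String, String> opts = new HashMap<>();
        for (String[] kv : serverOptions) opts.put(kv[0], kv[1]);
        LdapDomainConfig config = new LdapDomainConfig();
        config.addDomain("ldap", opts);
        char[] pw = args[1].toCharArray();   // in the real client this comes from the Swing dialog
        LoginContext lc = new LoginContext("ldap", new Subject(), credentials(args[0], pw), config);
        lc.login();                          // module binds as bindDN to find the user, then binds as the user
        System.out.println("Principals: " + lc.getSubject().getPrincipals());
        Arrays.fill(pw, '\0');               // scrub the password once the module has used it
        lc.logout();
    }
}
```

This duplicates the domain's options on the client rather than fetching them from the running server, so the bindDN and bindCredential end up on every desktop and each client needs direct LDAP reachability; letting the server perform the LDAP authentication keeps that credential in one place.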