1 Reply Latest reply on Jan 22, 2014 9:24 PM by jmsjr

    JAAS: LDAP/ActiveDirectory authentication on webapp and thick client / Swing

    jmsjr Newbie

      JBoss AS 7.2

       

      First of all, I alraedy have an existing webapp that asks users to authenticate via Active Directory / LDAP. I have the following in my standalone-ha.xml ( with some of the module options replaced with x.x.x.x and yyyyyy for privacy reasons ):

       

                      <security-domain name="ldap">

                          <authentication>

                              <login-module code="LdapExtended" flag="required">

                                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>

                                  <module-option name="java.naming.provider.url" value="ldap://x.x.x.x:yyyy"/>

                                  <module-option name="java.naming.security.authentication" value="simple"/>

                                  <module-option name="bindDN" value="CN=yyyy,OU=yyyy,DC=yyy,DC=yyy"/>

                                  <module-option name="bindCredential" value="xxxxxxx"/>

                                  <module-option name="baseCtxDN" value="DC=yyy,DC=yyy"/>

                                  <module-option name="baseFilter" value="(sAMAccountName={0})"/>

                                  <module-option name="rolesCtxDN" value="DC=aas,DC=priv"/>

                                  <module-option name="roleFilter" value="(sAMAccountName={0})"/>

                                  <module-option name="roleAttributeID" value="memberOf"/>

                                  <module-option name="roleNameAttributeID" value="CN"/>

                              </login-module>

                          </authentication>

                      </security-domain>

       

      And in WEB-INF/jboss-web.xml, I then reference this security domain:

       

      <jboss-web>

          <security-domain>java:/jaas/ldap</security-domain><!-- This is the name of the %lt;security-domain&gt; in standalone.xml / standalone-ha.xml -->

          <security-role>

              <description>Map web role names to LDAP role / principal names</description>

              <role-name>INSURANCE_CONFIG_ROLE</role-name><!-- the role name appearing in the standard web.xml dd  -->

              <principal-name>CN=xxxxx,OU=Ixxxxx,OU=xxx,OU=xxxx,OU=xxx,DC=xxx,DC=xxx</principal-name><!-- the existing role in your credential repo -->

          </security-role>

      </jboss-web>

       

      The resources are then protected in WEB-INF/web.xml whereby only the users that belong to the has the LDAP role identified in the <principal-name> in WEB-INF/boss-web.xml will be allowed access. The username and password is asked by the browser using <auth-method>BASIC</auth-method> instead of <auth-method>FORM</auth-method>.


      That's all fine and dandy.

       

       

      1) My first question is ....

       

      I have a thick EJB clients using Swing, and I would like the users to be authenticated using the defined security-domains in the profile's xml file ( standalone.xml  / standalone-ha.xml / domain.xml ). I would then like to use JAAS to authenticated the users where users enter their username and password in a Swing dialog box. From the looks of it, the <security-domains> are the equivalent of a JAAS javax.security.auth.login.Configuration ... but how can I have a JAAS javax.security.auth.login.Configuration that basically read from standalone.xml / standalone-ha.xml / domain.xml's <security-domain> ?

      e.g. Can the <security-domains> be obtained via JNDI lookup and returned as a Configuration ... so that I can use this Configuration into a code that I will write that uses JAAS LoginContext ?


      ( The <security-domain> entry in jboss-web.xml looks like a JNDI name )


      e.g.:


      public LoginContext(String name, Subject subject,

                              CallbackHandler callbackHandler,

                              Configuration config)


      .. where Configuration is taken from the security-domains ??


      Note that the authentication that I am referring to / wanting to do is

      • *NOT* the authentication on the JNDI / EJB lookup and is
      • *NOT* the declarative security with EJB3.



      2) My second question is ....


      How can I have desktop SSO for both webapp and thick client ? That is, authentication is already done via the desktop ( Windows network login/password ) so use that .. but have another mechanism to authorise the users if

      For a webapp, I think it is covered basically by the following


      https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Security_Guide/index.html#About_SPNEGO


      I still have to figure out what the values in the module properties should be, but can this desktop SSO be also used if JBoss EAP will be running on a linux host ??

      Also, assuming all desktop SSO works as per documented above, and assuming that I have the correct values for the various module options ... For a thick-client, I would still want to obtain these security-domains from the standalone.xml / domain.xml  ... which goes back to the first question .. how do I obtain it ?



        • 1. Re: JAAS: LDAP/ActiveDirectory authentication on webapp and thick client / Swing
          jmsjr Newbie

          Never mind ... Was thinking about it in a too much complicated way.

           

          The actual names of the security domains in standalone-*xml / domain.xml are already available as a name entry in the Configuration. That is, the Configuration is already set when used within the container.

          So in my example above, where I have:

           

          <security-domain name="ldap">

           

          .. all that is needed was to reference the name of the security domain in the LoginContext constructor ... e.g.:

           

          UsernamePasswordHandler usernamePasswordHandler = new UsernamePasswordHandler(principal, credential);

          LoginContext loginContext = new LoginContext("ldap", usernamePasswordHandler);

           

          ... and it all works.

           

          Also, JNDI lookup via

           

          InitialContext.lookup( "java:/jaas/ldap" );

           

          does not work, despite it looking like a JNDI entry in jboss-web.xml