1 Reply Latest reply on Jan 22, 2014 9:24 PM by jmsjr

    JAAS: LDAP/ActiveDirectory authentication on webapp and thick client / Swing

    jmsjr Newbie

      JBoss AS 7.2


      First of all, I already have an existing webapp that asks users to authenticate via Active Directory / LDAP. I have the following in my standalone-ha.xml ( with some of the module options replaced with x.x.x.x and yyyyyy for privacy reasons ):


                      <security-domain name="ldap">
                          <authentication>
                              <login-module code="LdapExtended" flag="required">
                                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                                  <module-option name="java.naming.provider.url" value="ldap://x.x.x.x:yyyy"/>
                                  <module-option name="java.naming.security.authentication" value="simple"/>
                                  <module-option name="bindDN" value="CN=yyyy,OU=yyyy,DC=yyy,DC=yyy"/>
                                  <module-option name="bindCredential" value="xxxxxxx"/>
                                  <module-option name="baseCtxDN" value="DC=yyy,DC=yyy"/>
                                  <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                                  <module-option name="rolesCtxDN" value="DC=aas,DC=priv"/>
                                  <module-option name="roleFilter" value="(sAMAccountName={0})"/>
                                  <module-option name="roleAttributeID" value="memberOf"/>
                                  <module-option name="roleNameAttributeID" value="CN"/>
                              </login-module>
                          </authentication>
                      </security-domain>





      And in WEB-INF/jboss-web.xml, I then reference this security domain:



          <jboss-web>
              <security-domain>java:/jaas/ldap</security-domain><!-- This is the name of the &lt;security-domain&gt; in standalone.xml / standalone-ha.xml -->
              <security-role>
                  <description>Map web role names to LDAP role / principal names</description>
                  <role-name>INSURANCE_CONFIG_ROLE</role-name><!-- the role name appearing in the standard web.xml dd  -->
                  <principal-name>CN=xxxxx,OU=Ixxxxx,OU=xxx,OU=xxxx,OU=xxx,DC=xxx,DC=xxx</principal-name><!-- the existing role in your credential repo -->
              </security-role>
          </jboss-web>




      The resources are then protected in WEB-INF/web.xml whereby only the users that have the LDAP role identified in the <principal-name> in WEB-INF/jboss-web.xml will be allowed access. The username and password are asked for by the browser using <auth-method>BASIC</auth-method> instead of <auth-method>FORM</auth-method>.

      That's all fine and dandy.



      1) My first question is ....


      I have thick EJB clients using Swing, and I would like the users to be authenticated using the defined security-domains in the profile's xml file ( standalone.xml / standalone-ha.xml / domain.xml ). I would then like to use JAAS to authenticate the users, where users enter their username and password in a Swing dialog box. From the looks of it, the <security-domains> are the equivalent of a JAAS javax.security.auth.login.Configuration ... but how can I have a JAAS javax.security.auth.login.Configuration that basically reads from standalone.xml / standalone-ha.xml / domain.xml's <security-domain> ?

      e.g. Can the <security-domains> be obtained via JNDI lookup and returned as a Configuration ... so that I can use this Configuration in code that I will write that uses the JAAS LoginContext ?

      ( The <security-domain> entry in jboss-web.xml looks like a JNDI name )


      public LoginContext(String name, Subject subject,
                          CallbackHandler callbackHandler,
                          Configuration config)

      .. where Configuration is taken from the security-domains ??

      Note that the authentication that I am referring to / wanting to do is

      • *NOT* the authentication on the JNDI / EJB lookup and is
      • *NOT* the declarative security with EJB3.

      2) My second question is ....

      How can I have desktop SSO for both webapp and thick client ? That is, authentication is already done via the desktop ( Windows network login/password ) so use that .. but have another mechanism to authorise the users if

      For a webapp, I think it is covered basically by the following


      I still have to figure out what the values in the module properties should be, but can this desktop SSO be also used if JBoss EAP will be running on a linux host ??

      Also, assuming all desktop SSO works as per documented above, and assuming that I have the correct values for the various module options ... For a thick-client, I would still want to obtain these security-domains from the standalone.xml / domain.xml  ... which goes back to the first question .. how do I obtain it ?

        • 1. Re: JAAS: LDAP/ActiveDirectory authentication on webapp and thick client / Swing
          jmsjr Newbie

          Never mind ... Was thinking about it in too complicated a way.


          The actual names of the security domains in standalone-*.xml / domain.xml are already available as a name entry in the Configuration. That is, the Configuration is already set when used within the container.

          So in my example above, where I have:


          <security-domain name="ldap">


          .. all that is needed was to reference the name of the security domain in the LoginContext constructor ... e.g.:


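          import javax.security.auth.login.LoginContext;
          import org.jboss.security.auth.callback.UsernamePasswordHandler;
          UsernamePasswordHandler usernamePasswordHandler = new UsernamePasswordHandler(principal, credential);
          LoginContext loginContext = new LoginContext("ldap", usernamePasswordHandler);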


          ... and it all works.


          Also, JNDI lookup via


          new InitialContext().lookup( "java:/jaas/ldap" );


          does not work, despite it looking like a JNDI entry in jboss-web.xml
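
The approach from the reply above, written out as an added example that is not part of the original thread: a server-side helper that authenticates a username and password against the `ldap` security domain by name. `DomainAuthenticator` is a hypothetical class; it uses only standard JAAS callbacks in place of JBoss's `UsernamePasswordHandler`, and assumes it runs inside the container, where the reply says the Configuration is already set.

```java
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical helper (not from the thread); must run inside the container,
 *  where the security domains are already entries in the JAAS Configuration. */
public final class DomainAuthenticator {

    // Name of the <security-domain> shown in the first post.
    private static final String DOMAIN = "ldap";

    /** Returns the authenticated Subject, or null if the login was rejected. */
    public static Subject authenticate(final String user, final char[] password) {
        // Answers only the two callbacks a username/password login module
        // asks for and rejects anything else.
        CallbackHandler handler = new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password); // stores a copy
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
        try {
            LoginContext lc = new LoginContext(DOMAIN, handler);
            lc.login();              // runs the login module(s) of the "ldap" domain
            return lc.getSubject();  // principals and role groups set by the domain
        } catch (LoginException e) {
            // Wrong password, unknown user and directory outage all end up here:
            // give the caller one generic failure and log details server-side.
            return null;
        } finally {
            Arrays.fill(password, '\0'); // do not keep the cleartext password in memory
        }
    }
}
```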