1 2 Previous Next 22 Replies Latest reply on Jul 18, 2005 6:19 AM by Darran Lofthouse

    nt domain security

    fede Newbie

      Hi,
      I want to integrate jboos security with the users and groups defined in windows nt domain, I have used the jaas implementation for nt (NTLoginModule) provided by sun but it don´t provides the roles (groups) as required by jboossx.
      Is this possible or a need to implement my own LoginModule to authenticate users agains nt?
      Thanks,
      Fede.

        • 1. Re: nt domain security
          William Kaufman Newbie

          I think you have to extend org.jboss.security.auth.spi.AbstractServerLoginModule
          and override the
          login(),
          getRoleSets(),
          getIdentity()
          methods.


          • 2. Re: nt domain security
            Scott Stark Master

            See my JavaWorld article that talks about creating custom login modules.
            http://www.javaworld.com/javaworld/jw-08-2001/jw-0831-jaas.html

            • 3. Re: nt domain security
              James Hicks Newbie

              I used a modified version of jCIFS from jcifs.samba.org to authenticate against our nt domain. This hack doesn't actually authenticate against the SAM. It uses an smb share on the server to authenticate the users. I don't use the NT roles though. My application has its own set of custom roles for the users. Im not sure how you would get this. From what I here, Weblogic teamed with JIntegra and they are offering an NT authentication module with their server. If you want to spend the cash on JIntegra, it will should be able to get the NT information for you.

              • 4. Re: nt domain security
                fede Newbie

                I follow the steps of the article and I implement a custom login model for my application and it works ok, it don't use nt domain security but database security. I tried to use the NTLoginModule (a jaas implementation for nt provided by sun) to authenticate user on the server side, but it didn't work for 3 reasons:
                1 - It only autenthicate a user thas is already logged in the system (it works fine for client side authentication and single sign on, but not for jboss)
                2 - It don't use the Group interface to identify de groups of a subject, it uses NtGroup than don't implemnet the Group interface.
                3 - The name of the group aren't really names, are ids of the groups.
                I'll ask JIntegra if they have a real jaas implementation for nt domain security.
                If they don't, I'll implementate a LoginModule using JNI to invoke the win32 security api.
                Thanks,
                Fede.

                • 5. Re: nt domain security
                  larry bartz Newbie

                  stimpy,

                  Does your LoginModule engage the client's browser in the NTLM challenge/response dialog? Or does it collect the logname, domain, and passphrase from the user and authenticate to NT as a proxy?

                  Either way, I'd very much appreciate it if you would share your code.

                  Thanks in advance,

                  • 6. Re: nt domain security
                    James Hicks Newbie

                    It collects the username and password from the user (BASIC or FORM) and sends it to the login module which uses the modified copy of jCIFS to authenticate against an SMB share on a server. Right now the domain is hardcoded, but it could be easily changed to accept a domain from the user. It doesn't require a client to be using Windows or IE, it's all on the server side.

                    I found the method to authenticate using jCIFS on jCIFS mailing list. just do a search for authenticate on their mailing list ( ive already forgotten where ). If you can't find it, let me know, I will send you the patch for jCIFS.

                    This all worked on 2.2.4. I haven't tested it with 3.0, but I will be doing it soon.

                    • 7. Re: nt domain security
                      larry bartz Newbie

                      stimpy,

                      I have the jCIFS distro. What part(s) of jCIFS did you change/patch and why?

                      • 8. Re: nt domain security
                        Manfred Regele Newbie

                        For code-samples using IE Explorer and challenge/response you could perhapes use this jguru-thread:

                        http://www.jguru.com/faq/viewquestion.jsp?EID=393110

                        Manfred.

                        • 9. Re: nt domain security
                          Brad Leupen Newbie

                          i would encourage people to look at connecting JBoss to Active Directory via LDAP for Windows-based authentication. We have implemented custom logon modules using this and the jCIFS approach. Active Directory is the way to go for Win2K networks, imho.

                          b

                          • 10. Re: nt domain security
                            David Myers Newbie

                            bleupen-

                            Your suggestion does appear to be the best way to go (for authenticating against NT). Is this something you've successfully done? If so, can you share your design specifics (and 'gotchas') with those of us just starting out on this path?

                            Thanks.

                            • 11. Re: nt domain security
                              Brad Leupen Newbie

                              dmyers,

                              yes, we have successfully implemented an Active Directory plugin for Jboss. the bridge authenticates the user and populates his/her security creditials with those defined in Active Directory. this way you can control access to web/business components via Active Directory security. we have also implemented a BMP EJB wrapper for querying AD and representing users/groups as objects in your application.

                              This all works really well and is pretty much instantaneous. There were no major gotchas (except for one) but here are the challenges that we faced:

                              1. Understanding the LDAP attributes exposed by Active Directory - this was the first LDAP project we had done with AD.

                              2. Understanding which JBossSX class to subclass to create our module. We wound up subclassing the UsernamePasswordLoginModule and overriding the validatePassword() method to include the bulk of the LDAP logic.

                              3. Performing the correct queries to grab security roles.

                              4. (big gotcha)Coming to terms with the fact that there is NO WAY (as far as i can tell) to obtain the user's default NT security group (e.g. Domain Users) via 100% Java JNDI queries. This sounds counterintuitive but it is true. For performance reasons, Active Directory does not store a direct reference to the user's primary group. Instead, the primary group is derived by a function performed on the user's SID. While this is pretty easy to do in VB, there is no java class that will compute this for you. We wound up allowing the user to specify the default Windows group as an XML parameter (usually everybody in an organization has the same default group and that group is usually "Domain Users").

                              I'd be happy to answer any questions you might have about this.

                              brad

                              • 12. Re: nt domain security
                                Brad Leupen Newbie

                                why do messages on this bbs not show up right away?

                                b

                                • 13. standalone client: SecurityException: no protocol: auth.conf
                                  Nee Newbie

                                  I'm trying to set up the file-based JAAS sample described in the docs, but with my own beans, instead of the beans in the sample, and I'm using a standalone client, instead of a servlet.

                                  I think I have everything set up, including putting the "client/auth.conf" into the client jar file.

                                  Unfortunately, when my client tries to create the LoginContext, I get the following exception:

                                  --------------------
                                  java.lang.SecurityException: no protocol: auth.conf
                                  at com.sun.security.auth.login.ConfigFile.getAppConfigurationEntry(ConfigFile.java:221)
                                  at javax.security.auth.login.LoginContext.init(LoginContext.java:172)
                                  at javax.security.auth.login.LoginContext.(LoginContext.java:319)
                                  --------------------

                                  I know that the client is reading the auth.conf file, because before I copied the "client/auth.conf" file and set the "java.security.auth.login.config" property, I was getting a different exception, "Unable to locate a login configuration".
                                  What could be going wrong here? Is there some way to get more information? Is there someplace where this is well-documented?

                                  Just in case, I'll include the "auth.conf" file here:
                                  ------------------
                                  other {
                                  // Put your login modules that work without jBoss here

                                  // jBoss LoginModule
                                  org.jboss.security.ClientLoginModule required;

                                  // Put your login modules that need jBoss here
                                  };
                                  ------------------

                                  • 14. Re: nt domain security
                                    Kevin McIntyre Newbie

                                    If anyone is interested I've created a NTLoginModule.

                                    The basis for the Module is a JNDILoginModule that does a lookup, cast, home.create() the remote object must be an instanceof AbstractLoginModule. The reason it's wrapped it to allow non-M$ machine to authenticated against a windows domain. A workstation or PDC running JNDIServer is necessary. Basically I have a very minimal jboss instance running on the PDC. The NTLoginModule can use the freetagish stuff. I created my own that invokes a set of perl scripts. It's a hack, but it allows me to add users to the domain and modify groups etc etc.

                                    1 2 Previous Next