0 Replies Latest reply on Oct 25, 2003 2:57 AM by davout

    User based access of external systems

    davout

      I have a java app that uses a number of other external applications as part of its business logic.

      These include other custom apps, LDAP and RDBMS data servers. My Java app has its own authentication scheme that uses JAAS.

      When it comes to connecting to these other external systems normally you might expect the Java application to use a single authentication credential as a means of accessing the external system.

      However, in this case the requirement is that all external system access should be identified by
      the orginating user. Hence, if 'Joe' is the user connecting to my Java app then 'Joe' should be
      the user connecting to the external custom, RDBMS or LDAP system.

      Looking at JAAS it seems that I could handle this be creating LoginModule implementations for each
      external system, but there are a couple of issues to resolve...

      First, some systems like JNDI/LDAP return a class instance (e.g. DirContext for JNDI) as a result
      of the successful login. Given that my Java business logic has to employ a user specific context

      when communicating with the external system how should I obtain this?

      For example if I'm accessing an LDAP server to perform data operations then if Joe is the
      originating Java app user when it comes to performing the LDAP operations these must be performed using a JNDI DirContext that is specific to Joe. How should I retrieve this? As the DirContext is
      created as part of the LoginModule 'login' method should I store it somewhere within the LoginModule 'commit' method? Or should I retrieve the authentication parameters from the Subject and then create a new JNDI connection?

      Second, if I use multiple JAAS LoginModules then this is likely to require multiple sets of user ID's and passwords (i.e. the LDAP server credentials are unlikely to be the same as those required for a RDBMS). This is a web based system. How should I obtain, package and store the multiple sets of credentials?

      By the way single sign-on is not available as an option.