
    Problem with programmatic authentication with LDAP

    sivaprasad_u

      Hi,

      We are doing programmatic authentication with LDAP (sample code is given below).
      After authentication, the delegated call to another secured session bean goes through the security domain again, even though the user has the required roles.

      i.e. it goes through the security domain again, meaning the roles have not been propagated to the Tomcat container.


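      // Perform LDAP authentication.
      // SecurityAssociationHandler hands the principal and credential to the
      // login modules of the named security domain (the LDAPDomain policy
      // below). The credential here is a sample literal; real code takes it
      // from the caller, never from a string in source.
      // The stray closing brace that followed the Subject lookup in the
      // original has been removed; as posted, the fragment did not compile.
      try {
          SimplePrincipal user = new SimplePrincipal("testuser2");
          String pwd = "testpassword";
          String securityDomain = "LDAPDomain";
          SecurityAssociationHandler handler = new SecurityAssociationHandler();
          handler.setSecurityInfo(user, pwd);

          LoginContext lc = new LoginContext(securityDomain, handler);
          lc.login();

          // The authenticated Subject carries the principals the login
          // modules populated; inspect subject.getPrincipals() here when you
          // need to see which roles were actually assigned.
          Subject subject = lc.getSubject();
      } catch (LoginException e) {
          // Both the LoginContext constructor and login() throw
          // LoginException; catching it instead of Exception leaves
          // programming errors (runtime exceptions) visible.
          // Note that any LoginException — including a directory that is
          // unreachable — prints the "wrong password" message, and that
          // execution continues into the delegated call below even though
          // no identity was established; the enclosing method should bail
          // out here (its signature is not part of this fragment).
          System.out.println("** Wrong Username or Password **** ");
          e.printStackTrace();
      }

      // Delegate to another (secured) session bean.
      // No logout() is called before this point on purpose: the identity the
      // client-side login module associated with this thread is what the
      // container sees on the call. NOTE(review): whether the server re-runs
      // the LDAP bind on each invocation or answers from an authentication
      // cache is a server-side setting, not something this client code
      // controls — verify against the server's security configuration.
      try {
          InitialContext ctx = new InitialContext();
          ClientServiceHome homeObj = (ClientServiceHome) ctx.lookup("shares/ClientService");
          ClientService remoteObj = (ClientService) homeObj.create();
          remoteObj.Ldap_Authentication();
      } catch (Exception e) {
          // lookup(), create() and the remote call each declare different
          // checked exceptions (naming, creation, remote); one broad catch is
          // kept so the sample stays short.
          System.out.println("**** Exception while delegating call to secured session Bean...\n");
          e.printStackTrace();
      }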


      LDAP Config:


      <!-- Security domain referenced by name ("LDAPDomain") from the LoginContext in the client code above. -->
      <application-policy name = "LDAPDomain">

      <!-- Server-side module: binds to the directory as the user and collects the user's roles. -->
      <login-module code = "org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name = "java.naming.factory.initial">
      com.sun.jndi.ldap.LdapCtxFactory
      </module-option>
      <!-- Plain ldap:// combined with "simple" authentication below means the bind password
           travels to the directory unencrypted; use ldaps:// (or a TLS-protected channel)
           for anything beyond a test setup. -->
      <module-option name = "java.naming.provider.url">ldap://172.19.151.202:389/</module-option>
      <module-option name = "java.naming.security.authentication">simple</module-option>
      <!-- The user DN is assembled as prefix + username + suffix, i.e.
           uid=<username>,ou=People,dc=example,dc=com, and bound with the supplied password. -->
      <module-option name = "principalDNPrefix">uid=</module-option>
      <!-- Role lookup: entries under rolesCtxDN whose roleOccupant attribute holds the user DN
           (matchOnUserDN=true) contribute their cn as a role name. TODO confirm that the
           directory's role entries are actually keyed by full user DN, not by uid. -->
      <module-option name = "uidAttributeID">roleOccupant</module-option>
      <module-option name = "roleAttributeID">cn</module-option>
      <module-option name = "principalDNSuffix">,ou=People,dc=example,dc=com</module-option>
      <module-option name = "rolesCtxDN">ou=Roles,dc=example,dc=com</module-option>
      <module-option name = "matchOnUserDN">true</module-option>
      <!-- Requests that carry no credentials at all are mapped to the principal "nobody"
           instead of being rejected; make sure "nobody" holds no role that any secured
           bean accepts, or remove this option if anonymous access is not intended. -->
      <module-option name = "unauthenticatedIdentity">nobody</module-option>
      </login-module>

      <!-- Client-side module: performs no authentication of its own; it records the
           principal/credential so they accompany later invocations from this client.
           The delegated session-bean call in the code above depends on this. -->
      <login-module code = "org.jboss.security.ClientLoginModule"
      flag = "required">
      </login-module>


      </application-policy>