we have several Seam apps that will need a security solution involving using AD for authentication and authorization.
Authentication is ok (we're using NTLM with IE browsers).
We need advice for authorization. Our security model involves having the owner's of the applications add members (end-users) to AD distribution groups via Outlook.
We have a custom Java AD library that allows us to get a list of the groups an authenticated user belongs to. We need to know whether or not it's ok to query AD real-time for multiple apps with a potential centralized AD cluster for all field sites. Any performance issues? This would happen on every JSF page load, for example, when a drop down needs to be populated for a particular role filter (e.g. only show the list of technicians).
We are considering copying the added/deleted member info from the AD distro groups to RDBMS tables but then we have the syncing issue of when/how to do this. We are also considering augmenting our db schema to add user_role info to our user table by adding multiple tables (i.e., each user can have multiple roles in multiple apps).
Any advice on this authorization portion? I can't find any best practices heuristics from microsoft regarding AD and we need to integrate our security framework with Seam ultimately. What is the JBoss best practice? The JBoss 4 official guide doesn't go into authorization in detail. thx.