
Authentication framework for JDNC.

bino_george
Joined: 2003-06-16

Hi Folks,
I am currently researching parts of JAAS and JNDI APIs for providing a Login/Authentication infrastructure support from JDNC.

It is one of the features we are planning for the next major release :

https://jdnc.dev.java.net/documentation/roadmap.html#schedule

I wanted to get a feel for what folks out there are using for authentication currently? Active Directory, LDAP, NIS, Kerberos,
Certificates etc. If you are using Active Directory, what are you using for authentication (JAAS support for Active Directory is only read-only)? LDAP seems to have fairly good support in JAAS/JNDI. If you are using LDAP authentication, what kind of mechanism are you using?

Digest-MD5, CRAM-MD5,
Kerberos,
Clear text over SSL?
Something else?

I would appreciate your feedback, suggestions in helping me provide a useful authentication framework for JDNC.

Thanks,
Bino.

Patrick Wright

Hi

I think we may need more use cases for this. The basic case of
Login/Authentication is great, but there are at least two more I have come
across in the past:

- controlling access (authorization) to features within the application

- temporary switching of user in control of app, for example for manager
override

The API needs to support both, IMO. Controlling access to app
functionality is tricky in the UI, because while menu items can be
disabled or removed, there are also read-only use cases (for forms or
tables), controlling access to other UI controls (such as buttons or other
widgets that can trigger actions).

Just wanted to add those to the list! Have no opinion right now on the
API itself.

Patrick

> Hi Folks,
> I am currently researching parts of JAAS and JNDI APIs for
> providing a Login/Authentication infrastructure support from
> JDNC.
>
> It is one of the features we are planning for the next major release :
>
> https://jdnc.dev.java.net/documentation/roadmap.html#schedule
>
> I wanted to get a feel for what folks out there are using for
> authentication currently? Active Directory, LDAP, NIS, Kerberos,
> Certificates etc. If you are using Active Directory, what are you using
> for authentication (JAAS support for Active Directory is only read-only)?
> LDAP seems to have fairly good support in JAAS/JNDI. If you are using LDAP
> authentication, what kind of mechanism are you using?
>
> Digest-MD5, CRAM-MD5,
> Kerberos,
> Clear text over SSL?
> Something else?
>
> I would appreciate your feedback, suggestions in helping me provide a
> useful authentication framework for JDNC.
>
>
> Thanks,
> Bino.
> ---
> [Message sent by forum member 'bino_george' (Bino George)]
>
> http://www.javadesktop.org/forums/thread.jspa?messageID=46114
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jdnc-unsubscribe@jdnc.dev.java.net
> For additional commands, e-mail: jdnc-help@jdnc.dev.java.net
>
>


bino_george
Joined: 2003-06-16

Just a quick correction to my original post :

> If you are using Active Directory,
> what are you using for authentication (JAAS support
> for Active Directory is only read-only)?

I meant to say the NTLoginModule (not Active Directory).

Bino.

aaime
Joined: 2003-06-10

Acegi may be a nice reference -> http://acegisecurity.sourceforge.net/

netsql
Joined: 2004-03-07

What I did (http://www.sandrasf.com/other/sandra/javadoc/org/sandra/api/ModelApi.html)
is in Model setSec(User, Password) as API.

The model has populate, which calls the service, so it passes security.
That is the authentication part, from the model. (Sometimes you do not need security ... for the initial few screens, so not all models need it. The model gets it from application scope (the main Frame) and passes it to the service level.)

The encryption part would have to be a service-level thing, such as HTTPS.

I say no to all the things you listed as security protocols; that is just complex and therefore useless.

I think you should start w/ a J2EE JDBC realms Container Managed Authentication-like design and extend it.
You just set user id/password and then the service has to implement it. I assume you are familiar w/ how simple it was to set up security in web.xml (I do not mean any disrespect, maybe you are just a Swing guy). Something like that.
I also track the calling IP address and the request that they make. For example customers.populate("tx").
"customers" has to be in the table for the group you belong in.
So remote tables are: user, password, group
and
group, command ("customers")
Lack of rows means open security.
And since it's an interface, if someone wants to implement something crazy within the API, fine. Any security can be broken in any case, so no need to overdo it.

I hope that helped. I do not mind explaining more.

My sample application has a login button that dynamically adds controls to the panel, and now all my models have user/password so they can access secured service "commands".

.V

netsql
Joined: 2004-03-07

A J2EE CMA AAA link, the old way:
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JDBCRealm

I just added another column for "command" to secure.

.V
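The two-table scheme netsql sketches in the two posts above (user/password/group plus group/command, checked from Model.populate, with "lack of rows means open security"), carried into a runnable in-memory sketch. This is an added example, not netsql's code or the JDNC project's; the class names, the in-memory maps standing in for the remote tables and the sample rows are all constructed here.

```java
import java.util.*;

public class CommandSecurityDemo {
    /** Service side: the (user, password, group) and (group, command) tables from the post. */
    static final class SecurityService {
        private final Map<String, String[]> users = new HashMap<>();          // user -> {password, group}
        private final Map<String, Set<String>> commandGroups = new HashMap<>(); // command -> allowed groups

        void addUser(String user, String password, String group) { users.put(user, new String[] {password, group}); }
        void allow(String group, String command) { commandGroups.computeIfAbsent(command, k -> new HashSet<>()).add(group); }

        /** Authenticate against the user table, then authorize the command against the group table. */
        boolean isAllowed(String user, String password, String command, String callerIp) {
            System.out.println("request from " + callerIp + ": " + command + " as " + user); // IP/request tracking
            String[] row = users.get(user);
            if (row == null || !row[0].equals(password)) return false;  // no matching user/password row
            Set<String> groups = commandGroups.get(command);
            if (groups == null) return true;  // "lack of rows means open security": this branch is fail-open
            return groups.contains(row[1]);
        }
    }

    /** Model holding the credentials handed to it from application scope via setSec(). */
    static final class Model {
        private final SecurityService service; private final String command;
        private String user, password;
        Model(SecurityService service, String command) { this.service = service; this.command = command; }
        void setSec(String user, String password) { this.user = user; this.password = password; }
        void populate(String arg, String callerIp) {
            if (!service.isAllowed(user, password, command, callerIp))
                throw new SecurityException("denied: " + command + "(" + arg + ") for " + user);
            System.out.println("populated " + command + "(" + arg + ")");
        }
    }

    public static void main(String[] args) {
        SecurityService svc = new SecurityService();          // constructed sample rows
        svc.addUser("alice", "pw1", "sales");
        svc.addUser("bob", "pw2", "support");
        svc.allow("sales", "customers");                      // only group "sales" may run "customers"
        Model customers = new Model(svc, "customers");
        customers.setSec("alice", "pw1");
        customers.populate("tx", "10.0.0.5");                 // allowed
        customers.setSec("bob", "pw2");
        try { customers.populate("tx", "10.0.0.6"); } catch (SecurityException e) { System.out.println(e.getMessage()); }
        Model products = new Model(svc, "products");          // "products" has no group rows, so it is open
        products.setSec("bob", "pw2");
        products.populate("all", "10.0.0.6");                 // allowed by the fail-open rule
    }
}
```

Passwords are compared in the clear here because the described design stores them as table rows; the HTTPS he mentions is what protects them on the wire.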

Nicola Ken Barozzi

Just FYI:

http://incubator.apache.org/directory/subprojects/janus/index.html

Personally the best thing for AAA in JDNC is to limit stuff to what is
not available elsewhere, especially in the Java specs arena (@see JAAS).

--
Nicola Ken Barozzi nicolaken@apache.org
- verba volant, scripta manent -
(discussions get forgotten, just code remains)
---------------------------------------------------------------------


jtr
Joined: 2003-06-10

How pluggable would this be? In my opinion it would be nice if it supported the works but makes the common case easy. So plain ole JDBC URL authentication would work, but so would negotiating over a custom socket.

> Clear text over SSL ?

Don't underestimate cleartext. :)

While looking over someone's shoulder, I was surprised to learn that some hosted forums (PHP and the like) authenticate via cleartext (may or may not use SSL) against credentials stored in a database table or flat file.

It ain't secure, but it sure is easier to debug than Kerberos.

bino_george
Joined: 2003-06-16

jtr,

> How pluggable would this be? In my opinion it would
> be nice if it supported the works but makes the
> common case easy. So plain ole JDBC URL
> authentication would work, but so would negotiating
> over a custom socket.

Definitely, the basic interface for the authentication
should be simple and you should be able to plug in
any kind of authentication you would prefer to use.

Bino.