
LDAP Login Module Not Flexible Enough

slominskir
Joined: 2010-11-15

It would be nice if the LDAPLoginModule allowed:

  • Single bind (No user search)
  • Authentication without authorization

I'm working with an existing LDAP server which I don't have control over. It doesn't allow anonymous binds and I don't have a special user just for making the initial bind and doing the search. Each user's account is privileged enough to bind and search LDAP. In my scenario it seems like the user search part is unnecessary. I wanted to use GlassFish container managed security with JAAS so I've got a proof of concept working by using my personal account for the values in search-bind-dn and search-bind-password. This obviously isn't going into production like that though!

Another smaller issue is that my application only has two roles - a user and an admin. These roles are application specific so there are no groups in LDAP that I'm going to map to these roles. I just use the assign-groups configuration setting so that all users who authenticate successfully are given the user role. I call out specifically the one guy who is the application admin in the sun-web.xml. In my scenario the group lookup in LDAP is a waste (but it appears to not break anything though, hence smaller issue).

It looks like I might have to create my own Realm and LoginModule to get around these two issues. However, my problems may just be a misunderstanding so please advise.

slominskir
Joined: 2010-11-15

It looks like the JAAS class com.sun.security.auth.module.LdapLoginModule actually does exactly what I'm asking for (auth-only mode). Too bad the Glassfish class com.sun.enterprise.security.auth.login.LDAPLoginModule doesn't.

I found a few resources for creating a custom Realm and LoginModule and I've gotten it to work, but it has been a huge pain in the neck. I've encountered stuff I never wanted to have to learn about such as OSGI, HK2, and the inner-workings of Glassfish container managed security. The primary resource for getting a custom module to work was this one: http://blogs.sun.com/nithya/entry/modularized_osgi_custom_realms_in

I guess I could try the login bridge, which would allow reusing a JAAS LoginModule, but it appears to actually require more work than just creating a custom Realm and LoginModule. The bridge is discussed here: http://www.java.net/external?url=http://blogs.sun.com/nasradu8/entry/log...
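The authentication-only mode of the JDK module mentioned above, shown as an added example that is not code from the thread or from GlassFish: a JAAS configuration built in code that makes com.sun.security.auth.module.LdapLoginModule do a single bind as the user, with no search-bind account and no directory search. The host, base DN and DN template are placeholders for the poster's own server.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

// Added example (not from the thread): drives the JDK's
// com.sun.security.auth.module.LdapLoginModule in authentication-only mode,
// i.e. one bind as the user, no search-bind account and no directory search.
// The host and DN template are placeholders for the poster's own server.
public final class LdapAuthOnlyDemo {
    /** Builds the JAAS configuration in code rather than in a login.config file. */
    static Configuration authOnlyConfig() {
        Map<String, String> opts = new HashMap<>();
        // Directory and base DN (placeholder host).
        opts.put("userProvider", "ldap://ldap.example.org/ou=people,dc=example,dc=org");
        // DN template: the module substitutes the typed username and binds as that DN.
        // Setting authIdentity without a userFilter is what selects auth-only mode.
        opts.put("authIdentity", "uid={USERNAME},ou=people,dc=example,dc=org");
        // The simple bind sends the password over the wire, so require TLS.
        opts.put("useSSL", "true");
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.LdapLoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "LdapAuthOnly".equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    /** Answers the module's NameCallback / PasswordCallback with the user's credentials. */
    static CallbackHandler credentials(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Returns the authenticated Subject; a failed bind surfaces as a LoginException. */
    static Subject login(String user, char[] password) throws LoginException {
        LoginContext ctx = new LoginContext("LdapAuthOnly", null, credentials(user, password), authOnlyConfig());
        ctx.login();
        return ctx.getSubject();
    }
}
```

Because the user's own account is what binds, every failed attempt is just a failed bind on the directory side, which is easier to audit than a shared search-bind identity.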

Kumar Jayanti Guest
Joined: 2011-04-02

On 16-Apr-2011, at 12:56 AM, forums@java.net wrote:

> It looks like the JAAS class com.sun.security.auth.module.LdapLoginModule
> actually does exactly what I'm asking for (auth-only mode). Too bad the
> Glassfish class com.sun.enterprise.security.auth.login.LDAPLoginModule
> doesn't.
>
>
We will plan and try to add something which uses the com.sun.security.auth.module.LdapLoginModule for a future release, or enhance the existing one.
>
>
> I found a few resources for creating a custom Realm and LoginModule and I've
> gotten it to work, but it has been a huge pain in the neck. I've
> encountered stuff I never wanted to have to learn about such as OSGI, HK2,
> and the inner-workings of Glassfish container managed security. The primary
> resource for getting a custom module to work was this one:
> http://blogs.sun.com/nithya/entry/modularized_osgi_custom_realms_in [1]
>

You do not need OSGI and HK2 to write a custom realm. It is only if you need to make an OSGI-aware realm that you need to use the blog above. Nithya will point you to another blog which would show just how to build a simple custom realm (no OSGI/HK2).

Thanks for the feedback...
> [1] http://blogs.sun.com/nithya/entry/modularized_osgi_custom_realms_in

slominskir
Joined: 2010-11-15

I've noticed two issues worth mentioning:

  1. I've got two login modules in my custom realm (NIS and LDAP) and if an error occurs in the first module then the stack trace is dumped to the log, but if an error occurs in the second module the stack trace isn't dumped to the log. In order to troubleshoot and see what the problem is I had to remove the first login module.
  2. My custom LDAP Login module stalls for 15 seconds each time an authentication attempt is made. I've searched google and it appears this could be due to DNS or a bug in Java. I didn't see this with the LDAP module that comes with GlassFish (probably because it uses pooling and authentication generally doesn't require a new connection).
da3m0npr0c3ss
Joined: 2007-05-22

Have you looked into implementing your own custom JSR 196 Client or Server authentication module? This should be sufficient for mapping a Principal and roles.
hth,
jt

slominskir
Joined: 2010-11-15

After glancing at JSR 196 it appears it is not for application developers, but for container vendors, so I'd like to stay away unless there really is no other choice. I'm not exactly sure where the lines are drawn, but creating a custom LoginModule and Realm might be included in that.

I've actually got a need to authenticate against NIS in addition to LDAP, and I'm not seeing any pre-made NIS support in GlassFish so I might have to get my hands dirty anyways.

kumarjayanti
Joined: 2003-12-10

On 24/03/11 5:13 AM, forums@java.net wrote:
> My understanding is that JSR 196 is not for application developers,
> but for
> container vendors, so I'd like to stay away unless there really is no
> other
> choice. I'm not exactly where the lines are drawn, but creating a custom
> LoginModule and Realm might be included in that.
>
> I've actually got a need to authenticate against NIS in addition to LDAP,
> and I'm not seeing any pre-made NIS support in GlassFish so I might
> have to
> get my hands dirty anyways.
>
JSR 196 can give you more power just like a ServletFilter and in
addition can also handle the integration of authentication results with
the container in a standard way by using the CallerPrincipalCallback and
GroupPrincipalCallback.

GlassFish allows developers to configure their own custom JSR 196 Server
Auth Modules at the HttpServlet Layer and the SOAP Layer. IOW it
provides a way of supporting new authentication mechanisms in GlassFish
(example OpenId, OAuth or any other custom authentication etc).

Whether you need a custom 196 module or not depends on what is the
problem at hand. If the problem at hand is not about a New
Authentication Mechanism and instead it is about using a new
Authentication Store (user database) with an existing Mechanism then it
is not a good idea to write a new SAM. Instead it can just be a new
Custom Realm.

If a JAAS login module for authenticating with the store exists with
you, then either you can wrap it up with a new Realm or you can also use
the JSR 196 Login Bridge Profile.

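The integration Kumar describes, a Server Auth Module handing its result to the container through CallerPrincipalCallback and GroupPrincipalCallback, as an added example that is not code from the thread or from GlassFish. The HTTP Basic parsing, the class name and the abstract verifyWithStore hook (where the LDAP bind or NIS lookup would sit) are my assumptions; the single "user" group mirrors the poster's assign-groups setup.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Added example (not from the thread): the shape of a JSR 196 ServerAuthModule
// that reports an authenticated caller to the container through
// CallerPrincipalCallback and GroupPrincipalCallback. The credential check
// itself is left abstract; it is where an LDAP bind or NIS lookup would go.
public abstract class StoreBackedSam implements ServerAuthModule {
    private CallbackHandler handler;   // container-supplied; results flow back through it
    /** Verifies the credentials against the authentication store (LDAP, NIS, ...). */
    protected abstract boolean verifyWithStore(String user, char[] password);

    @Override
    public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler h, Map options) {
        this.handler = h;
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        String auth = req.getHeader("Authorization");
        if (auth == null || !auth.startsWith("Basic ")) return AuthStatus.SEND_FAILURE;
        try {
            String[] cred = new String(Base64.getDecoder().decode(auth.substring(6)), StandardCharsets.UTF_8).split(":", 2);
            if (cred.length != 2 || !verifyWithStore(cred[0], cred[1].toCharArray())) return AuthStatus.SEND_FAILURE;
            // Standard integration point: caller principal, then group names the container maps to roles.
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(client, cred[0]),
                new GroupPrincipalCallback(client, new String[] { "user" }) });
            return AuthStatus.SUCCESS;
        } catch (IllegalArgumentException badBase64) {
            return AuthStatus.SEND_FAILURE;      // malformed header is a failed login, not a 500
        } catch (Exception e) {
            throw new AuthException("callback handling failed: " + e);
        }
    }

    @Override public AuthStatus secureResponse(MessageInfo i, Subject s) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo i, Subject s) { }
}
```

This is the "new mechanism" path; for a new store behind an existing mechanism, the reply above recommends a custom Realm instead.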