Jerry Jacob's Blog

LDAP(Active Directory) based authentication in JBoss Seam

Posted in Java/ J2EE, Uncategorized by jerlinworld on March 13, 2012

Method 1:

Modify your components.xml and add security:identity-manager element and security:ldap-identity-store element.  Authenticator.Authenticate method WILL get called when your user logs in.


<security:rule-based-permission-resolver security-rules="#{securityRules}"/>

<security:identity authenticate-method="#{authenticator.authenticate}" remember-me="true"/>

<security:identity-manager identity-store="#{activeDirectory}"/>

<security:ldap-identity-store name="activeDirectory"
server-address="subdomain.active.directory.org"
server-port="389"
bind-DN="cn=Jacob Jerry,ou=Users,ou=Company,dc=ia,dc=com"
bind-credentials="password"
user-name-attribute="sAMAccountName"
first-name-attribute="givenName"
last-name-attribute="sn"
user-DN-prefix=""
user-DN-suffix="ia.com"
user-context-DN="OU=Users,ou=Company,dc=ia,dc=com"
role-context-DN="OU=Groups,ou=Company,dc=ia,dc=com"
user-role-attribute="memberOf"
role-name-attribute="sAMAccountName"
user-object-classes="person,user,organizationalPerson"
role-object-classes="group"/>

Inject IdentityManager in Authenticator.java
@In(“#{identityManager}”)
IdentityManager identMgr;

and authenticate the user

identMgr.authenticate( credentials.getUsername()+”@”, credentials.getPassword() ));

Why I appended ‘@’ after the username? The user-DN-suffix in my case is actually @ia.com. But it was giving an error in components.xml.

 

Method 2:

Modify your components.xml and add jaas-config-name attribute to security:identity element.  Normally if you add this attribute authenticate-method attribute will have no effect. But adding a post authenticate event listener action could resolve this issue. Authenticator.Authenticate method WILL get called if you have the action listener specified in here.


<security:identity remember-me="true" jaas-config-name="activeDirectory"/>

<event type="org.jboss.seam.security.postAuthenticate">
   <action execute="#{authenticator.authenticate}"/>
</event>

In this method, you will have to define your application policy in the server login-config.xml. You may find your local JBoss login-config.xml in the deployment folder \jboss-eap\jboss-as\server\default\conf. Here is my entry to this file

<application-policy name="activeDirectory">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
            <module-option name="java.naming.provider.url">ldap://subdomain.active.directory.org:389</module-option>
            <module-option name="bindDN">cn=Jacob\, Jerry,OU=Users,ou=Company,dc=ia,dc=com</module-option>
            <module-option name="bindCredential">password</module-option>
            <module-option name="baseCtxDN">OU=Users,ou=Company,dc=ia,dc=com</module-option>
            <module-option name="baseFilter">(sAMAccountName={0})</module-option>
            <module-option name="rolesCtxDN">OU=Groups,ou=Company,dc=ia,dc=com</module-option>
            <module-option name="roleFilter">(sAMAccountName={0})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>
            <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
            <module-option name="allowEmptyPasswords">false</module-option>
        </login-module>
    </authentication>
</application-policy>

Advertisements