JAAS configuration and LDAP login module in JavaEE 6

Oleg · Mar 1, 2013 · Viewed 10.8k times

I'm writing a question here because I haven't been able to find the solution myself for months. My situation: I have a client-server application written in Java which uses Java EE 6 and EJB 3.0. The server side is deployed on GlassFish 3.0. I need to develop/implement the login module for the application. Authentication must be done using an LDAP server and authorisation will be handled inside the application. Therefore I want to use JAAS technology to mix authentication and authorisation. I'm doing it for example like here. Then I follow this tutorial and the official documentation to perform the login. My problem is that the LDAP login doesn't work.

My code:

    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;

    // Wrapper class and main() (name chosen here) so the posted fragment compiles stand-alone.
    public class LdapLoginClient {
        public static void main(String[] args) {
            LoginContext lc = null;

            try {
                CallbackHandler handler = new CallbackHandler() {
                    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                        for (int i = 0; i < callbacks.length; i++) {
                            if (callbacks[i] instanceof NameCallback) {
                                // prompt the user for a username
                                NameCallback nc = (NameCallback) callbacks[i];
                                nc.setName("admin");
                                System.out.println("Login done.");
                            } else if (callbacks[i] instanceof PasswordCallback) {
                                // prompt the user for sensitive information
                                PasswordCallback pc = (PasswordCallback) callbacks[i];
                                pc.setPassword("mypassword".toCharArray());
                                System.out.println("Password done.");
                            } else {
                                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
                            } // end if/else
                        } // end for()
                    }
                };

                // "myAuth" must match the entry name in the file named by -Djava.security.auth.login.config
                lc = new LoginContext("myAuth", handler);
                lc.login();
                Subject subject = lc.getSubject();
            } catch (LoginException e) {
                e.printStackTrace();
            }
        }
    }

My JAAS configuration file:

    myAuth {
        com.sun.enterprise.security.auth.login.LDAPLoginModule REQUIRED
            userProvider="ldap://mydomain:389/OU=users,DC=my,DC=domain,DC=com"
            authIdentity="{USERNAME}"
            useSSL=false
            debug=true;
    };

The client part of the application is run with the following JVM options:

-Djava.security.auth.login.config=./jaas.conf  -Dorg.omg.CORBA.ORBInitialHost=localhost

On the GlassFish side I set the JVM properties:

-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf
-Djava.naming.referral=follow

The login.conf file on the GlassFish side contains the following lines (ADRealm is the default realm of my GlassFish):

    ADRealm {
        com.sun.enterprise.security.auth.login.LDAPLoginModule REQUIRED;
    };

Settings for ADRealm:

      <property name="jaas-context" value="ldapRealm" />
      <property name="base-dn" value="CN=users,DC=my,DC=domain,DC=com" />
      <property name="directory" value="ldap://mydomain:3268" />
      <property name="search-bind-password" value="mypassword" />
      <property name="search-bind-dn" value="[email protected]" />

I want to draw your attention to the fact that I'm trying to perform the LDAP login at least to be sure that it works.

When I run the client I get the following error:

Mar 1, 2013 1:36:44 PM com.sun.appserv.security.AppservPasswordLoginModule extractCredentials
SEVERE: passwordlm.nopwdcred
javax.security.auth.login.LoginException: No credentials.

What is strange is that it worked once (!), i.e. I could obtain the subject from the lc.getSubject() method. Also I assume that the handle() method above is not invoked, since I don't see

Login done.
Password done.

in the output.

Please could anybody help me???
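As an added, self-contained illustration (not code from the question, and not GlassFish's own LDAPLoginModule): in JAAS the CallbackHandler passed to LoginContext is invoked only when a LoginModule asks for callbacks during login(), so "Login done." / "Password done." can appear only if the configured module actually requests a NameCallback and a PasswordCallback. The demo below installs a JAAS Configuration programmatically (the equivalent of a jaas.conf entry, so no -Djava.security.auth.login.config is needed) and drives a hypothetical DemoLoginModule that verifies against a constructed in-memory user table standing in for the directory. The class names, the "demo" entry name and the user "alice" are assumptions. It also shows two defensive habits worth carrying into the real client: credentials are passed into the handler rather than hard-coded as literals, and password arrays are cleared after use.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Added demo (not from the question): shows who calls CallbackHandler.handle() in a JAAS login. */
public class JaasCallbackDemo {

    /** Constructed in-memory user table standing in for the LDAP directory (assumption for the demo). */
    static final Map<String, char[]> USERS = new HashMap<String, char[]>();
    static { USERS.put("alice", "correct horse".toCharArray()); }

    /** Hypothetical LoginModule that obtains credentials through callbacks, as LoginContext-driven modules do. */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private boolean debug;
        private String user;
        private boolean succeeded;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.debug = "true".equals(options.get("debug")); // same "debug=true" option syntax as jaas.conf
        }

        public boolean login() throws LoginException {
            // handle() runs only because the module asks for it here; a module that takes its
            // credentials from somewhere else never triggers the caller's handler at all.
            if (handler == null) throw new LoginException("No CallbackHandler available");
            NameCallback nc = new NameCallback("username: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("Callback failed: " + e);
            }
            char[] supplied = pc.getPassword(); // getPassword() returns a copy
            pc.clearPassword();
            char[] expected = USERS.get(nc.getName());
            succeeded = expected != null && supplied != null && Arrays.equals(expected, supplied);
            if (supplied != null) Arrays.fill(supplied, '\0'); // do not leave the password in memory
            if (debug) System.out.println("[DemoLoginModule] user=" + nc.getName() + " ok=" + succeeded);
            if (!succeeded) throw new FailedLoginException("Bad user name or password");
            user = nc.getName();
            return true;
        }

        // On commit the authenticated name is recorded in the Subject; abort/logout undo it.
        public boolean commit() { if (succeeded) subject.getPublicCredentials().add(user); return succeeded; }
        public boolean abort() { succeeded = false; user = null; return true; }
        public boolean logout() { subject.getPublicCredentials().clear(); succeeded = false; return true; }
    }

    /** Programmatic equivalent of a jaas.conf entry: demo { JaasCallbackDemo$DemoLoginModule REQUIRED debug=true; }; */
    static Configuration demoConfiguration() {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"demo".equals(name)) return null; // unknown entry: LoginContext reports missing config
                Map<String, String> options = Collections.singletonMap("debug", "true");
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginControlFlag.REQUIRED, options) };
            }
        };
    }

    /** Handler that hands over credentials supplied by the caller instead of hard-coded literals. */
    static CallbackHandler handlerFor(final String name, final char[] password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(name);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb, "Unrecognized Callback");
                    }
                }
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        Configuration.setConfiguration(demoConfiguration()); // replaces -Djava.security.auth.login.config
        LoginContext ok = new LoginContext("demo", handlerFor("alice", "correct horse".toCharArray()));
        ok.login();
        System.out.println("Login OK, subject: " + ok.getSubject().getPublicCredentials());
        ok.logout();
        try {
            new LoginContext("demo", handlerFor("alice", "wrong".toCharArray())).login();
        } catch (LoginException e) {
            System.out.println("Expected failure: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac JaasCallbackDemo.java && java JaasCallbackDemo`; the first login prints the module's debug line and succeeds, the second fails with a FailedLoginException. If the debug line from the module never appears while the LoginContext still fails, the module in use is not requesting callbacks, which is the situation to rule out first when the handler's own output is missing.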

Answer

Giorgio Desideri · May 17, 2013

1st - On LDAP you don't use an admin user, but create another user with the necessary criteria to search and/or bind if necessary. An admin user isn't secure and isn't recommended, especially in a Java EE context.

2nd - What kind of LDAP server are you trying to connect to? OpenLDAP or an Exchange server?

I'm referring you to these links, while waiting for your response: