Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.1.9
    • Component/s: None
    • Labels: None
    • Number of attachments: 3

      Description

      Having a native Jetty LDAP JAAS module would make it super easy to deploy secured web applications that use a common LDAP server. I would suggest copying Geronimo's implementation. The login module itself doesn't have any dependencies that Jetty doesn't already have, from what I can tell.

      Geronimo has an implementation that works just fine outside Geronimo, but it drags with it a whole bunch of unwanted dependencies.

      For reference and other users that want to use Jetty+LDAP, this is how I configured the Geronimo JAAS login module:

        <Call name="addUserRealm">
          <Arg>
            <New class="org.mortbay.jetty.plus.jaas.JAASUserRealm">
              <Set name="name">javabin realm</Set>
              <Set name="LoginModuleName">ldap</Set>
              <Set name="roleClassNames">
                <Array type="java.lang.String">
                  <Item>org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal</Item>
                </Array>
              </Set>
            </New>
          </Arg>
        </Call>
      
      1. ldapPatch1 (4 kB, Frederic Nizery)
      2. ldapPatch2 (3 kB, Frederic Nizery)
      3. LdapPatchfile (10 kB, Frederic Nizery)

        Activity

        Trygve Laugstøl added a comment - FYI here is Geronimo's (v 2.0.2) implementation: http://svn.apache.org/repos/asf/geronimo/server/tags/2.0.2/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/LDAPLoginModule.java
        Frederic Nizery added a comment -

        Jesse

        Here is the patch file for LdapLoginModule.java.

        Fred

        Frederic Nizery added a comment -

        I made a little clean-up and added some comments.
        Still working out for both types of authentication.
        Credential still works only w/ crypt.

        I now use the tag conversion method that you added and
        suppressed my initial conversion code lines.

        Two questions:
        - Did you have a chance to discuss the MD5 problem w/ Greg?
        - Is there any plan to add SSHA?

        As SSHA means salted SHA, I thought Greg should have added that in the first place.

        Attached the new patch file.

        Fred

        Jesse McConnell added a comment -

        JETTY-517 covered the additional credential bits and pieces and likely why the md5 bit for credential isn't working..

        the test case for binding that uses md5 now should give you an idea what I think is wrong with the credential checking, very determination on what is coming from the ldap server and if apacheds is typical in its implementation and storage of that credential then it's an encoding and byte conversion issue

        I'll process the patch this morning though and see where we are.

        Jesse McConnell added a comment -

        applied your latest patch...

        I think we are good to go until we get the work on jetty-517 in place and can better support the credential style login

        Frederic Nizery added a comment -

        Hi Jesse

        Following your suggestion of MD5 conversion, I added such a one and its reverse
        in the module and use the reverse conversion in case the credential starts w/ {MD5}. Patch attached.

        It's working now w/ MD5 on fedora-DS.
        I get the feeling that we are not sure here that we have something standard
        and working in 100% of cases.

        For instance, I link the MD5 tag format w/ the coding but it's pure conjecture.

        Currently I use the fedora-DS GUI to create the users and password. Then I let completely
        Fedora-DS do the encryption.

        Is there a GUI w/ openLdap that may give the opportunity to test the same?

        Fred

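        A stand-alone illustration, added here and not code from the Jetty patch, of the credential-style check the thread is working through: parsing the {MD5}, {SHA} and {SSHA} userPassword forms, comparing raw digest bytes, and the hex-versus-base64 mismatch Jesse points at as a byte conversion issue. Python is used so it runs without a directory; the preferred bind path Trygve raises needs a live DS and is not shown, and all sample values are constructed.

```python
import base64
import hashlib
import hmac

def parse_user_password(stored: str):
    """Split an RFC 2307 style "{SCHEME}base64" value into (scheme, raw bytes).
    A value with no "{...}" prefix is treated as a cleartext password."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), base64.b64decode(stored[end + 1:])
    return "CLEARTEXT", stored.encode("utf-8")

def verify_user_password(stored: str, candidate: str) -> bool:
    """Credential-style check: recompute the candidate's digest and compare it
    in constant time with the raw digest bytes read from the directory entry."""
    scheme, raw = parse_user_password(stored)
    pwd = candidate.encode("utf-8")
    if scheme == "CLEARTEXT":
        expected = pwd
    elif scheme == "MD5":
        expected = hashlib.md5(pwd).digest()        # raw bytes, not hex text
    elif scheme == "SHA":
        expected = hashlib.sha1(pwd).digest()
    elif scheme == "SSHA":
        # Salted SHA-1: payload is sha1(password + salt) followed by the salt.
        digest, salt = raw[:20], raw[20:]
        expected, raw = hashlib.sha1(pwd + salt).digest(), digest
    else:
        return False                                 # unknown scheme: refuse
    return hmac.compare_digest(expected, raw)

def naive_hex_compare(stored: str, candidate: str) -> bool:
    """The byte-conversion pitfall from the thread: comparing hex digest text
    against the base64 payload never matches, even for the right password."""
    payload = stored.split("}", 1)[1]
    return hashlib.md5(candidate.encode("utf-8")).hexdigest() == payload

def make_md5(password: str) -> str:
    """Build a {MD5} value the way a directory stores it (constructed test data)."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")

def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value with a caller-supplied salt (constructed test data)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
```

        Calling verify_user_password(make_md5("secret"), "secret") returns True while naive_hex_compare on the same entry returns False, which is the mismatch a hex-string comparison produces against a base64-encoded raw digest.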
        Trygve Laugstøl added a comment -

        One question, why are you checking the hash instead of trying to bind? There are DSes that won't give you the hash if they act as a proxy to some other authentication service etc, so you might be required to bind in any case.

        Jesse McConnell added a comment -

        binding is supported and working right now Trygve, we are mucking around with credential based for supporting non-binding authentication...which is admittedly more of an edge case..

        but bind is working right now

        Trygve Laugstøl added a comment -

        Aha, ok. Great work!

        Jesse McConnell added a comment -

        moved from the contrib jetty-ldap-jaas module to jetty-plus


          People

          • Assignee: Jesse McConnell
          • Reporter: Trygve Laugstøl
          • Votes: 0
          • Watchers: 1
