Jetty

Implement LDAP JAAS Realm

Details

  • Type: New Feature New Feature
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 6.1.9
  • Component/s: None
  • Labels:
    None
  • Number of attachments :
    3

Description

Having a native Jetty LDAP JAAS module would make it super easy to deploy secured webapplications that uses a common LDAP server. I would suggest copying Geronimo's implementation. The login module itself doesn't have any dependencies that Jetty doesn't already have from what I can tell.

Geronimo has an implementation that work just fine outside Geronimo, but it drags with it a whole bunch of unwanted dependencies.

For reference and other users that want to use Jetty+LDAP, this is how I configured the Geronimo JAAS login module:

  <Call name="addUserRealm">
    <Arg>
      <New class="org.mortbay.jetty.plus.jaas.JAASUserRealm">
        <Set name="name">javabin realm</Set>
        <Set name="LoginModuleName">ldap</Set>
        <Set name="roleClassNames">
          <Array type="java.lang.String">
            <Item>org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>
  1. File
    ldapPatch1
    05/Mar/08 3:00 AM
    4 kB
    Frederic Nizery
  2. File
    ldapPatch2
    07/Mar/08 8:26 AM
    3 kB
    Frederic Nizery
  3. File
    LdapPatchfile
    29/Feb/08 10:22 AM
    10 kB
    Frederic Nizery

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Trygve Laugstøl added a comment -

FYI here is Geronimo's (v 2.0.2) implementation: http://svn.apache.org/repos/asf/geronimo/server/tags/2.0.2/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/LDAPLoginModule.java

Show
Trygve Laugstøl added a comment - FYI here is Geronimo's (v 2.0.2) implementation: http://svn.apache.org/repos/asf/geronimo/server/tags/2.0.2/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/LDAPLoginModule.java
Hide
Permalink
Frederic Nizery added a comment -

Jesse

Here is the patch file for LdapLoginModule.java.

Fred

Show
Frederic Nizery added a comment - Jesse Here is the patch file for LdapLoginModule.java. Fred
Hide
Permalink
Frederic Nizery added a comment -

I made a little clean-up and add some comments.
Still working out for both types of authentication.
Credential still works only w/ crypt.

I use now the tag conversion methode that you added and
suppressed my initial conversion code lines.

two questions:
-Did you have a chance to discuss about MD5 problem w/ Greg?
-Is there any plan to add SSHA.

As SSHA means salted SHA I thought Greg should have add that in a first place

Attached the new patch file.

Fred

Show
Frederic Nizery added a comment - I made a little clean-up and add some comments. Still working out for both types of authentication. Credential still works only w/ crypt. I use now the tag conversion methode that you added and suppressed my initial conversion code lines. two questions: -Did you have a chance to discuss about MD5 problem w/ Greg? -Is there any plan to add SSHA. As SSHA means salted SHA I thought Greg should have add that in a first place Attached the new patch file. Fred
Hide
Permalink
Jesse McConnell added a comment -

JETTY-517 covered the additional credential bits and pieces and likely why the md5 bit for credential isn't working..

the test case for binding that uses md5 now should give you an idea what I think is wrong with the credential checking, very determination on what is coming from the ldap server and if apacheds is typical in its implementation and storage of that credential then its an encoding and byte conversion issue

I'll process the patch this morning though and see where we are.

Show
Jesse McConnell added a comment - JETTY-517 covered the additional credential bits and pieces and likely why the md5 bit for credential isn't working.. the test case for binding that uses md5 now should give you an idea what I think is wrong with the credential checking, very determination on what is coming from the ldap server and if apacheds is typical in its implementation and storage of that credential then its an encoding and byte conversion issue I'll process the patch this morning though and see where we are.
Hide
Permalink
Jesse McConnell added a comment -

applied your latest patch...

I think we are good to go until we get the work on jetty-517 in place and can better support the credential style login

Show
Jesse McConnell added a comment - applied your latest patch... I think we are good to go until we get the work on jetty-517 in place and can better support the credential style login
Hide
Permalink
Frederic Nizery added a comment -

Hi Jesse

Following your suggestion of MD5 conversion, I added such a one and reverse
in the module and use the reverse conversion in case the credential is starting w/

{MD5}

. Patch attached.

It's working now w/ MD5 on fedora-DS.
I get the feelling that we are not sure here that we have something standard
and working in 100% of cases.

For instance, I link the MD5 tag format w/ the coding but it's pure conjecture.

Currently I use the fedora-DS GUI to create the users and password. Then I let completely
Fedora-DS do the encryption.

Is there a GUI w/ openLdap that may give the opportunity to test the same?

Fred

Show
Frederic Nizery added a comment - Hi Jesse Following your suggestion of MD5 conversion, I added such a one and reverse in the module and use the reverse conversion in case the credential is starting w/ {MD5} . Patch attached. It's working now w/ MD5 on fedora-DS. I get the feelling that we are not sure here that we have something standard and working in 100% of cases. For instance, I link the MD5 tag format w/ the coding but it's pure conjecture. Currently I use the fedora-DS GUI to create the users and password. Then I let completely Fedora-DS do the encryption. Is there a GUI w/ openLdap that may give the opportunity to test the same? Fred
Hide
Permalink
Trygve Laugstøl added a comment -

One question, why are you checking the hash instead of trying to bind? There are DSes that won't give you the hash if they act as a proxy to some other authentication service etc, so you might be required to bind in any case.

Show
Trygve Laugstøl added a comment - One question, why are you checking the hash instead of trying to bind? There are DSes that won't give you the hash if they act as a proxy to some other authentication service etc, so you might be required to bind in any case.
Hide
Permalink
Jesse McConnell added a comment -

binding is supported and working right now Trygve, we are mucking around with credential based for supporting non-binding authentication...which is admittedly more of an edge case..

but bind is working right now

Show
Jesse McConnell added a comment - binding is supported and working right now Trygve, we are mucking around with credential based for supporting non-binding authentication...which is admittedly more of an edge case.. but bind is working right now
Hide
Permalink
Trygve Laugstøl added a comment -

Aha, ok. Great work!

Show
Trygve Laugstøl added a comment - Aha, ok. Great work!
Hide
Permalink
Jesse McConnell added a comment -

moved from the contrib jetty-ldap-jaas module to jetty-plus

Show
Jesse McConnell added a comment - moved from the contrib jetty-ldap-jaas module to jetty-plus

People

  • Assignee:
    Jesse McConnell
    Reporter:
    Trygve Laugstøl
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: