#147 Add support for standard J2EE security

open
nobody
None
5
2009-11-13
2009-11-13
Apps Direct
No

Hi.

As of now you have only a custom implementation for user authentication and authorization. You also have a very simple LDAP authentication which does not work with more comprehensive LDAP servers. For example:
1. when no anonymous access to LDAP is available
2. the user is a member of several groups
3. non-standard attribute names are used in LDAP
If you start using declarative security configured in web.xml and request.isUserInRole, then you automatically start supporting all different kinds of J2EE containers with more advanced security REALM configurations, for example Tomcat 6: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
For your reference here is our current Realm configuration we use for LDAP authentication in our development Tomcat 6:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://sbs01:389"
       connectionName="CN=Dev Tool Admin,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Senseicorp,DC=local"
       connectionPassword="some_password"

       userBase="OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Senseicorp,DC=local"
       userSearch="(mailNickname={0})"

       roleBase="OU=Security Groups,OU=MyBusiness,DC=Senseicorp,DC=local"
       roleName="cn"
       roleSearch="(member={0})"
/>

As you can see, our users are located in one place and groups in another, and we configured it easily because the Tomcat configuration has all the necessary attributes for that. Unfortunately your LDAP configuration is too simple for the real world. So to avoid all the troubles with real LDAP authentication you can just implement support for standard J2EE container authentication and users will do the rest. You don't need any Spring classes to do that: it is all in the J2EE API already. All contemporary J2EE containers support different ways to configure a realm.

By using your own custom authentication you are limiting our choices for using your system efficiently. It is good style to use more standard solutions so your customers will have a choice.

If you need any help with implementation of this, please let me know.
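A minimal illustration of the mechanism requested in this ticket, added here and not taken from the ticket or the project: the declarative web.xml constraint plus a servlet that relies on request.isUserInRole. The URL pattern, the role names "user" and "admin" and the servlet name are assumptions.

```java
// Added illustration (not from the ticket or the project). The container's
// Realm (e.g. the Tomcat JNDIRealm shown above) maps LDAP users and groups
// to the role names used here; role names and URL pattern are assumptions.
//
// web.xml fragment (the declarative part):
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Application</web-resource-name>
//       <url-pattern>/app/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>user</role-name>
//       <role-name>admin</role-name>
//     </auth-constraint>
//   </security-constraint>
//   <login-config><auth-method>BASIC</auth-method><realm-name>App</realm-name></login-config>
//   <security-role><role-name>user</role-name></security-role>
//   <security-role><role-name>admin</role-name></security-role>

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AdminServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container authenticates the caller against its Realm before
        // this method runs; getRemoteUser() is null only when the
        // security-constraint above does not cover the requested URL.
        String user = req.getRemoteUser();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Programmatic, role-based authorization: the role is resolved by the
        // container, so the LDAP group layout never appears in application code.
        if (!req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello " + user + ", you have the admin role.");
    }
}
```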
